How do I remove vulnerable class for Log4j 1.x mitigation?
Note: the log4j component has been upgraded in FootPrints version 20.21.02.01 or later: https://docs.bmc.com/docs/fp2021/release-notes/2021-release-02-patch-1

Log4j 1.x mitigation steps

The class files associated with each of these CVEs are listed below; the steps to delete the class or package are the same for each.

CVE-2021-4104 - /net/JMSAppender.class
CVE-2022-23302 - /net/JMSSink.class
CVE-2022-23305 - /jdbc/JDBCAppender.class [The jdbc package/folder can be deleted]
CVE-2022-23307 - /chainsaw/* [The entire chainsaw package/folder is to be deleted]
For example, the steps below locate and update the log4j-1.2*.jar file on the FootPrints application server and remove "JMSAppender.class" from "log4j-1.2.*.jar".

Linux

First stop the Tomcat service, then run this command, which removes "JMSAppender.class" from the specified "log4j-1.2.*.jar":

zip -q -d "$LOG4J_JAR" org/apache/log4j/net/JMSAppender.class

NOTE: Replace "$LOG4J_JAR" with the fully-qualified path to the "log4j-1.2.*.jar".

Linux example for FootPrints:

zip -q -d /opt/bmc/Footprints/web/WEB-INF/lib/log4j-1.2.17_bmc.jar org/apache/log4j/net/JMSAppender.class

Windows

Go to C:\Program Files\BMC Software\FootPrints\web\WEB-INF\lib (change the path if you installed to a different location). First stop the Tomcat service, then follow these steps:
1. Rename "log4j-1.2.*.jar" to "log4j-1.2.*.jar.zip" so that Windows Explorer can open the file.
2. Drill down into "log4j-1.2.*.jar.zip" in Windows Explorer and select "org/apache/log4j/net/JMSAppender.class".
3. Right-click "JMSAppender.class" and select "Delete" from the context menu.
4. Click "Yes" on the "Delete File" dialog ("Are you sure you want to permanently delete this file? JMSAppender.class, Type: CLASS File, Date modified: 5/6/2012 2:00 PM, Size: 7.85 KB"). JMSAppender.class is deleted from "log4j-1.2.*.jar.zip".
5. Rename "log4j-1.2.*.jar.zip" back to "log4j-1.2.*.jar".
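As an added example (not BMC's tooling and not part of the original article), the same removal done in Python so it works on either platform: it keeps a .bak copy of the jar, strips all four entries from the CVE list above in one pass, and provides a post-check that none remain. The sample jar name and its dummy class entries are constructed here for demonstration; point strip_jar at the real log4j-1.2.*.jar (with Tomcat stopped) in practice.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Jar entry paths from the CVE list above. A trailing "/" marks a whole package
# to remove (jdbc for CVE-2022-23305, chainsaw for CVE-2022-23307).
VULNERABLE = (
    "org/apache/log4j/net/JMSAppender.class",  # CVE-2021-4104
    "org/apache/log4j/net/JMSSink.class",      # CVE-2022-23302
    "org/apache/log4j/jdbc/",                  # CVE-2022-23305
    "org/apache/log4j/chainsaw/",              # CVE-2022-23307
)

def is_vulnerable(name):
    """True if a jar entry is one of the classes or packages to delete."""
    return any(name == v or (v.endswith("/") and name.startswith(v)) for v in VULNERABLE)

def remaining_vulnerable(jar):
    """Post-check: vulnerable entries still present in the jar (expect none)."""
    with zipfile.ZipFile(jar) as zf:
        return sorted(n for n in zf.namelist() if is_vulnerable(n))

def strip_jar(jar):
    """Rewrite the jar without vulnerable entries and return their sorted names.
    zipfile cannot delete in place, so the original is kept as <jar>.bak and a copy is written."""
    jar = Path(jar)
    backup = jar.with_name(jar.name + ".bak")
    shutil.copy2(jar, backup)
    tmp = jar.with_name(jar.name + ".tmp")
    removed = []
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if is_vulnerable(info.filename):
                removed.append(info.filename)
            else:  # keep the entry with its original timestamp and compression
                dst.writestr(info, src.read(info))
    tmp.replace(jar)
    return sorted(removed)

def make_sample_jar():
    """Constructed stand-in for log4j-1.2.*.jar; entries hold only the class-file magic."""
    jar = Path(tempfile.mkdtemp()) / "log4j-1.2.17_sample.jar"
    names = ("org/apache/log4j/Logger.class", "org/apache/log4j/net/SocketAppender.class",
             "org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/net/JMSSink.class",
             "org/apache/log4j/jdbc/JDBCAppender.class", "org/apache/log4j/chainsaw/Main.class")
    with zipfile.ZipFile(jar, "w") as zf:
        for name in names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return jar
```

Calling strip_jar(make_sample_jar()) removes the four vulnerable entries and leaves Logger.class and SocketAppender.class in place; remaining_vulnerable on the result returns an empty list.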