Log4j Patch Instructions
Log4j Vulnerability Background
Log4j is used for logging functions within the BindPlane Collector. Log4j exploit (CVE-2021-44228) applies to versions of log4j older than 2.15. These libraries are used by older versions of the collector.
Note: If you have questions on this, please reach out to BindPlane Support and we'd be happy to help you through this process
Affected Versions of the Collector
This only applied to versions of the collector that are lower than 3.28.4. Previous versions that have been upgraded to 3.28.4 and above will need run these additional steps.
New installations of 3.28.4 and above are not affected.
Upgrade Instructions
Update the Collector within the UI
For both Windows and Linux installed Collectors
- Update the Collectors to the latest version within the BindPlane UI by using the Update button. Wait for update to finish and verify collector is running in the UI.
Optional: Replacement of Log4j 2.10 in the Bindplane Collector Launcher Component
In addition, there are Log4j 2.10 libraries that are part of the launcher component only which are not updated in the BindPlane UI Update process. The steps documented below are how to manually replace those libraries.
While we recommend updating the Launcher’s dependencies, the Launcher is a very minimal process that does not log anything containing user input, or anything dynamic outside of a Java exception and should be safe from the CVE.
Optional: Additional Steps to update the Launcher for Linux
Additional steps needed for Linux hosts running the collector
On the Linux host running the collector
2 . Stop the BindPlane Collector service
systemctl stop bindplane-collector
- Rename launcher
lib
directory tolib.old
mv /opt/bluemedora/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib.old
- Copy new
bindplane-launcher.jar
and launcherlib
directory
cp /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/bindplane-launcher.jar /opt/bluemedora/bindplane-collector/launcher/bindplane-launcher.jar
cp -r /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib
- Start service and verify in the BindPlane UI
systemctl start bindplane-collector
- Cleanup the previous versions of the libraries
rm -rf /opt/bluemedora/bindplane-collector/tmp/previous
rm -rf /opt/bluemedora/bindplane-collector/launcher/lib.old
- Optional: Verify all log4j jars are 2.15 or newer
find /opt/bluemedora -name log4j*.jar
Optional: Additional Steps for Windows
Additional steps needs on the Windows host running the collector
On the Windows host running the collector,
2 . Stop the BindPlane Collector service from the Service UI or from the Command Line
sc stop “BindPlane Collector”
-
Delete the previous Launcher and Libraries
Delete“C:\BlueMedora\bindplane-collector\launcher\lib”
Delete“C:\BlueMedora\bindplane-collector\launcher\bindplane-launcher.jar”
-
Copy new launcher
From:“C:\BlueMedora\bindplane-collector\tmp\latest\bindplane-collector\launcher\bindplane-launcher.jar”
To:“C:\BlueMedora\bindplane-collector\launcher\bindplane-launcher.jar”
-
Copy new launcher libs
From:“C:\BlueMedora\bindplane-collector\tmp\latest\bindplane-collector\launcher\lib”
To:“C:\BlueMedora\bindplane-collector\launcher\lib”
-
Start the BindPlane Collector Service either from the Command Line or Services UI
sc start “BindPlane Collector”
- Verify the Collector in BindPlane UI.
Updated about 3 years ago