Log4j Patch Instructions
Log4j Vulnerability Background
Log4j is used for logging within the BindPlane Collector. The Log4j exploit (CVE-2021-44228) applies to versions of Log4j older than 2.15. These libraries are used by older versions of the collector.
Note: If you have questions about this, please reach out to BindPlane Support and we'd be happy to help you through this process.
Affected Versions of the Collector
This only applies to versions of the collector that are lower than 3.28.4. Previous versions that have been upgraded to 3.28.4 and above will need to run these additional steps.
New installations of 3.28.4 and above are not affected.
Upgrade Instructions
Update the Collector within the UI
For Collectors installed on both Windows and Linux:
- Update the Collectors to the latest version within the BindPlane UI by using the Update button. Wait for the update to finish and verify the collector is running in the UI.
Optional: Replacement of Log4j 2.10 in the BindPlane Collector Launcher Component
In addition, the launcher component contains Log4j 2.10 libraries that are not updated by the BindPlane UI Update process. The steps below describe how to replace those libraries manually.
While we recommend updating the Launcher's dependencies, the Launcher is a very minimal process that does not log anything containing user input, or anything dynamic other than a Java exception, and should be safe from the CVE.
Optional: Additional Steps to update the Launcher for Linux
Additional steps needed for Linux hosts running the collector
On the Linux host running the collector:
- Stop the BindPlane Collector service
    systemctl stop bindplane-collector
- Rename the launcher lib directory to lib.old
    mv /opt/bluemedora/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib.old
- Copy the new bindplane-launcher.jar and launcher lib directory
    cp /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/bindplane-launcher.jar /opt/bluemedora/bindplane-collector/launcher/bindplane-launcher.jar
    cp -r /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib
- Start the service and verify in the BindPlane UI
    systemctl start bindplane-collector
- Clean up the previous versions of the libraries
    rm -rf /opt/bluemedora/bindplane-collector/tmp/previous
    rm -rf /opt/bluemedora/bindplane-collector/launcher/lib.old
- Optional: Verify all log4j jars are 2.15 or newer (the pattern is quoted so the shell passes it to find unexpanded)
    find /opt/bluemedora -name 'log4j*.jar'
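The optional verification step above only lists the jars. The following script, an added example that is not part of BindPlane's documentation or tooling, also compares the version in each file name against 2.15. Its function names are hypothetical, and it assumes jars keep the usual `name-<version>.jar` naming, so a renamed or repackaged jar is reported as UNKNOWN rather than checked.

```shell
#!/bin/sh
# Added example, not BindPlane code: flag Log4j jars older than 2.15 by file name.
MIN_MAJOR=2
MIN_MINOR=15

# Print the version embedded in a jar file name,
# e.g. log4j-core-2.10.0.jar -> 2.10.0. Prints nothing if none is found.
log4j_jar_version() {
    basename "$1" .jar | sed -n 's/^log4j.*-\([0-9][0-9]*\.[0-9][0-9.]*\)$/\1/p'
}

# Return 0 when version $1 (major.minor[.patch]) is older than 2.15.
is_older_than_min() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt "$MIN_MAJOR" ] ||
        { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -lt "$MIN_MINOR" ]; }
}

# Scan directory $1 and print one status line per Log4j jar.
# Returns 0 only if every jar found is 2.15 or newer; a jar whose
# version cannot be read from its name counts as a failure.
audit_log4j() {
    # Explicit subshell so the loop's status becomes the pipeline's status.
    find "$1" -type f -name 'log4j*.jar' | sort | (
        status=0
        while IFS= read -r jar; do
            ver=$(log4j_jar_version "$jar")
            if [ -z "$ver" ]; then
                echo "UNKNOWN  $jar"; status=1
            elif is_older_than_min "$ver"; then
                echo "OLD      $ver  $jar"; status=1
            else
                echo "OK       $ver  $jar"
            fi
        done
        exit "$status"
    )
}

# Run against the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then audit_log4j "$1"; fi
```

Run it as `sh check-log4j.sh /opt/bluemedora` (the script file name is a placeholder); a non-zero exit status means at least one jar is older than 2.15 or could not be checked.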
Optional: Additional Steps for Windows
Additional steps needed on the Windows host running the collector.
On the Windows host running the collector:
- Stop the BindPlane Collector service from the Services UI or from the Command Line
    sc stop "BindPlane Collector"
- Delete the previous Launcher and Libraries
    Delete "C:\BlueMedora\bindplane-collector\launcher\lib"
    Delete "C:\BlueMedora\bindplane-collector\launcher\bindplane-launcher.jar"
- Copy new launcher
    From: "C:\BlueMedora\bindplane-collector\tmp\latest\bindplane-collector\launcher\bindplane-launcher.jar"
    To: "C:\BlueMedora\bindplane-collector\launcher\bindplane-launcher.jar"
- Copy new launcher libs
    From: "C:\BlueMedora\bindplane-collector\tmp\latest\bindplane-collector\launcher\lib"
    To: "C:\BlueMedora\bindplane-collector\launcher\lib"
- Start the BindPlane Collector Service either from the Command Line or Services UI
    sc start "BindPlane Collector"
- Verify the Collector in BindPlane UI.