Log4j is used for logging functions within the BindPlane Collector. The Log4j exploit (CVE-2021-44228) applies to versions of Log4j older than 2.15. These libraries are used by older versions of the collector.
Note: If you have questions on this, please reach out to BindPlane Support and we'd be happy to help you through this process.
Affected Versions of the Collector
This only applies to versions of the collector that are lower than 3.28.4. Previous versions that have been upgraded to 3.28.4 and above will need to run these additional steps.
New installations of 3.28.4 and above are not affected.
For both Windows and Linux installed Collectors
- Update the Collectors to the latest version within the BindPlane UI by using the Update button. Wait for the update to finish and verify the collector is running in the UI.
In addition, there are Log4j 2.10 libraries that are part of the launcher component only, which are not updated by the BindPlane UI Update process. The steps documented below describe how to manually replace those libraries.
While we recommend updating the Launcher’s dependencies, the Launcher is a very minimal process that does not log anything containing user input, or anything dynamic outside of a Java exception, and should be safe from the CVE.
Additional steps needed for Linux hosts running the collector
On the Linux host running the collector
2. Stop the BindPlane Collector service
systemctl stop bindplane-collector
- Rename the launcher lib directory
mv /opt/bluemedora/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib.old
- Copy the new launcher and libraries
cp /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/bindplane-launcher.jar /opt/bluemedora/bindplane-collector/launcher/bindplane-launcher.jar
cp -r /opt/bluemedora/bindplane-collector/tmp/latest/bindplane-collector/launcher/lib /opt/bluemedora/bindplane-collector/launcher/lib
- Start service and verify in the BindPlane UI
systemctl start bindplane-collector
- Cleanup the previous versions of the libraries
rm -rf /opt/bluemedora/bindplane-collector/tmp/previous
rm -rf /opt/bluemedora/bindplane-collector/launcher/lib.old
- Optional: Verify all log4j jars are 2.15 or newer
find /opt/bluemedora -name 'log4j*.jar'
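The optional verification step above, as an added example script (not BindPlane's own tooling): it reads the version from each jar's file name and reports any that are older than 2.15. The function names, the script name check_log4j.sh, and the reliance on upstream jar file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): name-based check that log4j jars are >= 2.15.
# Assumption: jars keep upstream names such as log4j-core-2.10.0.jar. A renamed
# or repackaged jar cannot be judged this way and is reported as UNKNOWN.

# jar_version PATH: print "MAJOR MINOR" taken from the file name, or nothing.
jar_version() {
    basename "$1" |
        sed -n 's/^.*-\([0-9][0-9]*\)\.\([0-9][0-9]*\)[^/]*\.jar$/\1 \2/p'
}

# is_patched MAJOR MINOR: succeed when the version is 2.15 or newer.
is_patched() {
    [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 15 ]; }
}

# list_old_log4j DIR: print "OLD path" or "UNKNOWN path" for each log4j*.jar
# under DIR that does not pass the check. The pattern is quoted so the shell
# hands it to find unexpanded.
list_old_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        if [ -z "$ver" ]; then
            echo "UNKNOWN $jar"
        elif ! is_patched $ver; then   # unquoted on purpose: two arguments
            echo "OLD $jar"
        fi
    done
}

# check_log4j DIR: return 0 when nothing is reported, else print and return 1.
check_log4j() {
    report=$(list_old_log4j "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run only when a directory is given, e.g.: sh check_log4j.sh /opt/bluemedora
if [ "$#" -gt 0 ]; then
    check_log4j "$1"
fi
```

Any OLD line left after the cleanup step points at a library directory that was not replaced; an UNKNOWN line needs a manual look at the jar.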
Additional steps needed for Windows hosts running the collector
On the Windows host running the collector
2. Stop the BindPlane Collector service from the Service UI or from the Command Line
sc stop "BindPlane Collector"
Delete the previous Launcher and Libraries
Copy new launcher
Copy new launcher libs
Start the BindPlane Collector Service either from the Command Line or Services UI
sc start "BindPlane Collector"
- Verify the Collector in BindPlane UI.