
Benjamin Reed for OpenNMS

Originally published at opennms.com

OpenNMS Products Affected by Apache Log4j Vulnerability CVE-2021-44228

A serious remote code execution (RCE) vulnerability in Apache Log4j could affect customers running some OpenNMS products. An attacker could exploit it by causing OpenNMS to write specially crafted messages to its system log files. Apache Log4j could interpret one of those messages as an instruction to download, run, or install malicious software, compromising your system.

To mitigate this risk, consult the following list and either install the latest OpenNMS software upgrade or apply the work-around.

For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228 at https://logging.apache.org/log4j/2.x/security.html.

Version: Meridian 2021.1.7, 2020.1.15, 2019.1.26, or earlier

  • Work-around:

    Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the following line, then restart Meridian:

    log4j.formatMsgNoLookups=true

  • Permanent Fix:

    Upgrade to Meridian 2021.1.8, 2020.1.15, 2019.1.27, or newer

Version: Horizon 29.0.2 or earlier

  • Work-around:

    Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the following line, then restart Horizon:

    log4j.formatMsgNoLookups=true

  • Permanent Fix:

    Upgrade to Horizon 29.0.3 or newer

Version: PoweredBy OpenNMS

  • Work-around:

    Not available

  • Permanent Fix:

    Pull the latest GitHub source that has Log4j2 v2.15.0 or newer in pom.xml

Version: Minions derived from Meridian 2021.1.7, 2020.1.15, 2019.1.26, Horizon 29.0.2, or earlier

  • Work-around:

    For each Minion, edit the /opt/minion/etc/config.properties file to include the following line, then restart the Minion:

    log4j.formatMsgNoLookups=true

  • Permanent Fix:

    Upgrade to Minion included with Meridian 2021.1.8, 2020.1.15, 2019.1.27, Horizon 29.0.3, or newer

Version: Minion Appliance – all versions

  • Work-around: Not applicable – Automatic Updates
  • Permanent Fix: Appliance service provides automatic updates

Version: Sentinels derived from Meridian 2021.1.7, 2020.1.15, 2019.1.26, Horizon 29.0.2, or earlier

  • Work-around: For each Sentinel, edit the /opt/sentinel/etc/config.properties file to include the line log4j.formatMsgNoLookups=true, then restart Sentinel
  • Permanent Fix: Upgrade to Sentinel included with Meridian 2021.1.8, 2020.1.15, 2019.1.27, Horizon 29.0.3, or newer
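
The work-around steps above for Meridian, Horizon, Minion and Sentinel, as an added example script (not part of the original advisory and not OpenNMS code): it makes sure the last uncommented log4j.formatMsgNoLookups assignment in each file given on the command line is true, creating the file if needed. The function names are hypothetical, and it assumes plain key=value properties files.

```sh
#!/bin/sh
# Added example, not OpenNMS code. Function names are hypothetical.
KEY='log4j.formatMsgNoLookups'
# Matches an uncommented assignment of KEY ("key=value" or "key: value").
PAT='^[[:space:]]*log4j\.formatMsgNoLookups[[:space:]]*[=:]'

# Print the effective value of KEY: the last uncommented assignment wins,
# as it does when Java loads a properties file. Prints nothing if unset.
effective_value() {
    [ -f "$1" ] || return 0
    sed -n "s/${PAT}[[:space:]]*//p" "$1" | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Succeeds only if the work-around line is in effect in the given file.
is_mitigated() {
    [ "$(effective_value "$1")" = "true" ]
}

# Idempotently apply the work-around: create the file if it is missing,
# drop stale assignments (for example "=false"), then append KEY=true.
apply_workaround() {
    file=$1
    is_mitigated "$file" && return 0
    touch "$file" || return 1
    tmp=$(mktemp) || return 1
    grep -v "$PAT" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    printf '%s=true\n' "$KEY" >> "$tmp"
    cat "$tmp" > "$file"                      # keeps the file's owner and mode
    rm -f "$tmp"
    is_mitigated "$file"
}

# Usage: sh nolookups.sh FILE...  (does nothing when no files are given)
for f in "$@"; do
    if apply_workaround "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

Run it with the properties file paths listed above as arguments, then restart the affected service; the permanent fix remains the upgrade.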
