Search Content Analytics

Page tree
Skip to end of metadata
Go to start of metadata

Accenture Search & Content Analytics has closely followed the disclosure of the Log4j 2 vulnerability CVE-2021-44228, as our product Aspire is java based.

Aspire does not use Log4j directly, and our team has reviewed our component suite and discovered no indirect use of the affected Log4j versions.

Regardless, we will continue monitoring the risk of exposure to this vulnerability by our components moving forward, and provide further guidance if necessary.

Custom Components

Aspire as a framework allows using non-default components custom built to target specific needs not covered by out-of-the-box components. These custom-built components could use directly or indirectly the version of Log4j 2 that is impacted by this vulnerability. Here are some steps to validate if your custom component might be exposed:

tar tvf custom-component-1.0.jar | grep log4j

The affected versions are log4j versions 2.0 up to 2.14.1.

Future proofing your Aspire deployment

In order to reduce the risk on any existing or new component (for log4j versions >= 2.10), we recommend adding the system property "log4j2.formatMsgNoLookups=true" at the aspire.sh or aspire.bat file:


aspire.sh:

if [ "$1" == "" ] || [ "$1" == "-startup" ] || [ "$1" == "-remote_debug" ] || [ "$1" == "-rd" ] || [ "$1" == null ] || [ "$1" == "-d" ] || [ "$1" == "-debug" ]; then
	# Set the java options
	# Initial Java heap size
	JAVA_INITIAL_MEMORY=1g

	# Maximum  Java heap size
	JAVA_MAX_MEMORY=2g

	# Maximum Java Permanent Generation Size (Java 1.7 and below) or Java Metaspace Size (Java 1.8 and above)
	JAVA_MAX_PERM_META=256m

	# set the common options
	ASPIRE_JAVA_COMMON_OPTS="-Xmx$JAVA_MAX_MEMORY -Xms$JAVA_INITIAL_MEMORY -Dfile.encoding=UTF-8"
    
    # CVE-2021-44228 vulnerability prevention
    ASPIRE_JAVA_COMMON_OPTS="$ASPIRE_JAVA_COMMON_OPTS -Dlog4j2.formatMsgNoLookups=true"

aspire.bat

rem CVE-2021-44228 vulnerability prevention
set LOG4J_PREVENTION=-Dlog4j2.formatMsgNoLookups=true
rem combine the Java options for Aspire
set ASPIRE_JAVA_OPTS=-Xmx%JAVA_MAX_MEMORY%m -Xms%JAVA_INITIAL_MEMORY%m -XX:MaxMetaspaceSize=%JAVA_MAX_META_MEMORY%m %ASPIRE_JAVA_VERSION_OPTS% %JAVA_OPTIONS% %LOG4J_PREVENTION%


If your custom component is using the affected versions of log4j, we recommend upgrading it to use 2.12.3 or 2.17.0.

For up-to-date instructions, follow https://logging.apache.org/log4j/2.x/security.html

  • No labels