Accenture Search & Content Analytics has closely followed the disclosure of the Log4j 2 vulnerability CVE-2021-44228, as our product Aspire is Java-based.
Aspire does not use Log4j directly, and our team has reviewed our component suite and found no indirect use of the affected Log4j versions.
We will nevertheless keep monitoring our components' exposure to this vulnerability and provide further guidance if necessary.
Aspire as a framework allows the use of non-default components, custom built to target needs not covered by the out-of-the-box components. Such custom-built components could directly or indirectly use a version of Log4j 2 that is impacted by this vulnerability. One way to check whether your custom component bundles Log4j is to list the entries of its jar and look for Log4j artifacts:
# A jar is a zip archive, which GNU tar cannot read; list it with the JDK's jar tool (or unzip -l)
jar tvf custom-component-1.0.jar | grep -i log4j
The affected versions are Log4j 2.0 through 2.14.1 inclusive.
To reduce the risk on any existing or new component whose Log4j version is 2.10 or later (earlier releases do not honour this property), we recommend adding the system property -Dlog4j2.formatMsgNoLookups=true to the Java options in aspire.sh or aspire.bat. Note that the Log4j project's security page (linked below) has since stopped listing this property as a sufficient mitigation on its own, so treat it as an interim measure and upgrade as described below:
if [ "$1" == "" ] || [ "$1" == "-startup" ] || [ "$1" == "-remote_debug" ] || [ "$1" == "-rd" ] || [ "$1" == null ] || [ "$1" == "-d" ] || [ "$1" == "-debug" ]; then
  # Set the java options
  # Initial Java heap size
  JAVA_INITIAL_MEMORY=1g
  # Maximum Java heap size
  JAVA_MAX_MEMORY=2g
  # Maximum Java Permanent Generation Size (Java 1.7 and below) or Java Metaspace Size (Java 1.8 and above)
  JAVA_MAX_PERM_META=256m
  # set the common options
  ASPIRE_JAVA_COMMON_OPTS="-Xmx$JAVA_MAX_MEMORY -Xms$JAVA_INITIAL_MEMORY -Dfile.encoding=UTF-8"
  # CVE-2021-44228 vulnerability prevention
  ASPIRE_JAVA_COMMON_OPTS="$ASPIRE_JAVA_COMMON_OPTS -Dlog4j2.formatMsgNoLookups=true"
rem CVE-2021-44228 vulnerability prevention
set LOG4J_PREVENTION=-Dlog4j2.formatMsgNoLookups=true
rem combine the Java options for Aspire
set ASPIRE_JAVA_OPTS=-Xmx%JAVA_MAX_MEMORY%m -Xms%JAVA_INITIAL_MEMORY%m -XX:MaxMetaspaceSize=%JAVA_MAX_META_MEMORY%m %ASPIRE_JAVA_VERSION_OPTS% %JAVA_OPTIONS% %LOG4J_PREVENTION%
If your custom component uses an affected Log4j version, we recommend upgrading it to 2.12.3 (the 2.12 line targets Java 7) or 2.17.0 (requires Java 8).
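A file-name grep only finds Log4j when it ships as a plainly named jar. The following added example (not part of Aspire or this advisory) inspects a component jar more thoroughly: it recurses into jars embedded under lib/, reads the version from log4j-core's Maven pom.properties, checks for the JndiLookup class, and classifies each finding against the 2.0 to 2.14.1 range, the 2.10 threshold for formatMsgNoLookups and the 2.12.3 / 2.17.0 upgrade targets above. The component jar it scans is a stub constructed in memory for the demonstration; the hypothetical class com/example/MyStage.class stands in for your own component code.

```python
import io
import re
import zipfile

AFFECTED_MIN = (2, 0, 0)     # first affected release per the advisory
AFFECTED_MAX = (2, 14, 1)    # last affected release
NOLOOKUPS_MIN = (2, 10, 0)   # log4j2.formatMsgNoLookups is honoured from here on
# Real entry paths inside a log4j-core jar: Maven metadata and the JNDI lookup class
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(pom_properties):
    """Extract (major, minor, patch) from the 'version=' line of pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def scan_jar(jar_bytes, location="component"):
    """Return [(location, version or None, jndi_present)] per Log4j trace, recursing into embedded jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if version or has_jndi:
            findings.append((location, version, has_jndi))
        for name in sorted(names):
            if name.lower().endswith(".jar"):  # components often carry dependencies as nested jars
                findings.extend(scan_jar(zf.read(name), f"{location}!/{name}"))
    return findings

def classify(version, has_jndi):
    """Map one finding to the advisory's guidance."""
    if version is None:
        return "JndiLookup present, version unknown: inspect manually" if has_jndi else "clean"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not affected"
    if version >= NOLOOKUPS_MIN:
        return "affected: formatMsgNoLookups applies; upgrade to 2.12.3 or 2.17.0"
    return "affected: formatMsgNoLookups not honoured; upgrade to 2.12.3 or 2.17.0"

def build_sample_component(log4j_version):
    """Constructed fixture: a component jar embedding a stub log4j-core jar of the given version."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"version={log4j_version}\n")
        z.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/MyStage.class", b"")  # hypothetical component class
        z.writestr(f"lib/log4j-core-{log4j_version}.jar", inner.getvalue())
    return outer.getvalue()
```

To scan a real component, pass the bytes of its jar to scan_jar and feed each finding to classify; the version check is the authoritative part, since JndiLookup.class also exists in fixed releases.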
For up-to-date guidance, see the Apache Log4j security page: https://logging.apache.org/log4j/2.x/security.html