Acoustic has reviewed supported versions of Tealeaf On-Premises for any instances of the vulnerable version of log4j. Some Tealeaf On-Premises versions use log4j v1.x, which is affected by CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer). These are moderate vulnerabilities that are only exploitable if JMSAppender or SocketServer is configured for use. Tealeaf On-Premises is not configured to use JMSAppender or SocketServer and is therefore not currently deemed to be vulnerable. Customers who wish to completely remove the impacted classes (net/SMTPAppender.class, net/SocketAppender.class, net/JMSAppender.class and net/SocketServer.class) from log4j v1.x can do the following:
- Download log4j-1.2.17.jar from the Downloads page
- Replace each instance of log4j-1.2.17.jar with the downloaded file (see paths below)
- Restart the Tealeaf Extractor and Tealeaf Replay services
Paths to replace log4j-1.2.17.jar (v10.2 and prior):
- <install-directory>/WebSphere/usr/servers/DOMDiffServer/apps/DOMDiffServer.war/WEB-INF/lib/log4j-1.2.17.jar
- <install-directory>/WebSphere/usr/servers/LTSServer/apps/LTSServer.war/WEB-INF/lib/log4j-1.2.17.jar
Paths to replace log4j-1.2.17.jar (v10.3):
- <installationdirectory>\apache-tomcat\apache\webapps\LTSServer\WEB-INF\lib
- <installationdirectory>\apache-tomcat\apache\webapps\DOMDiffServer\WEB-INF\lib
Note: If you applied the mitigation prior to January 11, 2022, you will need to re-apply it if you want all four classes removed. Prior to January 11, 2022 only the JMSAppender and SocketServer classes were removed from the JAR.
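The following script is an added example and is not code from Acoustic or from the Tealeaf product. It shows how to verify that a replacement log4j-1.2.17.jar really lacks the four classes named above (and how to strip them from a JAR yourself if you cannot use the downloaded file), using only the Python 3 standard library. The sample JAR it builds is constructed: the entry names match log4j 1.x, the class bytes do not. Treating `Name$Inner.class` entries as part of the named class (for example SocketAppender's Connector inner class) is an assumption made here so that inner classes are not left behind.

```python
"""Verify, or perform, removal of the impacted log4j 1.x network classes from a JAR."""
import os
import tempfile
import zipfile
from pathlib import Path

# Classes the advisory says are removed from the replacement JAR (package path, no .class).
IMPACTED_CLASSES = (
    "org/apache/log4j/net/SMTPAppender",
    "org/apache/log4j/net/SocketAppender",
    "org/apache/log4j/net/JMSAppender",
    "org/apache/log4j/net/SocketServer",
)


def is_impacted(entry_name):
    """True for an impacted class or one of its inner classes (Name$Inner.class); assumption."""
    if not entry_name.endswith(".class"):
        return False
    stem = entry_name[: -len(".class")]
    return any(stem == c or stem.startswith(c + "$") for c in IMPACTED_CLASSES)


def impacted_classes_present(jar_path):
    """Return the sorted list of impacted class entries still inside a JAR (empty = clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if is_impacted(n))


def strip_impacted_classes(src_jar, dst_jar):
    """Write dst_jar as a copy of src_jar without the impacted classes; return removed names."""
    removed = []
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if is_impacted(info.filename):
                removed.append(info.filename)
                continue
            # Passing the original ZipInfo keeps timestamps and compression type of each entry.
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def find_log4j1_jars(root):
    """Locate every log4j 1.x JAR under an install directory, whatever the version layout."""
    return sorted(str(p) for p in Path(root).rglob("log4j-1.*.jar"))


def build_sample_jar(path):
    """Constructed stand-in for log4j-1.2.17.jar: real entry names, placeholder class bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for c in IMPACTED_CLASSES:
            zf.writestr(c + ".class", b"\xca\xfe\xba\xbe")
        # Inner class that must go together with SocketAppender (assumed layout).
        zf.writestr("org/apache/log4j/net/SocketAppender$Connector.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build a sample WEB-INF/lib tree, strip its JAR in place, and report before/after state."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "LTSServer", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        jar = build_sample_jar(str(lib / "log4j-1.2.17.jar"))
        found = find_log4j1_jars(tmp)
        before = impacted_classes_present(jar)
        stripped = str(lib / "log4j-1.2.17.stripped")
        removed = strip_impacted_classes(jar, stripped)
        os.replace(stripped, jar)  # swap the cleaned JAR in, as the advisory's replace step does
        after = impacted_classes_present(jar)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
    return {"found": len(found), "before": before, "removed": removed,
            "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `impacted_classes_present()` against the downloaded JAR before copying it, and again against each path listed above after the copy; an empty list means the replacement took effect. The running JVM keeps already-loaded classes in memory, so the Extractor and Replay services still need to be restarted after the file swap. If you applied the pre-January 11, 2022 mitigation, the check will report SMTPAppender and SocketAppender as still present, which is the signal to re-apply.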