Last Updated: March 2, 2022 at 12:00PM (EST)
Status: Resolved – Solace Product Updates Released
Solace is aware of the recently reported Log4j vulnerabilities; see below for a detailed assessment of each vulnerability:
- CVE-2022-23307
- CVE-2022-23302
- CVE-2022-23305
- CVE-2021-44832
- CVE-2021-45105
- CVE-2021-44228
- CVE-2021-45046
CVE-2022-23307, CVE-2022-23302, CVE-2022-23305:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.
Impacted Product | Scope | Affected Version | Workaround | Resolution |
---|---|---|---|---|
PubSub+ Monitor | PubSub+ Monitor is not affected by CVE-2022-23307, CVE-2022-23302 or CVE-2022-23305. PubSub+ Monitor uses an affected version of log4j 1.2.x; however, the affected features in Log4j are disabled within PubSub+ Monitor. | All versions | The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve these CVEs without a problem. Here is how to implement this change: a- Stop the SolacePubSub+ Monitor b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib: c- Download the apache-log4j-2.17.1-bin.zip from Log4j – Download Apache Log4j 2 d- Extract the following jars from it: e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib f- Start the SolacePubSub+ Monitor | Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1. |
CVE-2021-44832:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.
Impacted Product | Scope | Affected Version | Workaround | Resolution |
---|---|---|---|---|
PubSub+ Cloud (Console) | 2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j. | N/A | N/A | All impacted services have been patched as of January 6, 2021 to pick up the latest Log4j version 2.17.1 |
PubSub+ for Tanzu | PubSub+ for Tanzu is not exposed to CVE-2021-44832. | N/A | N/A | Fix Released: While PubSub+ for Tanzu is not exposed to CVE-2021-44832, Solace has released PubSub+ for Tanzu version 2.15.1 to pick up the latest Log4j version 2.17.1. |
PubSub+ SolAdmin | SolAdmin is not exposed to CVE-2021-44832. | N/A | While SolAdmin is not exposed to CVE-2021-44832 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library. Delete the three log4j 2.* jar files listed in workaround #1. Download a copy of log4j 2.17 directly from Apache. Extract the three 2.17 jar files and copy them to the location from which the 2.* files were deleted. This workaround will allow SolAdmin to continue generating log files. | Fix Released: While PubSub+ SolAdmin is not exposed to CVE-2021-44832, Solace has released PubSub+ SolAdmin version 8.20.0.6 to pick up the latest Log4j version 2.17.1. |
PubSub+ Spring Boot | While PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Solace recommends updating your Log4j libraries to version 2.17.1. |
PubSub+ Spring Cloud | While PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Solace recommends updating your Log4j libraries to version 2.17.1. |
Adaptris | N/A | All versions | N/A | Solace is awaiting an official statement regarding CVE-2021-44832 from Adaptris. In the meantime, Adaptris has confirmed that the Log4j JARs can be updated to version 2.17.1 as documented by Adaptris for CVE-2021-44228 here: Apache Log4j Security Vulnerabilities |
PubSub+ Monitor | PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected. | All versions | The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change: a- Stop the SolacePubSub+ Monitor b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib: c- Download the apache-log4j-2.17.1-bin.zip from Log4j – Download Apache Log4j 2 d- Extract the following jars from it: e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib f- Start the SolacePubSub+ Monitor | Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1. |
CVE-2021-45105:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.
Impacted Product | Scope | Affected Version | Workaround | Resolution |
---|---|---|---|---|
PubSub+ Cloud (Console) | 2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j. | N/A | N/A | Fixed: All impacted services have been patched as of December 20, 2021 to pick up the latest Log4j version 2.17.0 |
PubSub+ for Tanzu | PubSub+ for Tanzu is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives. | N/A | N/A | Fix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here. |
PubSub+ SolAdmin | SolAdmin is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives. | N/A | While SolAdmin is not exposed to CVE-2021-45105 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library. Delete the three log4j 2.* jar files listed in workaround #1. Download a copy of log4j 2.17 directly from Apache. Extract the three 2.17 jar files and copy them to the location from which the 2.* files were deleted. This workaround will allow SolAdmin to continue generating log files. | Fix Released: While PubSub+ SolAdmin is not exposed to CVE-2021-45105, Solace has released PubSub+ SolAdmin version 8.20.0.6 to pick up the latest Log4j version 2.17.1. |
PubSub+ Spring Boot | While PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Solace recommends updating your Log4j libraries to version 2.17.0. |
PubSub+ Spring Cloud | While PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Solace recommends updating your Log4j libraries to version 2.17.0. |
PubSub+ Service Credentials Loader | N/A | Versions prior to 0.4.3. | N/A | Fix Released: As of version 0.4.3 PubSub+ Services Credential Loader no longer uses Log4j. |
Adaptris | N/A | All versions | N/A | Solace is awaiting an official statement regarding CVE-2021-45105 from Adaptris. In the meantime, Adaptris has confirmed that the Log4j JARs can be updated to version 2.17.0 as documented by Adaptris for CVE-2021-44228 here: Apache Log4j Security Vulnerabilities |
PubSub+ Monitor | PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected. | All versions | The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change: a- Stop the SolacePubSub+ Monitor b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib: c- Download the apache-log4j-2.17.0-bin.zip from Log4j – Download Apache Log4j 2 d- Extract the following jars from it: e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib f- Start the SolacePubSub+ Monitor | Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1. |
CVE-2021-44228 and CVE-2021-45046:
Please note that only the Solace products listed below were exposed to these vulnerabilities. Solace products not listed below are not exposed to these vulnerabilities.
Impacted Product | Scope | Affected Version | Workaround | Resolution |
---|---|---|---|---|
PubSub+ Cloud (Console) | 2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j. | N/A | N/A | Fixed: All impacted services have been patched as of December 14, 2021 to pick up the latest Log4j version 2.16.0 |
PubSub+ for Tanzu | The following 3 PubSub+ for Tanzu components are exposed to CVE-2021-44228: PubSub+ for Tanzu is not exposed to CVE-2021-45046. | All versions | Updating JVM options for running services. Service Broker: run `cf set-env solace-pubsub-broker-2.14.0 JAVA_OPTS '-Dlog4j2.formatMsgNoLookups=true'` followed by `cf restage solace-pubsub-broker-2.14.0`. Broker Agent: modify the JAVA_OPTS setting on each VM in the file /var/vcap/jobs/broker_agent/bin/job_properties.sh. WARNING: the file is unique to each deployment and VM and must not be copied between VMs. It is best to append the desired setting adjustment at the end of the file and make it additive with respect to the existing variable value, for example by appending a line like `export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"`, then use 'monit' to restart the broker_agent job for the new setting to take effect. WARNING: modifications to this file will not be maintained when the VM is recreated as part of any VM recovery or upgrade effort. Test Errand App: disable the Test Errand. | Fix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here: https://network.pivotal.io/products/solace-pubsub |
PubSub+ Spring Boot | The artifacts of these projects have a dependency on the affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Fix Released: Solace upgraded to Log4j version 2.16.0, which addresses these vulnerabilities. It is available on Maven Central and GitHub here: GitHub - SolaceProducts/solace-spring-boot: An umbrella project containing all Solace projects for Spring Boot |
PubSub+ Spring Cloud | The artifacts of these projects have a dependency on the affected Log4j version: | All versions | A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use a non-affected version. | Fix Released: Solace has issued version 3.2.1, which addresses these vulnerabilities. It is available on Maven Central. |
PubSub+ Service Credentials Loader | N/A | All versions | N/A | Fix Released: Solace has issued version 0.4.3 which removes the dependency on Log4j completely. The new version has been released and is available on Maven Central. |
PubSub+ Monitor | PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected. | All versions | The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change: a- Stop the SolacePubSub+ Monitor b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib: c- Download the apache-log4j-2.16.0-bin.zip from Log4j – Download Apache Log4j 2 d- Extract the following jars from it: e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib f- Start the SolacePubSub+ Monitor | Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1. |
Adaptris | N/A | All versions | N/A | Fix Released: Adaptris has issued version 4.3, which addresses these vulnerabilities, and advises all users to upgrade to the latest version. More details are here: Apache Log4j Security Vulnerabilities |
PubSub+ SolAdmin | Solace does not believe that these vulnerabilities can be remotely exploited in SolAdmin. | All versions | There are 2 workarounds that customers can choose from based on what works best for their situation. | Fix Released: Solace has issued a new version (8.19.1.9) of PubSub+ SolAdmin which addresses these vulnerabilities. |
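The PubSub+ Monitor and SolAdmin workarounds above replace the log4j jars in a lib directory; the following POSIX shell script is an added verification check for that step, not Solace's code and not part of this advisory. It lists the log4j-*.jar files in a directory, reads the version from each file name (assumed to be present, e.g. log4j-core-2.17.1.jar) and reports any below the fixed release 2.17.1; the directory path and threshold are parameters, and a leftover log4j 1.2.x jar is reported as outdated so the operator can decide whether it is the intentionally retained one.

```shell
#!/bin/sh
# Added example (not Solace's code): report log4j-*.jar files in a lib
# directory whose file-name version is below the fixed release named in
# the advisory. Assumes versions appear in the jar name (log4j-core-2.17.1.jar).

MIN_VERSION="${MIN_VERSION:-2.17.1}"   # fixed release from the advisory

# Return 0 when dotted numeric version $1 is >= version $2.
version_ge() {
  lowest="$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)"
  [ "$lowest" = "$2" ]
}

# Extract the trailing version from a jar name: log4j-1.2-api-2.17.1.jar -> 2.17.1
jar_version() {
  basename "$1" .jar | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p'
}

# Print one status line per log4j jar in directory $1.
# Returns 1 if any jar is outdated or unversioned, or if none are present.
check_lib_dir() {
  dir="$1"; rc=0; found=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    found=1
    name="$(basename "$jar")"
    v="$(jar_version "$jar")"
    if [ -z "$v" ]; then
      echo "UNKNOWN  $name (no version in file name)"; rc=1
    elif version_ge "$v" "$MIN_VERSION"; then
      echo "OK       $name $v"
    else
      echo "OUTDATED $name $v < $MIN_VERSION"; rc=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "no log4j jars found in $dir"; rc=1; }
  return "$rc"
}

# Usage: sh check_log4j_jars.sh /path/to/soleventmodule/lib
[ "$#" -eq 0 ] || check_lib_dir "$1"
```

On the Windows install path shown in the table, run it from a Unix-like shell (Git Bash or WSL) with the lib directory as the argument; a non-zero exit means at least one jar still needs attention.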
While only the products listed in the tables above are or were exposed to these vulnerabilities, we want to explicitly confirm that Solace brokers (appliances, software brokers, and Solace Cloud) and APIs (C, .NET, JCSMP, JMS, JavaRTO, Java, OpenMAMA, JavaScript, and Python) were never exposed. Note that while the APIs themselves are not exposed, samples for some of the Java APIs include example Log4j configuration, and applications using these APIs may have elected to use Log4j for logging.