Last Updated: January 11, 2021 at 10:00AM (EST)

Solace is aware of the recently reported Log4j vulnerabilities CVE-2021-44832, CVE-2021-45105, CVE-2021-44228, and CVE-2021-45046. Fixes and/or workarounds are available for all of the Solace products exposed to CVE-2021-44228 and CVE-2021-45046; please refer to the CVE-2021-44228 and CVE-2021-45046 table below for details. For CVE-2021-45105 and CVE-2021-44832, please refer to the corresponding tables below for details of the exposed Solace products and the available fixes and/or workarounds.

CVE-2021-44832:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.

Impacted Product | Scope | Affected Version | Workaround | Resolution

Impacted Product: PubSub+ Cloud (Console)
Scope: 2 micro-services that host the PubSub+ Cloud console were running the impacted versions of Log4j.
Affected Version: N/A
Workaround: N/A
Resolution: All impacted services have been patched as of January 6, 2021 to pick up the latest Log4j version 2.17.1.

Impacted Product: PubSub+ for Tanzu
Scope: PubSub+ for Tanzu is not exposed to CVE-2021-44832.
Affected Version: N/A
Workaround: N/A
Resolution: While PubSub+ for Tanzu is not exposed to CVE-2021-44832, Solace will issue a new version of PubSub+ for Tanzu on January 10, 2022 to pick up the latest Log4j version 2.17.1.

Impacted Product: PubSub+ SolAdmin
Scope: SolAdmin is not exposed to CVE-2021-44832.
Affected Version: N/A
Workaround: While SolAdmin is not exposed to CVE-2021-44832 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library.

  1. Delete the log4j files from your current installation of SolAdmin. Search for and delete the files log4j-1.2-api-2.*.0.jar, log4j-api-2.*.0.jar and log4j-core-2.*.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib). With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade the log4j files to a version which does not have this vulnerability:
    • Delete the three log4j 2.* jar files listed in workaround #1.
    • Download a copy of log4j 2.17 directly from Apache.
    • Extract the three 2.17 jar files and copy them to the location from which the 2.* files were deleted.
    This workaround will allow SolAdmin to continue generating log files.

Resolution: While PubSub+ SolAdmin is not exposed to CVE-2021-44832, Solace will issue a new version of PubSub+ SolAdmin by January 25, 2022 to pick up the latest Log4j version 2.17.1.

Impacted Product: PubSub+ Spring Boot
Scope: While PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version:
  • solace-java-spring-boot-autoconfigure
  • solace-jms-spring-boot-autoconfigure
  • solace-jms-spring-boot-starter
  • solace-java-spring-boot-starter
  • solace-spring-boot-starter
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Solace recommends updating your Log4j libraries to version 2.17.1.

Impacted Product: PubSub+ Spring Cloud
Scope: While PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version:
  • solace-spring-cloud-connector
  • spring-cloud-stream-binder-solace-core
  • spring-cloud-stream-binder-solace
  • spring-cloud-starter-stream-solace
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Solace recommends updating your Log4j libraries to version 2.17.1.

Impacted Product: Adaptris
Scope: N/A
Affected Version: All versions
Workaround: N/A
Resolution: Solace is awaiting an official statement regarding CVE-2021-44832 from Adaptris. In the meantime Adaptris has confirmed the Log4j JARs can be updated to version 2.17.1 as documented by Adaptris for CVE-2021-44228 here: Apache Log4j Security Vulnerabilities

Impacted Product: PubSub+ Monitor
Scope: PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected.
Affected Version: All versions
Workaround: The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
  • log4j-api-2.*.jar
  • log4j-core-2.*.jar
  • log4j-slf4j-impl-2.*.jar
c- Download the apache-log4j-2.17.1-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:
  • log4j-api-2.17.1.jar
  • log4j-core-2.17.1.jar
  • log4j-slf4j-impl-2.17.1.jar
e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor

Resolution: SL expects to fully address this issue in their next major release planned for February 2022. In the meantime, Solace recommends applying the workaround.

CVE-2021-45105:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.

Impacted Product | Scope | Affected Version | Workaround | Resolution

Impacted Product: PubSub+ Cloud (Console)
Scope: 2 micro-services that host the PubSub+ Cloud console were running the impacted versions of Log4j.
Affected Version: N/A
Workaround: N/A
Resolution: Fixed: All impacted services have been patched as of December 20, 2021 to pick up the latest Log4j version 2.17.0.

Impacted Product: PubSub+ for Tanzu
Scope: PubSub+ for Tanzu is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives.
Affected Version: N/A
Workaround: N/A
Resolution: Fix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here.

Impacted Product: PubSub+ SolAdmin
Scope: SolAdmin is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives.
Affected Version: N/A
Workaround: While SolAdmin is not exposed to CVE-2021-45105 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library.

  1. Delete the log4j files from your current installation of SolAdmin. Search for and delete the files log4j-1.2-api-2.*.0.jar, log4j-api-2.*.0.jar and log4j-core-2.*.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib). With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade the log4j files to a version which does not have this vulnerability:
    • Delete the three log4j 2.* jar files listed in workaround #1.
    • Download a copy of log4j 2.17 directly from Apache.
    • Extract the three 2.17 jar files and copy them to the location from which the 2.* files were deleted.
    This workaround will allow SolAdmin to continue generating log files.

Resolution: While PubSub+ SolAdmin is not exposed to CVE-2021-45105, Solace will issue a new version of PubSub+ SolAdmin on January 25, 2022 to pick up the latest version of Log4j.

Impacted Product: PubSub+ Spring Boot
Scope: While PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version:
  • solace-java-spring-boot-autoconfigure
  • solace-jms-spring-boot-autoconfigure
  • solace-jms-spring-boot-starter
  • solace-java-spring-boot-starter
  • solace-spring-boot-starter
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Solace recommends updating your Log4j libraries to version 2.17.0.

Impacted Product: PubSub+ Spring Cloud
Scope: While PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot, which does. The following Solace projects have sub-dependencies on an affected Log4j version:
  • solace-spring-cloud-connector
  • spring-cloud-stream-binder-solace-core
  • spring-cloud-stream-binder-solace
  • spring-cloud-starter-stream-solace
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Solace recommends updating your Log4j libraries to version 2.17.0.

Impacted Product: PubSub+ Service Credentials Loader
Scope: N/A
Affected Version: Versions prior to 0.4.3.
Workaround: N/A
Resolution: Fix Released: As of version 0.4.3 PubSub+ Services Credential Loader no longer uses Log4j.

Impacted Product: Adaptris
Scope: N/A
Affected Version: All versions
Workaround: N/A
Resolution: Solace is awaiting an official statement regarding CVE-2021-45105 from Adaptris. In the meantime Adaptris has confirmed the Log4j JARs can be updated to version 2.17.0 as documented by Adaptris for CVE-2021-44228 here: Apache Log4j Security Vulnerabilities

Impacted Product: PubSub+ Monitor
Scope: PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected.
Affected Version: All versions
Workaround: The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
  • log4j-api-2.*.jar
  • log4j-core-2.*.jar
  • log4j-slf4j-impl-2.*.jar
c- Download the apache-log4j-2.17.0-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:
  • log4j-api-2.17.0.jar
  • log4j-core-2.17.0.jar
  • log4j-slf4j-impl-2.17.0.jar
e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor

Resolution: SL expects to fully address this issue in their next major release planned for February 2022. In the meantime, Solace recommends applying the workaround.

CVE-2021-44228 and CVE-2021-45046:
Please note that only the Solace products listed below were exposed to these vulnerabilities. Solace products not listed below are not exposed to these vulnerabilities.

Impacted Product | Scope | Affected Version | Workaround | Resolution

Impacted Product: PubSub+ Cloud (Console)
Scope: 2 micro-services that host the PubSub+ Cloud console were running the impacted versions of Log4j.
Affected Version: N/A
Workaround: N/A
Resolution: Fixed: All impacted services have been patched as of December 14, 2021 to pick up the latest Log4j version 2.16.0.

Impacted Product: PubSub+ for Tanzu
Scope: The following 3 PubSub+ for Tanzu components are exposed to CVE-2021-44228:
  • The Solace Service Broker is vulnerable to this attack from authenticated users who have permission to create services or service keys in Cloud Foundry.
  • The Broker Agent, running on the individual broker VMs, is vulnerable to attacks only from applications within Tanzu that have access through their application security group and have Tanzu admin credentials.
  • The Test Errand App is vulnerable but is a short-lived application which can be disabled for additional security.
PubSub+ for Tanzu is not exposed to CVE-2021-45046.
Affected Version: All versions
Workaround: Updating JVM options for running services:

Service Broker
  cf set-env solace-pubsub-broker-2.14.0 JAVA_OPTS '-Dlog4j2.formatMsgNoLookups=true'
  cf restage solace-pubsub-broker-2.14.0

Broker Agent
Modify the JAVA_OPTS setting on each VM in the file /var/vcap/jobs/broker_agent/bin/job_properties.sh.

WARNING: The file is unique to each deployment and VM and must not be copied between VMs.

It is best to append the desired setting adjustment at the end of the file and make it additive with respect to the existing variable value, for example by appending a line like:
  export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Use 'monit' to restart the broker_agent job for the new setting to take effect.

WARNING: Modifications to this file will not be maintained when the VM is recreated as part of any VM recovery or upgrade effort.

Test Errand App
Disable the Test Errand.

Resolution: Fix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here: https://network.pivotal.io/products/solace-pubsub
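The Broker Agent step above warns that the JAVA_OPTS change must be additive to the existing value and that it is lost when the VM is recreated, so it is worth being able to re-apply it safely and to confirm what the job will actually see. The following is an added example, not Solace's or VMware's code: a POSIX shell helper that appends the export line only if the option is not already in the file, plus a function that sources the file in a subshell to read back the effective JAVA_OPTS. The sample file content used here is constructed; the real /var/vcap/jobs/broker_agent/bin/job_properties.sh is generated per VM, and the example assumes nothing about its other contents beyond it being a sourceable shell file.

```shell
#!/bin/sh
# Added example (not Solace's or Tanzu's code): append a JVM option to the
# JAVA_OPTS export in a job_properties-style file without clobbering the
# existing value, and only once, then read back the effective value.
# The real /var/vcap/jobs/broker_agent/bin/job_properties.sh is generated per
# VM; this script assumes nothing about its other contents.

# append_java_opt FILE OPTION
#   Appends: export JAVA_OPTS="$JAVA_OPTS OPTION"
#   Skips the edit if OPTION already appears in FILE, so re-running (for
#   example after a VM recreate wiped the change) never duplicates the line.
append_java_opt() {
    file="$1"
    opt="$2"
    [ -f "$file" ] || { echo "append_java_opt: no such file: $file" >&2; return 2; }
    if grep -qF -- "$opt" "$file"; then
        return 0
    fi
    # Single quotes keep $JAVA_OPTS literal so the shell expands it when the
    # file is sourced; that is what makes the change additive.
    printf '\nexport JAVA_OPTS="$JAVA_OPTS %s"\n' "$opt" >> "$file"
}

# effective_java_opts FILE
#   Sources FILE in a subshell and prints the resulting JAVA_OPTS, i.e. what
#   the job would see; the subshell keeps the file's exports out of this script.
effective_java_opts() {
    ( . "$1" >/dev/null 2>&1; printf '%s' "$JAVA_OPTS" )
}

# java_opts_has FILE OPTION -> exit 0 if OPTION is one of the effective options
java_opts_has() {
    case " $(effective_java_opts "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh java_opts.sh /var/vcap/jobs/broker_agent/bin/job_properties.sh -Dlog4j2.formatMsgNoLookups=true
if [ "$#" -eq 2 ]; then
    append_java_opt "$1" "$2"
    java_opts_has "$1" "$2" && echo "JAVA_OPTS now contains $2"
fi
```

After the edit, restarting the broker_agent job with monit is still required, as the workaround states; the read-back only confirms the file, not the running process.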

Impacted Product: PubSub+ Spring Boot
Scope: The artifacts of these projects have a dependency on the affected Log4j version:
  • solace-java-cf-env
  • solace-java-spring-boot-autoconfigure
  • solace-jms-spring-boot-autoconfigure
  • solace-jms-spring-boot-starter
  • solace-java-spring-boot-starter
  • solace-spring-boot-starter
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Fix Released: Solace upgraded to Log4j version 2.16.0 which addresses these vulnerabilities. It's available on Maven Central and GitHub here: GitHub - SolaceProducts/solace-spring-boot: An umbrella project containing all Solace projects for Spring Boot

Impacted Product: PubSub+ Spring Cloud
Scope: The artifacts of these projects have a dependency on the affected Log4j version:
  • solace-spring-cloud-connector
  • spring-cloud-stream-binder-solace-core
  • spring-cloud-stream-binder-solace
  • spring-cloud-starter-stream-solace
Affected Version: All versions
Workaround: A developer using any of these projects as a dependency can use their build-time tools to override the choice of Log4j libraries and use an unaffected version.
Resolution: Fix Released: Solace has issued version 3.2.1 which addresses these vulnerabilities. It's available on Maven Central.

Impacted Product: PubSub+ Service Credentials Loader
Scope: N/A
Affected Version: All versions
Workaround: N/A
Resolution: Fix Released: Solace has issued version 0.4.3 which removes the dependency on Log4j completely. The new version has been released and is available on Maven Central.

Impacted Product: PubSub+ Monitor
Scope: PubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog) is affected.
Affected Version: All versions
Workaround: The log4j* jars can be updated in \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
  • log4j-api-2.7.jar
  • log4j-core-2.7.jar
  • log4j-slf4j-impl-2.7.jar
c- Download the apache-log4j-2.16.0-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:
  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar
e- Add the above jars to \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor

Resolution: SL expects to fully address this issue in their next major release planned for February 2022. In the meantime, Solace recommends applying the workaround.

Impacted Product: Adaptris
Scope: N/A
Affected Version: All versions
Workaround: N/A
Resolution: Fix Released: Adaptris has issued version 4.3 which addresses these vulnerabilities and advises all users to upgrade to the latest version. More details are here: Apache Log4j Security Vulnerabilities

Impacted Product: PubSub+ SolAdmin
Scope: Solace does not believe that these vulnerabilities can be remotely exploited in SolAdmin.
Affected Version: All versions
Workaround: There are 2 workarounds that customers can choose from based on what works best for their situation.

  1. Delete the log4j files from your current installation of SolAdmin. Search for and delete the files log4j-1.2-api-2.14.0.jar, log4j-api-2.14.0.jar and log4j-core-2.14.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib). With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade the log4j files to a version which does not have this vulnerability:
    • Delete the three log4j 2.14 jar files listed in workaround #1.
    • Download a copy of log4j 2.16 directly from Apache.
    • Extract the three 2.16 jar files and copy them to the location from which the 2.14 files were deleted.
    This workaround will allow SolAdmin to continue generating log files.

Resolution: Fix Released: Solace has issued a new version (8.19.1.9) of PubSub+ SolAdmin which addresses these vulnerabilities.

While only the products listed in the tables above are or were exposed to these vulnerabilities, we want to explicitly confirm that Solace brokers (appliances, software brokers, and Solace Cloud) and APIs (C, .NET, JCSMP, JMS, JavaRTO, Java, OpenMAMA, JavaScript, and Python) were never exposed. Note that while the APIs themselves are not exposed, samples for some of the Java APIs include example Log4j configuration, and applications using these APIs may have elected to use Log4j for logging.
