Last Updated: March 2, 2022 at 12:00PM (EST)
Status: Resolved – Solace Product Updates Released

Solace is aware of the recently reported Log4j vulnerabilities, see below for a detailed assessment of each vulnerability:

CVE-2022-23307, CVE-2022-23302, CVE-2022-23305:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.

Impacted ProductScopeAffected VersionWorkaroundResolution
PubSub+ MonitorPubSub+ Monitor is not affect by CVE-2022-23307, CVE-2022-23302 or CVE-2022-23305. PubSub+ Monitor uses an affect version of log4j 1.2.x, however the affected features in Log4j are disabled within PubSub+ Monitor.All versionsThe log4j* jars can be updated in the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib

  • log4j-api-2.*.jar

  • log4j-core-2.*.jar

  • log4j-slf4j-impl-2.*.jar


c- Download the apache-log4j-2.17.1-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:

  • log4j-api-2.17.1.jar

  • log4j-core-2.17.1.jar

  • log4j-slf4j-impl-2.17.1.jar


e- Add the above jars to the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor
Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1.

CVE-2021-44832:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.

Impacted ProductScopeAffected VersionWorkaroundResolution
PubSub+ Cloud (Console)2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j.N/AN/AAll impacted services have been patched as of January 6, 2021 to pick up the latest Log4j version 2.17.1
PubSub+ for TanzuPubSub+ for Tanzu is not exposed to CVE-2021-44832.N/AN/AFix Released: While PubSub+ for Tanzu is not exposed to CVE-2021-44832, Solace has released PubSub+ for Tanzu version 2.15.1 to pick up the latest Log4j version 2.17.1.
PubSub+ SolAdminSolAdmin is not exposed to CVE-2021-44832.N/AWhile SolAdmin is not exposed to CVE-2021-44832 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library.

  1. Delete the log4j files from your current installation of SolAdmin. Search and delete files log4j-1.2-api-2.*.0.jar, log4j-api-2.*.0.jar and log4j-core-2.*.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib)”. With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade log4j files to a version which does not have this vulnerability:


    • Delete the three log4j 2.* jar files listed in workaround #1.

      Download a copy of log4j 2.17 directly from Apache.

      Extract three 2.17 jar files and copy them to the location from which the 2.* files were deleted.

      This workaround will allow SolAdmin to continue generating log files.
Fix Released: While PubSub+ for SolAdmin is not exposed to CVE-2021-44832, Solace has released PubSub+ for SolAdmin version 8.20.0.6 to pick up the latest version Log4j 2.17.1.
PubSub+ Spring BootWhile PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot which does. The following Solace projects have sub-dependencies on an affected Log4j version:

  • solace-java-spring-boot-autoconfigure

  • solace-jms-spring-boot-autoconfigure

  • solace-jms-spring-boot-starter

  • solace-java-spring-boot-starter

  • solace-spring-boot-starter

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Solace recommends updating your Log4j libraries to version 2.17.1.
PubSub+ Spring CloudWhile PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot which does. The following Solace projects have sub-dependencies on an affected Log4j version:

  • solace-spring-cloud-connector

  • spring-cloud-stream-binder-solace-core

  • spring-cloud-stream-binder-solace

  • spring-cloud-starter-stream-solace

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Solace recommends updating your Log4j libraries to version 2.17.1.
AdaptrisN/AAll versionsN/ASolace is awaiting an official statement regarding CVE-2021-44832 from Adaptris. In the meantime Adaptris has confirmed the Log4j JARs can be updated to version 2.17.1 as documented by Adaptris for CVE-2021-44228 here:
Apache Log4j Security Vulnerabilities
PubSub+ MonitorPubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog), is affectedAll versionsThe log4j* jars can be updated in the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib

  • log4j-api-2.*.jar

  • log4j-core-2.*.jar

  • log4j-slf4j-impl-2.*.jar


c- Download the apache-log4j-2.17.1-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:

  • log4j-api-2.17.1.jar

  • log4j-core-2.17.1.jar

  • log4j-slf4j-impl-2.17.1.jar


e- Add the above jars to the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor
Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1.

CVE-2021-45105:
Please note that only the Solace products listed below are exposed to this vulnerability. Solace products not listed below are not exposed to this vulnerability.

Impacted ProductScopeAffected VersionWorkaroundResolution
PubSub+ Cloud (Console)2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j.N/AN/AFixed: All impacted services have been patched as of December 20, 2021 to pick up the latest Log4j version 2.17.0
PubSub+ for TanzuPubSub+ for Tanzu is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives.N/AN/AFix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here.
PubSub+ SolAdminSolAdmin is not exposed to CVE-2021-45105 as the product does not use context string lookups in Log4j formatting directives.N/AWhile SolAdmin is not exposed to CVE-2021-45105 due to how it uses Log4j, users can elect to implement one of the following workarounds to avoid using an impacted version of the library.

  1. Delete the log4j files from your current installation of SolAdmin. Search and delete files log4j-1.2-api-2.*.0.jar, log4j-api-2.*.0.jar and log4j-core-2.*.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib)”. With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade log4j files to a version which does not have this vulnerability:


    • Delete the three log4j 2.* jar files listed in workaround #1.

      Download a copy of log4j 2.17 directly from Apache.

      Extract three 2.17 jar files and copy them to the location from which the 2.* files were deleted.

      This workaround will allow SolAdmin to continue generating log files.
Fix Released: While PubSub+ for SolAdmin is not exposed to CVE-2021-45105, Solace has released PubSub+ for SolAdmin version 8.20.0.6 to pick up the latest version Log4j 2.17.1.
PubSub+ Spring BootWhile PubSub+ Spring Boot itself has no dependencies on Log4j, it uses Spring Boot which does. The following Solace projects have sub-dependencies on an affected Log4j version:

  • solace-java-spring-boot-autoconfigure

  • solace-jms-spring-boot-autoconfigure

  • solace-jms-spring-boot-starter

  • solace-java-spring-boot-starter

  • solace-spring-boot-starter

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Solace recommends updating your Log4j libraries to version 2.17.0.
PubSub+ Spring CloudWhile PubSub+ Spring Cloud itself has no dependencies on Log4j, it uses Spring Boot which does. The following Solace projects have sub-dependencies on an affected Log4j version:

  • solace-spring-cloud-connector

  • spring-cloud-stream-binder-solace-core

  • spring-cloud-stream-binder-solace

  • spring-cloud-starter-stream-solace

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Solace recommends updating your Log4j libraries to version 2.17.0.
PubSub+ Service Credentials LoaderN/AVersions prior to 0.4.3.N/AFix Released: As of version 0.4.3 PubSub+ Services Credential Loader no longer uses Log4j.
AdaptrisN/AAll versionsN/ASolace is awaiting an official statement regarding CVE-2021-45105 from Adaptris. In the meantime Adaptris has confirmed the Log4j JARs can be updated to version 2.17.0 as documented by Adaptris for CVE-2021-44228 here:
Apache Log4j Security Vulnerabilities
PubSub+ MonitorPubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog), is affectedAll versionsThe log4j* jars can be updated in the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:

a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib

  • log4j-api-2.*.jar

  • log4j-core-2.*.jar

  • log4j-slf4j-impl-2.*.jar


c- Download the apache-log4j-2.17.0-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:

  • log4j-api-2.17.0.jar

  • log4j-core-2.17.0.jar

  • log4j-slf4j-impl-2.17.0.jar


e- Add the above jars to the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
f- Start the SolacePubSub+ Monitor
Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1.

CVE-2021-44228 and CVE-2021-45046:
Please note that only the Solace products listed below were exposed to these vulnerabilities. Solace products not listed below are not exposed to these vulnerabilities.

Impacted ProductScopeAffected VersionWorkaroundResolution
PubSub+ Cloud (Console)2 micro-services that host PubSub+ Cloud console were running the impacted versions of Log4j. N/AN/AFixed: All impacted services have been patched as of December 14, 2021 to pick up the latest Log4j version 2.16.0
PubSub+ for TanzuThe following 3 PubSub+ for Tanzu components are exposed to CVE-2021-44228

  • The Solace Service Broker is vulnerable to this attack from authenticated users who have permission to create services or service keys in Cloud Foundry

  • The Broker Agent, running on the individual broker VMs, is vulnerable to attacks only from applications within Tanzu that have access through their application security group and have Tanzu admin credentials.

  • The Test Errand App is vulnerable but is a short lived application which can be disabled for additional security.

  • PubSub+ for Tanzu is not exposed to CVE-2021-45046
All versionsUpdating JVM options for running services:

Service Broker
cf set-env solace-pubsub-broker-2.14.0 JAVA_OPTS '-Dlog4j2.formatMsgNoLookups=true'
cf restage solace-pubsub-broker-2.14.0

Broker Agent
Modifying the JAVA_OPTS setting on each VM in this file /var/vcap/jobs/broker_agent/bin/job_properties.sh

WARNING: The file is unique to each deployment and VM and must not be copied between VMs.

It is best to append the desired setting adjustment at the end of the file and make it additive in respect to the existing variable value. For example by appending a line like:
export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Using 'monit' and restarting the broker_agent job for the new setting to take effect.

WARNING: Modifications to this file will not be maintained when the VM is recreated as part of any VM recovery or upgrade effort.

Test Errand App
Disable the Test Errand.
Fix Released: Solace has released an updated version of PubSub+ for Tanzu 2.15 which addresses these vulnerabilities. The new version can be downloaded here: https://network.pivotal.io/products/solace-pubsub
PubSub+ Spring BootThe artifacts of these projects have a dependency on the affected Log4j version

  • solace-java-cf-env

  • solace-java-spring-boot-autoconfigure

  • solace-jms-spring-boot-autoconfigure

  • solace-jms-spring-boot-starter

  • solace-java-spring-boot-starter

  • solace-spring-boot-starter

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Fix Released: Solace upgraded to Log4j version 2.16.0 which addresses these vulnerabilities. It's available on Maven Central and GitHub here: GitHub - SolaceProducts/solace-spring-boot: An umbrella project containing all Solace projects for Spring Boot
PubSub+ Spring CloudThe artifacts of these projects have a dependency on the affected Log4j version

  • solace-spring-cloud-connector

  • spring-cloud-stream-binder-solace-core

  • spring-cloud-stream-binder-solace

  • spring-cloud-starter-stream-solace

All versionsA developer using any of these projects as dependencies can use their build time tools to override the choice of Log4j libraries and use a non affected version.Fix Released: Solace has issued version 3.2.1 which addresses these vulnerabilities. It's available on Maven Central.
PubSub+ Service Credentials LoaderN/AAll versionsN/AFix Released: Solace has issued version 0.4.3 which removes the dependency on Log4j completely.

The new version has been released and is available on Maven Central.
PubSub+ MonitorPubSub+ Monitor main functionality is NOT affected. The Solace Event Module component (used for syslog), is affectedAll versionsThe log4j* jars can be updated in the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib to resolve both CVEs without a problem. Here is how to implement this change:
a- Stop the SolacePubSub+ Monitor
b- Remove the following jars from \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib

  • log4j-api-2.7.jar

  • log4j-core-2.7.jar

  • log4j-slf4j-impl-2.7.jar


c- Download the apache-log4j-2.16.0-bin.zip from Log4j – Download Apache Log4j 2
d- Extract the following jars from it:

  • log4j-api-2.16.0.jar

  • log4j-core-2.16.0.jar

  • log4j-slf4j-impl-2.16.0.jar

  • e- Add the above jars to the \SolacePubSubMonitor\rtvapm\solmon\soleventmodule\lib
    f- Start the SolacePubSub+ Monitor
Fix Released: PubSub+ Monitor version 6.1.2 has been released to pick up the latest Log4j version 2.17.1.
AdaptrisN/AAll versionsN/AFix Released: Adaptris has issued version 4.3 which addresses these vulnerabilities and advise all users to upgrade to the latest version. More details are here: Apache Log4j Security Vulnerabilities
PubSub+ SolAdminSolace does not believe that these vulnerabilities can be remotely exploited in SolAdmin.All versionsThere are 2 workarounds that customers can choose based on what works best for their situation.

  1. Delete the log4j files from your current installation of SolAdmin. Search and delete files log4j-1.2-api-2.14.0.jar, log4j-api-2.14.0.jar and log4j-core-2.14.0.jar (default Windows location C:\Program Files (x86)\SolAdmin\lib)”. With this workaround in place, SolAdmin will be unable to generate log files.

  2. Upgrade log4j files to a version which does not have this vulnerability
    Delete the three log4j 2.14 jar files listed in workaround #1.
    Download a copy of log4j 2.16 directly from Apache.
    Extract three 2.16 jar files and copy them to the location from which the 2.14 files were deleted.
    This workaround will allow SolAdmin to continue generating log files.

Fix Released: Solace has issued a new version (8.19.1.9) of PubSub+ SolAdmin which addresses these vulnerabilities.

While only the products listed in the tables above are or were exposed to these vulnerabilities we want to explicitly confirm that Solace brokers (appliances, software brokers, and Solace Cloud) and APIs (C, .NET, JCSMP, JMS, JavaRTO, Java, OpenMAMA, JavaScript, and Python) were never exposed. Note that while the APIs themselves are not exposed samples for some of the Java APIs include example Log4j configuration and applications using these APIs may have elected to use Log4j for logging.

[class^="wpforms-"]
[class^="wpforms-"]