Translate
Dear clients,
A critical vulnerability was discovered in Log4j, a widely used Apache logging framework. This library is used in applications worldwide, including MultiTrans, which is vulnerable to exploitation of this Apache bug.
We encourage all customers to mitigate the risk immediately as follows.
- RWS hosted customers: RWS is handling the mitigation directly. You may be notified if a restart of your server is required.
- On-premise (self-hosted) customers: Please take the following steps as soon as possible.
Steps to mitigate this vulnerability:
- Stop the MultiTrans Flow service.
- Add the parameter -Dlog4j2.formatMsgNoLookups=true to –JvmOptions in C:\Program Files\Donnelley\MultiTrans Flow 64\service_install.bat.
- Copy the attached xml file to C:\Program Files\Donnelley\MultiTrans Flow 64\JBoss - EWS\share\apache-tomcat-X.X.XX\webapps\ROOT\WEB-INF\classes, where X.X.XX is the precise Apache Tomcat version number you have installed.
<?xml version="1.0" encoding="UTF-8" ?> <Configuration status="WARN" monitorInterval="30"> <Appenders> <Async name="loadTimeLogAsync"> <AppenderRef ref="loadTimeLog" /> </Async> <!-- FlowLogAppender --> <RollingFile name="FlowLogAppender" fileName = "logs/flow_log.log" filePattern="logs/flow_log-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile > <!-- FlowAllLogAppender --> <RollingFile name="FlowAllLogAppender" fileName = "logs/flow_all_log.log" filePattern="logs/flow_all_log-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile > <!-- Standard out appender --> <Console name="stdout" target="SYSTEM_OUT"> <PatternLayout> <Pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</Pattern> </PatternLayout> </Console> <!-- Hibernate appender --> <RollingFile name="hibernateDefault" fileName = "logs/Hibernate.log" filePattern="logs/Hibernate-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%d{ABSOLUTE} %5p %F:%L - %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- Metrics appender --> <RollingFile name="metrics" fileName = "logs/Metrics.log" filePattern="logs/Metrics-%d{yyyy-MM-dd_HHmm}.log.gz" append = "true"> <PatternLayout> <Pattern>%d{yyyy/MM/dd HH:mm:ss.SSS},%m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- External Web Service appender --> <RollingFile name="externalWebService" fileName = "logs/ExternalWebService.log" filePattern="logs/ExternalWebService-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%d{ABSOLUTE} %5p %F:%L - %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- Sessions appender --> <RollingFile name="sessionLog" fileName = "logs/SessionLog.log" filePattern="logs/SessionLog-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- System Settings appender --> <RollingFile name="systemSettingsLog" fileName = "logs/SystemSettingsLog.log" filePattern="logs/SystemSettingsLog-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>"%d{yyyy/MM/dd HH:mm:ss} - %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- Flow API appender --> <RollingFile name="flowApiLog" fileName = "logs/FlowAPI.log" filePattern="logs/FlowAPI-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- C3P0 appender --> <RollingFile name="c3p0Log" fileName = "logs/c3p0.log" filePattern="logs/c3p0-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- Access / Load Time appender --> <RollingFile name="loadTimeLog" fileName = "logs/UsageLog.log" filePattern="logs/UsageLog-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookup}%n</Pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile> <!-- FlowLogAppender --> <RollingFile name="FlowMailLogAppender" fileName = "maillog/flow_mail_log.log" filePattern="logs/flow_mail_log-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile > <!-- SIGMALogAppender --> <RollingFile name="SIGMALogAppender" fileName = "logs/sigma.log" filePattern="logs/sigma-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile > <!-- SIGMALogAppender for QA --> <RollingFile name="SIGMALogAppenderQA" fileName = "C:\inetpub\wwwroot\sigma.htm" filePattern="logs/sigma-%d{yyyy-MM-dd_HHmm}.log.gz" > <PatternLayout> <pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookup}%n</pattern> </PatternLayout> <Policies> <CronTriggeringPolicy schedule="0 0 0 * * ?"/> </Policies> </RollingFile > </Appenders> <Loggers> <!-- Hibernate loggers --> <Logger name="org.hibernate" additivity="false" level ="error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.hql.ast.AST" additivity="false" level ="error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.SQL" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.type" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.tool.hbm2ddl" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.hql" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.cache" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.transaction" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="org.hibernate.jdbc" additivity="false" level = "error" > <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Hibernate: Treecache logger --> <Logger name="org.jgroups.JChannelFactory" additivity="false" level = "error"> <AppenderRef ref="hibernateDefault" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Metrics logger --> <Logger name="com.beetext.flow2.metrics" additivity="false" level = "INFO"> <AppenderRef ref="metrics" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- External Web Service logger --> <Logger name="com.beetext.flow2.util.RequestUtil$ExternalWebServiceNotificationRunnable" additivity="false" level = "DEBUG"> <AppenderRef ref="externalWebService" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name="com.beetext.flow2.external.ws.externalSystem" additivity="false" level = "DEBUG"> <AppenderRef ref="externalWebService" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Sessions logger --> <Logger name="com.beetext.flow2.service.usagelog.SessionLogManager" additivity="false" level = "DEBUG"> <AppenderRef ref="sessionLog" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- System Settings logger --> <Logger name="com.beetext.flow2.util.FlowSystemSettingsLog" additivity="false" level = "DEBUG"> <AppenderRef ref="systemSettingsLog" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Flow API logger --> <Logger name="com.beetext.flow2.external.ws.FlowRequest" additivity="false" level = "ERROR"> <AppenderRef ref="flowApiLog" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Flow external REST API --> <Logger name="com.beetext.flow2.servlet.restexternal" additivity="false" level = "ERROR"> <AppenderRef ref="flowApiLog" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- C3P0 logger --> <Logger name="com.mchange" additivity="false" level = "INFO"> <AppenderRef ref="c3p0Log" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Access / Load Time appender --> <Logger name="com.beetext.flow2.metrics.usage.UsageMonitor" additivity="false" level ="INFO"> <AppenderRef ref="loadTimeLogAsync" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Unit / Integration tests logger --> <Logger name="com.beetext.flow2.test.IntegrationTestSuite" additivity="false" level = "INFO"> <AppenderRef ref="stdout" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <!-- Swagger --> <Logger name="io.swagger" additivity="true" level = "info"> <AppenderRef ref="stdout" /> </Logger> <!-- Reflections --> <Logger name="org.reflections" additivity="true" level = "info"> <AppenderRef ref="stdout" /> </Logger> <Logger name = "com.beetext.flow2.util.FlowMailLog" additivity="true" level="INFO"> <AppenderRef ref ="FlowMailLogAppender" /> <AppenderRef ref="FlowAllLogAppender" /> </Logger> <Logger name = "com.beetext.flow2.servlet.rest.sigma" additivity="true" level="DEBUG"> <AppenderRef ref ="SIGMALogAppender" /> <AppenderRef ref ="SIGMALogAppenderQA" /> </Logger> <Logger name = "com.beetext.flow2.api.java.service.sigma" additivity="true" level="DEBUG"> <AppenderRef ref ="SIGMALogAppender" /> <AppenderRef ref ="SIGMALogAppenderQA" /> </Logger> <Logger name = "com.beetext.flow2.external.client.rest.sigma" additivity="true" level="DEBUG"> <AppenderRef ref ="SIGMALogAppender" /> <AppenderRef ref ="SIGMALogAppenderQA" /> </Logger> <Logger name = "com.beetext.flow2.data.sigma" additivity="true" level="DEBUG"> <AppenderRef ref ="SIGMALogAppender" /> <AppenderRef ref ="SIGMALogAppenderQA" /> </Logger> <!-- Standard out logger --> <Root level = "INFO"> <AppenderRef ref="stdout" /> <AppenderRef ref="FlowLogAppender" /> <AppenderRef ref="FlowAllLogAppender" /> </Root> </Loggers> </Configuration> - Run as administrator the service_remove.bat file at C:\Program Files\Donnelley\MultiTrans Flow 64\.
- Run as administrator the previously edited service_install.bat at C:\Program Files\Donnelley\MultiTrans Flow 64\.
- Start the MultiTrans Flow service.
You can validate that the above steps were successful by monitoring the log file at C:\Program Files\Donnelley\MultiTrans Flow 64\runtime\logs\error.log. The following will appear:
INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true
This configuration change will be added by default to the January release of MultiTrans 7.0, therefore following that release, MultiTrans will not be susceptible to this exploit. The Java framework in MultiTrans will also be upgraded in the January release for security purposes.
The Log4J library will be updated in a future release of MultiTrans, following a full investigation of the ramifications of this upgrade.
We apologize for any inconvenience this may cause.
The MultiTrans Product Team
Added the bat File names
[edited by: Djamil Bouchentouf at 7:23 AM (GMT 0) on 14 Dec 2021]
