Important notice re. Apache Log4j Vulnerability

Dear clients,

A critical vulnerability was discovered in Log4j, a widely used Apache logging framework. This library is used in applications worldwide, including MultiTrans, which is vulnerable to exploitation of this Apache bug.

We encourage all customers to mitigate the risk immediately as follows.

  • RWS hosted customers: RWS is handling the mitigation directly. You may be notified if a restart of your server is required.
  • On-premise (self-hosted) customers: Please take the following steps as soon as possible.

Steps to mitigate this vulnerability:

  1. Stop the MultiTrans Flow service.
  2. Add the parameter -Dlog4j2.formatMsgNoLookups=true to --JvmOptions in C:\Program Files\Donnelley\MultiTrans Flow 64\service_install.bat.
  3. Copy the attached XML file to C:\Program Files\Donnelley\MultiTrans Flow 64\JBoss - EWS\share\apache-tomcat-X.X.XX\webapps\ROOT\WEB-INF\classes, where X.X.XX is the precise Apache Tomcat version number you have installed.
    <?xml version="1.0" encoding="UTF-8" ?>
    <Configuration status="WARN" monitorInterval="30">
    
    	<Appenders>
    	
    		<Async name="loadTimeLogAsync">
    			<AppenderRef  ref="loadTimeLog" />
    		</Async>
    	
    		<!-- FlowLogAppender -->
    		<RollingFile  name="FlowLogAppender" fileName = "logs/flow_log.log" filePattern="logs/flow_log-%d{yyyy-MM-dd_HHmm}.log.gz" >
    			<PatternLayout>
    				<pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</pattern>
    			</PatternLayout>		
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>				
    		</RollingFile >
    		
    		<!-- FlowAllLogAppender -->		
    		<RollingFile  name="FlowAllLogAppender" fileName = "logs/flow_all_log.log" filePattern="logs/flow_all_log-%d{yyyy-MM-dd_HHmm}.log.gz" >
    			<PatternLayout>
    				<pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</pattern>
    			</PatternLayout>		
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>				
    		</RollingFile >
    		
    
    		<!-- Standard out appender -->
    		<Console name="stdout" target="SYSTEM_OUT">
    		    <PatternLayout>
    				<Pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</Pattern>
    		    </PatternLayout>		  
        	</Console>    		
    		
    		<!-- Hibernate appender -->
    		<RollingFile name="hibernateDefault" fileName = "logs/Hibernate.log" filePattern="logs/Hibernate-%d{yyyy-MM-dd_HHmm}.log.gz" >			
    			<PatternLayout>
    				<Pattern>%d{ABSOLUTE} %5p %F:%L - %m{nolookups}%n</Pattern>
    		    </PatternLayout>		  
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>	
    		</RollingFile>
    		
    		<!-- Metrics appender -->
    		<RollingFile name="metrics" fileName = "logs/Metrics.log" filePattern="logs/Metrics-%d{yyyy-MM-dd_HHmm}.log.gz" append = "true">
    		
    			<PatternLayout>
    				<Pattern>%d{yyyy/MM/dd HH:mm:ss.SSS},%m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    		
    		<!-- External Web Service appender -->
    		<RollingFile name="externalWebService" fileName = "logs/ExternalWebService.log" filePattern="logs/ExternalWebService-%d{yyyy-MM-dd_HHmm}.log.gz" >			
    
    			<PatternLayout>
    				<Pattern>%d{ABSOLUTE} %5p %F:%L - %m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    				
    		<!-- Sessions appender -->
    		<RollingFile name="sessionLog" fileName = "logs/SessionLog.log" filePattern="logs/SessionLog-%d{yyyy-MM-dd_HHmm}.log.gz" >
    		
    			<PatternLayout>
    				<Pattern>%m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    		
    		<!-- System Settings appender -->
    		<RollingFile name="systemSettingsLog" fileName = "logs/SystemSettingsLog.log" filePattern="logs/SystemSettingsLog-%d{yyyy-MM-dd_HHmm}.log.gz" >		
    			<PatternLayout>
    				<Pattern>"%d{yyyy/MM/dd HH:mm:ss} - %m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    		
    		<!-- Flow API appender -->
    		<RollingFile name="flowApiLog" fileName = "logs/FlowAPI.log" filePattern="logs/FlowAPI-%d{yyyy-MM-dd_HHmm}.log.gz" >
    		
    			<PatternLayout>
    				<Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    		
    		<!-- C3P0 appender -->
    		<RollingFile name="c3p0Log" fileName = "logs/c3p0.log" filePattern="logs/c3p0-%d{yyyy-MM-dd_HHmm}.log.gz" >
    				
    			<PatternLayout>
    				<Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    		
    		<!-- Access / Load Time appender -->
    		<RollingFile name="loadTimeLog" fileName = "logs/UsageLog.log" filePattern="logs/UsageLog-%d{yyyy-MM-dd_HHmm}.log.gz" >
    		
    			<PatternLayout>
    				<Pattern>%d{yyyy/MM/dd HH:mm:ss} : %m{nolookups}%n</Pattern>
    			</PatternLayout>
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>			
    		</RollingFile>
    
    		<!-- FlowMailLogAppender -->
    		<RollingFile  name="FlowMailLogAppender" fileName = "maillog/flow_mail_log.log" filePattern="logs/flow_mail_log-%d{yyyy-MM-dd_HHmm}.log.gz" >
    			<PatternLayout>
    				<pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</pattern>
    			</PatternLayout>		
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>				
    		</RollingFile >
    		 <!-- SIGMALogAppender  -->
    		<RollingFile  name="SIGMALogAppender" fileName = "logs/sigma.log" filePattern="logs/sigma-%d{yyyy-MM-dd_HHmm}.log.gz" >
    			<PatternLayout>
    				<pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</pattern>
    			</PatternLayout>		
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>				
    		</RollingFile >			
    
    		 <!-- SIGMALogAppender for QA  -->
    		<RollingFile  name="SIGMALogAppenderQA" fileName = "C:\inetpub\wwwroot\sigma.htm" filePattern="logs/sigma-%d{yyyy-MM-dd_HHmm}.log.gz" >
    			<PatternLayout>
    				<pattern>%d{ABSOLUTE} [%5p] [%5tid] (%F:%L) - %m{nolookups}%n</pattern>
    			</PatternLayout>		
    			<Policies>
    				<CronTriggeringPolicy schedule="0 0 0 * * ?"/>
    			</Policies>				
    		</RollingFile >				
    						
    
    	</Appenders>
    
    	<Loggers>
    		<!-- Hibernate loggers -->
    		<Logger name="org.hibernate" additivity="false" level ="error">			
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.hql.ast.AST" additivity="false" level ="error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.SQL" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.type" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.tool.hbm2ddl" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.hql" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.cache" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.transaction" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="org.hibernate.jdbc" additivity="false" level = "error" >
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Hibernate: Treecache logger -->
    		<Logger name="org.jgroups.JChannelFactory" additivity="false" level = "error">
    			<AppenderRef  ref="hibernateDefault" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Metrics logger -->
    		<Logger name="com.beetext.flow2.metrics" additivity="false" level = "INFO">
    			<AppenderRef  ref="metrics" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- External Web Service logger --> 
    		<Logger name="com.beetext.flow2.util.RequestUtil$ExternalWebServiceNotificationRunnable" additivity="false" level = "DEBUG"> 			
    			<AppenderRef  ref="externalWebService" /> 
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<Logger name="com.beetext.flow2.external.ws.externalSystem"	additivity="false" level = "DEBUG">
    			<AppenderRef  ref="externalWebService" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Sessions logger -->
    		<Logger
    			name="com.beetext.flow2.service.usagelog.SessionLogManager" additivity="false" level = "DEBUG">
    			<AppenderRef  ref="sessionLog" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- System Settings logger -->
    		<Logger name="com.beetext.flow2.util.FlowSystemSettingsLog" additivity="false" level = "DEBUG">
    			<AppenderRef  ref="systemSettingsLog" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Flow API logger -->
    		<Logger name="com.beetext.flow2.external.ws.FlowRequest" additivity="false" level = "ERROR">
    			<AppenderRef  ref="flowApiLog" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Flow external REST API -->
    		<Logger name="com.beetext.flow2.servlet.restexternal" additivity="false" level = "ERROR">
    			<AppenderRef  ref="flowApiLog" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- C3P0 logger -->
    		<Logger name="com.mchange" additivity="false" level = "INFO">
    			<AppenderRef  ref="c3p0Log" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Access / Load Time logger -->
    		<Logger name="com.beetext.flow2.metrics.usage.UsageMonitor" additivity="false" level ="INFO">
    			<AppenderRef  ref="loadTimeLogAsync" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!-- Unit / Integration tests logger -->
    		<Logger name="com.beetext.flow2.test.IntegrationTestSuite" additivity="false" level = "INFO">
    			<AppenderRef  ref="stdout" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Logger>
    		
    		<!--  Swagger -->
    		<Logger name="io.swagger" additivity="true" level = "info">
    			<AppenderRef  ref="stdout" />
    		</Logger>
    		
    		<!-- Reflections -->
    		<Logger name="org.reflections" additivity="true" level = "info">
    			<AppenderRef  ref="stdout" />
    		</Logger>			
    
        	<Logger name = "com.beetext.flow2.util.FlowMailLog" additivity="true" level="INFO">
            		<AppenderRef ref ="FlowMailLogAppender" />
            		<AppenderRef  ref="FlowAllLogAppender" />
        	</Logger>
        	<Logger name = "com.beetext.flow2.servlet.rest.sigma" additivity="true" level="DEBUG">
            		<AppenderRef ref ="SIGMALogAppender" />
    				<AppenderRef ref ="SIGMALogAppenderQA" />
        	</Logger>
        	<Logger name = "com.beetext.flow2.api.java.service.sigma" additivity="true" level="DEBUG">
            		<AppenderRef ref ="SIGMALogAppender" />
    				<AppenderRef ref ="SIGMALogAppenderQA" />
    
        	</Logger>
        	<Logger name = "com.beetext.flow2.external.client.rest.sigma" additivity="true" level="DEBUG">
            		<AppenderRef ref ="SIGMALogAppender" />
    				<AppenderRef ref ="SIGMALogAppenderQA" />
        	</Logger>
        	
        	<Logger name = "com.beetext.flow2.data.sigma" additivity="true" level="DEBUG">
            		<AppenderRef ref ="SIGMALogAppender" />
    				<AppenderRef ref ="SIGMALogAppenderQA" />
        	</Logger>
    
    		<!-- Standard out logger -->
    		<Root level = "INFO">
    			<AppenderRef  ref="stdout" />
    			<AppenderRef  ref="FlowLogAppender" />
    			<AppenderRef  ref="FlowAllLogAppender" />
    		</Root>
    	</Loggers>
    </Configuration>
    
  4. Run the service_remove.bat file at C:\Program Files\Donnelley\MultiTrans Flow 64\ as administrator.
  5. Run the previously edited service_install.bat at C:\Program Files\Donnelley\MultiTrans Flow 64\ as administrator.
  6. Start the MultiTrans Flow service.

You can validate that the above steps were successful by monitoring the log file at C:\Program Files\Donnelley\MultiTrans Flow 64\runtime\logs\error.log. The following will appear:

INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true

This configuration change will be added by default to the January release of MultiTrans 7.0; following that release, MultiTrans will not be susceptible to this exploit. The Java framework in MultiTrans will also be upgraded in the January release for security purposes.

The Log4j library will be updated in a future release of MultiTrans, following a full investigation of the ramifications of this upgrade.

We apologize for any inconvenience this may cause.

The MultiTrans Product Team



Added the bat File names
[edited by: Djamil Bouchentouf at 7:23 AM (GMT 0) on 14 Dec 2021]
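
The checks below are an added PowerShell example, not part of the notice and not RWS code. They confirm that the JVM option from step 2 appears in a file's lines (service_install.bat or error.log) and list any layout pattern in a Log4j 2 XML config whose message converter lacks `{nolookups}`, the option name Log4j's message converter recognises. The function names and the sample config are constructed for illustration.

```powershell
# Added example, not RWS code. Function names and the sample config are constructed.
function Test-JvmFlag {
    # True when any line (service_install.bat or error.log) carries the option from step 2.
    param(
        [string[]]$Lines,
        [string]$Flag = '-Dlog4j2.formatMsgNoLookups=true'
    )
    [bool]($Lines | Where-Object { $_.Contains($Flag) })
}

function Get-UnprotectedPattern {
    # Emits one object per message converter (%m, %msg, %message) that lacks {nolookups}.
    # Inspects <Pattern>/<pattern> child elements, the form used in the notice's config;
    # a pattern written as a PatternLayout attribute is not inspected.
    param([xml]$Config)
    $xpath     = "//*[translate(local-name(),'PATERN','patern')='pattern']"
    $converter = '%[-.\d]*(?:message|msg|m)(?![A-Za-z])((?:\{[^}]*\})*)'
    foreach ($node in $Config.SelectNodes($xpath)) {
        foreach ($hit in [regex]::Matches($node.InnerText, $converter)) {
            if ($hit.Groups[1].Value -notmatch '\{nolookups\}') {
                [pscustomobject]@{
                    Appender  = $node.ParentNode.ParentNode.GetAttribute('name')
                    Converter = $hit.Value
                    Pattern   = $node.InnerText.Trim()
                }
            }
        }
    }
}

# Constructed sample: the first appender is protected, the second is not.
$sample = @'
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout><Pattern>%d{ABSOLUTE} [%5p] (%F:%L) - %m{nolookups}%n</Pattern></PatternLayout>
    </Console>
    <RollingFile name="metrics" fileName="logs/Metrics.log" filePattern="logs/Metrics-%d{yyyy-MM-dd}.log.gz">
      <PatternLayout><Pattern>%d{yyyy/MM/dd HH:mm:ss.SSS},%m%n</Pattern></PatternLayout>
    </RollingFile>
  </Appenders>
</Configuration>
'@
Get-UnprotectedPattern -Config $sample | Format-Table -AutoSize

# The validation line quoted in the notice, as it would be read from error.log.
Test-JvmFlag -Lines @('INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true')
```

On the server, pass real content instead of the samples: `Get-Content -Raw` on the copied config file for `Get-UnprotectedPattern`, and `Get-Content` on service_install.bat or runtime\logs\error.log for `Test-JvmFlag`.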