Jump to: navigation, search

Known Issues and Limitations

Details of Workbench 9 Known Issues and Limitations can also be found on the Genesys Customer Care Portal via Release Notes


CVE-2022-22965 vulnerability


  • Workbench 9.x is deemed to be not impacted by the CVE-2022-22965 vulnerability.

Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-44228 vulnerability

Important
  • The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured


This page relates to the Genesys Advisory detailed here: https://genesyspartner.force.com/customercare/kA91T000000bltb

Please follow the mitigation steps below in addition to the guidance in the Genesys Advisory above.

Workbench 9.x.xxx.xx (i.e. all WB versions) and Anomaly Detection (AD) 9.2.000.00


  • First stop ALL Workbench Services

Workbench IO (Karaf)


Step 1

Remove (i.e. with a shell command or with a tool such as 7Zip) the JndiLookup class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/Karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.4/ pax-logging-log4j2-* org/apache/logging/log4j/core/lookup/JndiLookup.class

Step 2

  • With the Workbench IO Service stopped, locate the file <WORKBENCH_INSTALL_DIRECTORY>\Karaf\etc\org.apache.karaf.features.cfg
  • Edit the file:
  1. Look for the property featuresBoot and uncomment it by removing “#” in the front
  2. In addition, uncomment the following lines associated with this property by removing “#” in the front (about 25-30 lines)
  3. Save the file changes
  • Locate the folder <WORKBENCH_INSTALL_DIRECTORY>\Karaf\data\cache and remove all the folders and files in it (generally of the form “bundle<n>” where n is a sequential number).

Workbench ZooKeeper


Remove (i.e. with a shell command or with a tool such as 7Zip) the JndiLookup class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/build/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class



Workbench Logstash


Remove (i.e. with a shell command or with a tool such as 7Zip) the JndiLookup class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/Logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Workbench Elasticsearch


Remove (i.e. with a shell command or with a tool such as 7Zip) the JndiLookup class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ElasticSearch/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Workbench Agent 9.x

Important
  • Perform the Workbench Agent 9.x changes below on ALL Workbench Hosts and ALL Anomaly Detection (AD) Hosts (if AD is installed)

Remove (i.e. with a shell command or with a tool such as 7Zip) the JndiLookup class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class



Workbench Kibana

Not impacted - no changes required.


Workbench Heartbeat

Not impacted - no changes required.


Workbench Metricbeat

Not impacted - no changes required.


Workbench Agent Remote (WAR)

Not impacted - no changes required.



  • Finally once the above changes are completed, start ALL Workbench Services

Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 1.2 CVE-2021-4104 and CVE-2019-17571 vulnerabilities

Important
  • The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured

Workbench 9.2.000.00

Workbench ZooKeeper


Remove (i.e. with a shell command or with a tool such as 7Zip) the JMSAppender class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class

Remove (i.e. with a shell command or with a tool such as 7Zip) the SocketServer class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class

Workbench 9.1.100.00

Workbench ZooKeeper


Remove (i.e. with a shell command or with a tool such as 7Zip) the JMSAppender class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class

Remove (i.e. with a shell command or with a tool such as 7Zip) the SocketServer class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class

Workbench Agent


Remove (i.e. with a shell command or with a tool such as 7Zip) the JMSAppender class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class

Remove (i.e. with a shell command or with a tool such as 7Zip) the SocketServer class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class

Workbench 9.1.000.00 and 9.0.x

Workbench ZooKeeper


Remove (i.e. with a shell command or with a tool such as 7Zip) the JMSAppender class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class

Remove (i.e. with a shell command or with a tool such as 7Zip) the SocketServer class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class

Workbench Agent


Remove (i.e. with a shell command or with a tool such as 7Zip) the JMSAppender class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class

Remove (i.e. with a shell command or with a tool such as 7Zip) the SocketServer class from the classpath - by executing the command:

  • zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class

Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-45105 vulnerability

Important
  • The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured

Following changes are required to remove the Context Lookup from Workbench IO (Karaf) for Workbench builds prior to 9.2.000.10:

  • Stop the Workbench IO (Karaf) Service(s)
  • In the file <WORKBENCH_INSTALLATION_FOLDER>/Karaf/etc/ org.ops4j.pax.logging.cfg
  • Comment out 17 lines after the line “# Sift – MDC routing” by inserting “#” at the beginning of the line.
  • Change 16MB to 128MB in the line “log4j2.appender.rolling.policies.size.size = 16MB”
  • Start the Workbench IO (Karaf) Service(s)

The effect of the above change is that we no longer have one log file per running bundle but have only one karaf.log that is rolled over as soon as it reached 128 MB in size.

This page was last edited on April 13, 2022, at 13:39.
blog comments powered by Disqus