Contents
- 1 Known Issues and Limitations
- 1.1 CVE-2022-22965 vulnerability
- 1.2 Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-44228 vulnerability
- 1.3 Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 1.2 CVE-2021-4104 and CVE-2019-17571 vulnerabilities
- 1.4 Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-45105 vulnerability
Known Issues and Limitations
Details of Workbench 9 Known Issues and Limitations can also be found in the Release Notes on the Genesys Customer Care Portal.
CVE-2022-22965 vulnerability
- Workbench 9.x is deemed to be not impacted by the CVE-2022-22965 vulnerability.
Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-44228 vulnerability
- The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured
This page relates to the Genesys Advisory detailed here: https://genesyspartner.force.com/customercare/kA91T000000bltb
Please follow the mitigation steps below in addition to the guidance in the Genesys Advisory above.
Workbench 9.x.xxx.xx (i.e. all WB versions) and Anomaly Detection (AD) 9.2.000.00
- First stop ALL Workbench Services
Workbench IO (Karaf)
Step 1
Remove the JndiLookup class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/Karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.4/pax-logging-log4j2-* org/apache/logging/log4j/core/lookup/JndiLookup.class
Step 2
- With the Workbench IO Service stopped, locate the file <WORKBENCH_INSTALL_DIRECTORY>\Karaf\etc\org.apache.karaf.features.cfg
- Edit the file:
- Look for the property featuresBoot and uncomment it by removing the leading “#”
- In addition, uncomment the lines that follow it and belong to this property by removing the leading “#” from each (about 25-30 lines)
- Save the file changes
- Locate the folder <WORKBENCH_INSTALL_DIRECTORY>\Karaf\data\cache and remove all the folders and files in it (generally of the form “bundle<n>” where n is a sequential number).
Workbench ZooKeeper
Remove the JndiLookup class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/build/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Workbench Logstash
Remove the JndiLookup class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/Logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Workbench Elasticsearch
Remove the JndiLookup class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ElasticSearch/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Workbench Agent 9.x
- Perform the Workbench Agent 9.x changes below on ALL Workbench Hosts and ALL Anomaly Detection (AD) Hosts (if AD is installed)
Remove the JndiLookup class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Workbench Kibana
Not impacted - no changes required.
Workbench Heartbeat
Not impacted - no changes required.
Workbench Metricbeat
Not impacted - no changes required.
Workbench Agent Remote (WAR)
Not impacted - no changes required.
- Finally, once the above changes are completed, start ALL Workbench Services
Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 1.2 CVE-2021-4104 and CVE-2019-17571 vulnerabilities
- The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured
Workbench 9.2.000.00
Workbench ZooKeeper
Remove the JMSAppender class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
Remove the SocketServer class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
Workbench 9.1.100.00
Workbench ZooKeeper
Remove the JMSAppender class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
Remove the SocketServer class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
Workbench Agent
Remove the JMSAppender class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
Remove the SocketServer class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
Workbench 9.1.000.00 and 9.0.x
Workbench ZooKeeper
Remove the JMSAppender class from the classpath, either with a tool such as 7Zip or by executing the commands:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
Remove the SocketServer class from the classpath, either with a tool such as 7Zip or by executing the commands:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/contrib/rest/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/ZooKeeper/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
Workbench Agent
Remove the JMSAppender class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/JMSAppender.class
Remove the SocketServer class from the classpath, either with a tool such as 7Zip or by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/lib/log4j-1.2* org/apache/log4j/net/SocketServer.class
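To confirm on a host that the class removals in this section and in the CVE-2021-44228 section above took effect, the following added example (not part of the Genesys documentation or tooling) walks an install directory and lists every jar that still contains JndiLookup, JMSAppender or SocketServer. The function names and the sample jar names are assumptions made for the illustration; run without an argument, it scans a constructed sample tree.

```python
import os
import sys
import tempfile
import zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1 = ["org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/net/SocketServer.class"]
# Jar-name prefixes taken from the page's zip -d commands -> entries that must be gone.
TARGETS = {"log4j-core-2.": [JNDI], "pax-logging-log4j2-": [JNDI], "log4j-1.2": LOG4J1}

def residual_classes(install_dir):
    """Return sorted (jar_path, entry) pairs the mitigation should have removed."""
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            wanted = [entry for prefix, entries in TARGETS.items()
                      if name.startswith(prefix) for entry in entries]
            if not wanted:
                continue
            path = os.path.join(root, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    present = set(jar.namelist())
            except zipfile.BadZipFile:
                # A jar damaged by an interrupted edit needs attention as well.
                findings.append((path, "UNREADABLE"))
                continue
            findings.extend((path, entry) for entry in wanted if entry in present)
    return sorted(findings)

def make_jar(path, entries):
    """Write a constructed sample jar holding empty placeholder entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")

def demo_tree():
    """Constructed sample tree: one unmitigated jar and one mitigated jar."""
    base = tempfile.mkdtemp(prefix="wb-sample-")
    make_jar(os.path.join(base, "ZooKeeper", "build", "lib", "log4j-core-2.sample.jar"),
             [JNDI, "org/sample/Keep.class"])
    make_jar(os.path.join(base, "WorkbenchAgent", "lib", "log4j-1.2.sample.jar"),
             ["org/sample/Keep.class"])
    return base

if __name__ == "__main__":
    for jar_path, entry in residual_classes(sys.argv[1] if len(sys.argv) > 1 else demo_tree()):
        print(f"{jar_path}: {entry}")
```

An empty result means none of the targeted jars under the directory still carries a class that the commands above delete.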
Workbench 9.0.x to 9.2.000.00 mitigations for the log4j 2.x CVE-2021-45105 vulnerability
- The Workbench 9.2.000.20 release (5th Jan 2022) provides the mitigations below already pre-configured
The following changes are required to remove the Context Lookup from Workbench IO (Karaf) for Workbench builds prior to 9.2.000.10:
- Stop the Workbench IO (Karaf) Service(s)
- Edit the file <WORKBENCH_INSTALLATION_FOLDER>/Karaf/etc/org.ops4j.pax.logging.cfg:
- Comment out the 17 lines after the line “# Sift – MDC routing” by inserting “#” at the beginning of each line.
- Change 16MB to 128MB in the line “log4j2.appender.rolling.policies.size.size = 16MB”
- Start the Workbench IO (Karaf) Service(s)
The effect of the above change is that there is no longer one log file per running bundle; instead there is a single karaf.log that is rolled over as soon as it reaches 128 MB in size.
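The two edits described above can be checked on each host once they are made. The following added example (not Genesys code) takes the text of org.ops4j.pax.logging.cfg and reports any of the 17 lines after the marker that are still active, any Context Lookup (${ctx:...}) left in an active setting, and a rolling size other than 128MB. The function name and the sample file contents are constructed for the illustration and are not the shipped file.

```python
import re

# The marker may be written with a hyphen or an en dash.
MARKER = re.compile(r"#\s*Sift\s*[-\u2013]\s*MDC routing")
SIZE_KEY = "log4j2.appender.rolling.policies.size.size"

# Constructed samples: the property lines below the marker are illustrative only.
SAMPLE_BEFORE = """\
log4j2.appender.rolling.policies.size.size = 16MB
# Sift - MDC routing
log4j2.appender.routing.type = Routing
log4j2.appender.routing.routes.pattern = ${ctx:bundle.name}
"""
SAMPLE_AFTER = """\
log4j2.appender.rolling.policies.size.size = 128MB
# Sift - MDC routing
#log4j2.appender.routing.type = Routing
#log4j2.appender.routing.routes.pattern = ${ctx:bundle.name}
"""

def check_pax_logging_cfg(text, commented_lines=17, expected_size="128MB"):
    """Return a list of problems; an empty list means both edits are in place."""
    problems = []
    lines = text.splitlines()
    # Active lines are non-blank lines that do not start with '#'.
    active = [(n, l.strip()) for n, l in enumerate(lines, 1)
              if l.strip() and not l.lstrip().startswith("#")]

    marker = next((n for n, l in enumerate(lines, 1) if MARKER.match(l.strip())), None)
    if marker is None:
        problems.append("marker line '# Sift - MDC routing' not found")
    else:
        problems += [f"line {n} after the marker is still active"
                     for n, _ in active if marker < n <= marker + commented_lines]

    # Context Lookup syntax is ${ctx:key}; none should remain in an active setting.
    problems += [f"line {n} uses a Context Lookup" for n, l in active if "ctx:" in l]

    sizes = [l.split("=", 1)[1].strip() for _, l in active
             if "=" in l and l.split("=", 1)[0].strip() == SIZE_KEY]
    if sizes != [expected_size]:
        problems.append(f"{SIZE_KEY} is {sizes or 'unset'}, expected {expected_size}")
    return problems

if __name__ == "__main__":
    for problem in check_pax_logging_cfg(SAMPLE_BEFORE):
        print(problem)
```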