2

Log4J Remedies

As described in the previous blog on this subject, All versions of Pyramid do not contain the Log4J component with the critical vulnerability. However, there are some JDBC drivers that do have the issue.

The following explains how we have mitigated the problems based on the latest component versions from the relevant vendors.

Pyramid

2020.20 / 2020.21

In 2020.22, Pyramid has replaced the old Log4J with version 2.17.0 - the most up-to-date, and issue free version available. The 5 affected JDBC drivers with Log4J problems are mitigated as follows:

  • Apache Hive: takes the Log4J library used in the main application (so its 2.17.0)
  • Apache Drill: takes the Log4J library used in the main application (so its 2.17.0)
  • Neo4J: takes the Log4J library used in the main application (so its 2.17.0)
  • Apache/Cloudera Impala: Pyramid has removed the offending code from the JDBC JAR file. This is included in the upgrade installation.
  • Apache Spark: Pyramid has removed the offending code from the JDBC JAR file. This is included in the upgrade installation.

Bottom Line: Upgrade 2020.20 and 2020.21 to 2020.22.

2020.18

For those customers that are still operating 2020.18, the Log4J is an older version (1.x) that does not have the critical vulnerability. The 3 affected JDBC drivers with Log4J problems are mitigated as follows:

  • Apache Hive: takes the Log4J library used in the main application (so its 1.x)
  • Apache Drill: takes the Log4J library used in the main application (so its 1.x)
  • Apache/Cloudera Impala: Pyramid has removed the offending code from the JDBC JAR file. Admins need to manually switch out the problematic JDBC JAR files. Instructions are provided below.

Log4J 1.x has other issues (although not graded critical). The latest Log4J version addresses these older problems. 

Bottom Line: Change the Impala JDBC drivers in 2020.18. Alternatively, upgrade the entire version to 2020.22.

Replacing The Impala JDBC JAR files

  • Log into to each machine hosting Pyramid.
  • Stop all services
    • For Windows: use the Services Manager
    • For Linux: in a terminal run:
      • sudo systemctl stop {service name}
      • Service names to shut down (in this order) are: pyramidAgent, pyramidFs, pyramidRTE, pyramidTE, pyramidAI, pyramidWeb, pyramidRTR
  • Go to the installation folder, find the "LIB" sub directory and replace the Impala JAR file with the version found here. (Unzip it first).
  • Restart all services
    • For Linux:
    • sudo systemctl start {service name}

2020.17 or older

For those customers that are still operating 2020.17 or older, the Log4J is an older version (1.x) that does not have the critical vulnerability. The 3 affected JDBC drivers (in 2020.17) with Log4J problems are mitigated as follows:

  • Apache Hive: takes the Log4J library used in the main application  (so its 1.x)
  • Apache Drill: takes the Log4J library used in the main application  (so its 1.x)
  • Apache/Cloudera Impala: the included Log4J library is old and does not have the vulnerability.

Log4J 1.x has other issues (although not graded critical). The latest Log4J version addresses these older problems. 

Bottom Line: Do nothing or upgrade the entire version to 2020.22.

Kubernetes

Due to the complexity of manually tweaking Kubernetes containers, the right remedy for Kubernetes deployments is to upgrade the deployment to version 2020.22.

Pulse

Pulse, like the main Pyramid application, contains the same issues as described above. The remedies are identical:

  • 2020.20/21 - upgrade to 2020.22, to get the latest Log4J and JDBC driver fixes
  • 2020.18 - the main Log4J does not have the vulnerability. So manually switch out the Impala driver (link provided above). Alternatively upgrade.
  • 2020.17 and earlier versions - do nothing or upgrade.

If you  would like any other guidance, please contact support.

2 replies

null
    • Kim_Jamia
    • 2 yrs ago
    • Reported - view

    Log4J 2.17.0 is affected by CVE-2021-44832 which also enables remote code execution but requires the attacker to be able to modify a configuration file so it's not as serious as the previous vulnerability. Nonetheless, Log4J should be updated to 2.17.1.

    • "making the sophisticated simple"
    • AviPerez
    • 2 yrs ago
    • Reported - view

    The updates for Log4J are coming out almost daily. The current RCE issue is not critical. 

    Pyramid will issue updates for these problems as part of the normal service pack cycle unless the vulnerabilities are considered critical (score over 9).