
2021-12-10

Apache Tomcat with log4j: Workaround to address CVE-2021-44228 in Tomcat Application Server

Product: Tomcat Application Server
Version: All versions
URL: https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

Apache log4j has a new vulnerability, CVE-2021-44228, announced yesterday, which allows remote code execution through LDAP lookups performed on log messages.

BleepingComputer.com reported that an existing Apache Log4j installation can be protected with the Java startup parameter "-Dlog4j2.formatMsgNoLookups=true". This post shows how to configure the Tomcat Application Server Windows Service to start up with this additional Java startup parameter.

Procedure

1. Run "cmd" to launch a Command Prompt

2. For each Tomcat instance on the machine, cd to its bin directory, e.g.
cd "D:\SAP\SAP BusinessObjects\tomcat\bin"

3. Type "services.msc" and look for the Tomcat service name on the "Services" screen. You need to know its instance name to modify it later

4. The Tomcat instance name is BOEXI40Tomcat in my env

5. Open the Tomcat Windows Service editor screen to modify this Windows Service configuration

tomcat9w //ES/BOEXI40Tomcat

6. You will see the following editor screen. If you don't, go back to Step 3 to ensure you are specifying the correct Tomcat instance name


7. Click on the "Java" tab and you should see a text box labeled "Java Options"


8. Scroll to the bottom and add -Dlog4j2.formatMsgNoLookups=true


9. Click on the OK button to save and close it

10. Restart the Tomcat application server
10.1. Stop Tomcat: D:\SAP\SAP BusinessObjects\tomcat\bin>runas /user:administrator "net stop BOEXI40Tomcat"

Enter the password for administrator:

Attempting to start net stop BOEXI40Tomcat as user "win2019-tester1\administrator" ...

10.2. Start Tomcat: D:\SAP\SAP BusinessObjects\tomcat\bin>runas /user:administrator "net start BOEXI40Tomcat"

Enter the password for administrator:

Attempting to start net start BOEXI40Tomcat as user "win2019-tester1\administrator" ...

11. Verify the Java parameter is present by inspecting the running tomcat9.exe process. For this execution, the process ID (PID) is 10312 (from Task Manager)

D:\SAP\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>runas /user:administrator "jinfo 10312"
Attaching to process ID 10312, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 8.1.061 10.0.2+000
Java System Properties:

java.vendor = SAP AG
org.apache.xml.security.ignoreLineBreaks = true
catalina.base = D:\SAP\SAP BusinessObjects\tomcat
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
catalina.useNaming = true
........
...cut...
........

VM Flags:
Non-default VM flags: -XX:CICompilerCount=2 -XX:CoreDumpType=null -XX:+EnableDebuggingOnDemand -XX:+HeapDumpOnOutOfMemoryError -XX:InitialHeapSize=268435456 -XX:MaxHeapSize=1073741824 -XX:MaxMetaspaceSize=402653184 -XX:MaxNewSize=357564416 -XX:MaxVMs=1 -XX:MinHeapDeltaBytes=524288 -XX:NewSize=89128960 -XX:NonNMethodCodeHeapSize=5828300 -XX:NonProfiledCodeHeapSize=131303578 -XX:OldSize=179306496 -XX:+PrintGCDetails -XX:-PrintGCID -XX:+PrintOldStyleGC -XX:+PrintOldStyleGCDetails -XX:ProfiledCodeHeapSize=131303578 -XX:+ReduceSignalUsage -XX:+SegmentedCodeCache -XX:ThreadStackSize=1024 -XX:-UseAOT -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:-UseLargePagesIndividualAllocation -XX:+UseParallelOldGC -XX:-UseSharedSessionStore

Command line:  -Dcatalina.home=D:\SAP\SAP BusinessObjects\tomcat -Dcatalina.base=D:\SAP\SAP BusinessObjects\tomcat -Xrs -XX:MaxMetaspaceSize=384M -Djava.awt.headless=true -XX:+HeapDumpOnOutOfMemoryError -Xloggc:D:\SAP\SAP BusinessObjects\tomcat\logs\tomcat.gc.log -XX:+PrintGCDetails -XX:+UseParallelOldGC -Xloggc:d:\SAP\SAP BusinessObjects\tomcat\logs\tomcat.gc.log -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true exit abort -Xms256m -Xmx1024m -Xss1024k

12. Done. The new setting is active. Test with a vulnerability scanner to confirm, and fully test the application functionality before deploying to the PROD environment
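Step 11 reads the jinfo output by eye; the following script is an added helper, not part of the original post, that does the same check mechanically on the text printed by `jinfo <pid>`. It prefers the "Java System Properties" listing (the effective value) and falls back to the "Command line" entry, where the last -D occurrence wins; the sample input is constructed from the abbreviated output above. Note that this property is only honoured by log4j 2.10 and later, so the check should be paired with a check of the deployed log4j version.

```python
"""Added check for step 11: does a running JVM have log4j2.formatMsgNoLookups=true in effect?
Feed it the text printed by `jinfo <pid>`; the sample is constructed from this post's output."""
import re

PROPERTY = "log4j2.formatMsgNoLookups"

# Constructed sample: abbreviated jinfo output with the flag present on the command line.
SAMPLE_JINFO = """Java System Properties:

java.vendor = SAP AG
catalina.base = D:\\SAP\\SAP BusinessObjects\\tomcat

VM Flags:
Non-default VM flags: -XX:+UseParallelOldGC -XX:MaxHeapSize=1073741824

Command line:  -Dcatalina.base=D:\\SAP\\SAP BusinessObjects\\tomcat -Xrs -Dlog4j2.formatMsgNoLookups=true -Xms256m
"""

def parse_jinfo(text):
    """Return (system properties dict, JVM command line string) parsed from jinfo output."""
    props, cmdline, in_props = {}, "", False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Java System Properties:"):
            in_props = True
        elif line.startswith("VM Flags:"):
            in_props = False
        elif line.startswith("Command line:"):
            cmdline, in_props = line.partition(":")[2].strip(), False
        elif in_props and " = " in line:
            key, _, value = line.partition(" = ")
            props[key.strip()] = value.strip()
    return props, cmdline

def cmdline_property(cmdline, name):
    """Value of -Dname=... on the JVM command line (last occurrence wins); None if absent."""
    value = None
    for m in re.finditer(r"-D" + re.escape(name) + r"(?:=(\S*)|(?=\s|$))", cmdline):
        value = m.group(1) or ""  # a bare -Dname sets the property to an empty string
    return value

def lookups_disabled(text):
    """True only when log4j2.formatMsgNoLookups resolves to 'true' for this JVM."""
    props, cmdline = parse_jinfo(text)
    # The property listing shows the effective value; fall back to the command line when
    # the listing was truncated (as in the post above) and the property is not in it.
    value = props.get(PROPERTY)
    if value is None:
        value = cmdline_property(cmdline, PROPERTY)
    return value is not None and value.lower() == "true"
```

Save the jinfo output to a file and call `lookups_disabled(open(path).read())`; a False result means the service is still starting without the parameter and steps 7 to 10 need to be repeated for that instance.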
