On December 10, NIST published CVE-2021-44228 for the open-source Apache "Log4j" utility. On December 14, NIST published CVE-2021-45046 and CVE-2021-4104, followed by CVE-2021-45105 on December 17. Fortra is actively monitoring this issue, investigating the potential impact on our products, and assembling the appropriate mitigations.

While the Log4j zero-day vulnerability does not appear to affect all Java versions, our Development Team has issued a mitigation for Vityl IT & Business Monitoring. If you are a customer of this product, please follow the steps below.

Due to the severity of this issue, Fortra highly recommends applying this mitigation. 

Note: The mitigation steps apply only to Vityl IT and Business Monitoring v6.6 (currently the latest version).

Download

Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip

SHA512 of Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip c5ae83a4c28cfc473441bd954626a454a83963f3377cd32d50447ea359b272128e09e48a71768b48f496f3f374aafc23f193a866b1ff4a8211528fb9d0111621

You can verify it with the following command: certUtil -hashfile Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip SHA512

Mitigation steps for Vityl IT and Business Monitoring v6.6:

1. Stop the following Windows services:

  • Fortra - Orchestrator IDX
  • Fortra - ThinkServer Java System i Server
  • Fortra - ThinkServer JMXServer JSR
  • Fortra - ThinkServer JMXServer WAS

2. Locate the IDXServiceWrapperConfig.xml file in the \Orchestrator\Orchestrator Engine\Idx folder, which is located in the installation folder. Typically, the installation folder is Help Systems.

Example: C:\Program Files (x86)\Help Systems\Orchestrator\Orchestrator Engine\Idx

2.1 Edit IDXServiceWrapperConfig.xml and:

  • replace "log4j-core-2.14.1.jar" and/or "log4j-core-2.15.0.jar" with "log4j-core-2.17.0.jar" (included in the Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip)
  • replace "log4j-api-2.14.1.jar" and/or "log4j-api-2.15.0.jar" with "log4j-api-2.17.0.jar" (included in the Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip)

2.2 Locate \Orchestrator\Orchestrator Engine\Idx\lib and: 

  • Delete files log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, log4j-core-2.15.0.jar and log4j-api-2.15.0.jar
  • Copy the following files from Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip:
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • LICENSElog4j-2.17.0.txt

3. Locate the JiSSServiceWrapperConfig.xml file in the \ThinkServer\Java System i Server\conf folder, which is located in the installation folder. Typically, the installation folder is Help Systems.

Example: C:\Program Files (x86)\Help Systems\ThinkServer\Java System i Server\conf

3.1 Edit JiSSServiceWrapperConfig.xml and:

  • replace "log4j-core-2.14.1.jar" and/or "log4j-core-2.15.0.jar" with "log4j-core-2.17.0.jar"
  • replace "log4j-api-2.14.1.jar" and/or "log4j-api-2.15.0.jar" with "log4j-api-2.17.0.jar"

3.2 Locate \ThinkServer\Java System i Server\lib and:

  • Delete files log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, log4j-core-2.15.0.jar and log4j-api-2.15.0.jar
  • Copy the following files from Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip:
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • LICENSElog4j-2.17.0.txt

4. Locate the wrapperJSR.xml and wrapperWAS.xml files in the \ThinkServer\JMXServer\conf folder, which is located in the installation folder. Typically, the installation folder is Help Systems.

Example: C:\Program Files (x86)\Help Systems\ThinkServer\JMXServer\conf

4.1 Edit both files (wrapperJSR.xml & wrapperWAS.xml) and:

  • replace text "log4j-core-2.14.1.jar" and/or "log4j-core-2.15.0.jar" with "log4j-core-2.17.0.jar"
  • replace text "log4j-api-2.14.1.jar" and/or "log4j-api-2.15.0.jar" with "log4j-api-2.17.0.jar"

4.2 Locate \ThinkServer\JMXServer\lib and:

  • Delete files log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, log4j-core-2.15.0.jar and log4j-api-2.15.0.jar
  • Copy the following files from Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip:
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • LICENSElog4j-2.17.0.txt

5. Start the following Windows services:

  • Fortra - Orchestrator IDX
  • Fortra - ThinkServer Java System i Server
  • Fortra - ThinkServer JMXServer JSR
  • Fortra - ThinkServer JMXServer WAS
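
A read-only check that steps 1 to 5 were applied to every component, written in PowerShell as an added example (it is not a Fortra script). It assumes the typical installation folder from the examples above and that the patch archive is in the current directory; the parameter names -InstallRoot and -PatchZip are hypothetical and introduced here.

```powershell
# Added example, not vendor code. Default paths are assumptions taken from the article's examples.
param(
    [string]$InstallRoot = 'C:\Program Files (x86)\Help Systems',
    [string]$PatchZip    = '.\Vityl_log4j2.17_CVE-2021-44228_CVE-2021-45046_CVE-2021-45105_Patch.zip'
)
$expectedSha512 = 'c5ae83a4c28cfc473441bd954626a454a83963f3377cd32d50447ea359b272128e09e48a71768b48f496f3f374aafc23f193a866b1ff4a8211528fb9d0111621'
$oldVersions = '2.14.1', '2.15.0'
$configs = @(
    'Orchestrator\Orchestrator Engine\Idx\IDXServiceWrapperConfig.xml',
    'ThinkServer\Java System i Server\conf\JiSSServiceWrapperConfig.xml',
    'ThinkServer\JMXServer\conf\wrapperJSR.xml',
    'ThinkServer\JMXServer\conf\wrapperWAS.xml'
)
$libDirs = @(
    'Orchestrator\Orchestrator Engine\Idx\lib',
    'ThinkServer\Java System i Server\lib',
    'ThinkServer\JMXServer\lib'
)
$problems = @()
# 1. Patch archive integrity: same digest as certUtil, compared automatically (case-insensitive).
if (Test-Path -LiteralPath $PatchZip) {
    $actual = (Get-FileHash -LiteralPath $PatchZip -Algorithm SHA512).Hash
    if ($actual -ne $expectedSha512) { $problems += "SHA512 mismatch for $PatchZip" }
} else { $problems += "Patch archive not found: $PatchZip" }
# 2. Wrapper configs: no reference to 2.14.1/2.15.0 jars, and the 2.17.0 jars are referenced.
foreach ($rel in $configs) {
    $path = Join-Path $InstallRoot $rel
    if (-not (Test-Path -LiteralPath $path)) { $problems += "Config not found: $path"; continue }
    $text = [string](Get-Content -LiteralPath $path -Raw)   # cast so an empty file becomes ''
    foreach ($kind in 'core', 'api') {
        foreach ($v in $oldVersions) {
            if ($text -like "*log4j-${kind}-${v}.jar*") { $problems += "$path still references log4j-${kind}-${v}.jar" }
        }
        if ($text -notlike "*log4j-${kind}-2.17.0.jar*") { $problems += "$path does not reference log4j-${kind}-2.17.0.jar" }
    }
}
# 3. lib folders: old jars deleted, 2.17.0 jars copied in.
foreach ($rel in $libDirs) {
    $dir = Join-Path $InstallRoot $rel
    foreach ($kind in 'core', 'api') {
        foreach ($v in $oldVersions) {
            if (Test-Path -LiteralPath (Join-Path $dir "log4j-${kind}-${v}.jar")) { $problems += "$dir still contains log4j-${kind}-${v}.jar" }
        }
        if (-not (Test-Path -LiteralPath (Join-Path $dir "log4j-${kind}-2.17.0.jar"))) { $problems += "$dir is missing log4j-${kind}-2.17.0.jar" }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Log4j 2.17.0 mitigation verified for all three components.'
```

The script changes nothing on disk; a non-zero exit code means at least one config or lib folder still needs attention.
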
Still have questions? We can help. Submit a case to technical support
