Mitigating Log4J 2 Vulnerability CVE 2021 44228

December 13, 2021

Uday Shankar


important

WMO (WaveMaker Online) Users

Updated on 24-Jan-2022

WaveMaker has released 10.11.1 on 24 Jan 2021, updating Log4j2 dependency, which mitigates against the vulnerability CVE-2021-44832. For more information about the release, see WaveMaker 10.11.1.

  • Log4j2 upgraded to 2.17.1

Updated on 23-Dec-2021

WMO (WaveMaker Online) has released 10.10.3 on 23 Dec 2021, updating Log4j2 dependency, which mitigates against the vulnerability CVE-2021-45105. For more information about the release, see WaveMaker 10.10.3.

  • Log4j2 upgraded to 2.17.0

Updated on 16-Dec-2021

WMO (WaveMaker Online) has released 10.10.2 on 16 Dec 2021, updating Spring and Log4j2 dependencies, which mitigates against vulnerabilities CVE-2021-44228 and CVE-2021-22096. For more information about the release, see WaveMaker 10.10.2.

  • Log4j2 upgraded to 2.16.0
  • Spring Framework upgraded to 5.3.13

Action items

  1. If you are a WaveMaker Online (WMO) user and have already mitigated the risk by adding Log4j2 2.15.0, 2.16.0 or 2.17.0 dependencies, you need to undo those changes in the <dependencies> section of pom.xml.

  2. Also, there is no need to set the System property or Environment variable in the deployment section if you redeploy with the latest project build.

caution

WME (WaveMaker Enterprise) Users

WaveMaker Enterprise users should continue to follow the risk mitigation provided in this blog.

A zero-day vulnerability is an unintentional software security flaw in an application that becomes known before a fix is available, and therefore poses a zero-day threat.

A new zero-day vulnerability was reported in the Log4j2 library on 9th Dec 2021, affecting library versions >=2.0-beta9 and <=2.14. It can allow an attacker to execute code remotely. Log4j provided the fix by releasing version 2.15.0 on the same day, and has since released the newer 2.17.0 version, which is available for production now. For more information, see the LOG4J changes report.

Is WaveMaker Application Affected?

WaveMaker applications that depend on Log4j2 2.14.1 (WM 10.10.1) or lower versions are at risk of the zero-day vulnerability.

Risk Mitigation

There are two ways to mitigate the risk before the planned hotfix release.

Maven: Upgrade the Log4j2 Version Manually

Add the latest version of Log4j2 2.17.0 dependencies in the <dependencies> section, and NOT under the <dependencyManagement> section in your project's pom.xml file.

note

Since this mitigation needs a change in the project, the application must be rebuilt and redeployed.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
</dependency>

System Properties: Disable Lookups in Log4j2

Set either the System Property log4j2.formatMsgNoLookups or the Environment Variable LOG4J_FORMAT_MSG_NO_LOOKUPS to True. This mitigation does not need the war file to be rebuilt: set one of the above-mentioned properties on Tomcat, or on whichever web application server runs the WaveMaker application, and restart it.

note

This mitigation is required in the runtime environment; therefore, there is no need to rebuild the application. Restarting the Tomcat or Web server would be enough.

Examples for Apache Tomcat

Make the following changes to set the System property or the System environment variable.

Unix and Mac Systems

Add one of the following lines to the setenv.sh file in the Tomcat bin folder.

  1. The following adds a System property.

export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

  2. The following adds an Environment variable.

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Windows System

Add one of the following lines to the setenv.bat file in the Tomcat bin folder.

  1. The following adds a System property (the quotes wrap the whole assignment so they are not stored in the value).

set "JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true"

  2. The following adds an Environment variable.

set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
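To confirm that one of the two mitigations above is actually in place on a deployed Tomcat, here is an added POSIX shell check that is not part of the WaveMaker post: it reads the log4j-core version from the exploded WAR's WEB-INF/lib and inspects the JAVA_OPTS string and the LOG4J_FORMAT_MSG_NO_LOOKUPS value you pass in. The required version 2.17.0 follows the post; the lib directory path and jar names are assumptions you supply when calling it.

```shell
#!/bin/sh
# Added example, not part of the WaveMaker post: check an exploded WaveMaker WAR
# (WEB-INF/lib) and the Tomcat start-up settings against the two mitigations above.
# REQUIRED_VERSION follows the post's recommended 2.17.0; the lib path, JAVA_OPTS
# string and jar names used when you call these functions are yours to supply.
REQUIRED_VERSION=2.17.0

# version_ge A B: exit 0 when dotted version A >= B (a "-beta9" suffix counts as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i in x) ? x[i] + 0 : 0
      q = (i in y) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# log4j_core_version LIBDIR: print the version from log4j-core-<ver>.jar, or fail.
log4j_core_version() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || return 1
    v=${jar##*/log4j-core-}
    printf '%s\n' "${v%.jar}"
    return 0
  done
}

# log4shell_status LIBDIR JAVA_OPTS ENV_VALUE: 0 = mitigated, 1 = at risk.
# JAVA_OPTS is the string from setenv.sh; ENV_VALUE is $LOG4J_FORMAT_MSG_NO_LOOKUPS.
log4shell_status() {
  v=$(log4j_core_version "$1") || { echo "no log4j-core jar in $1"; return 0; }
  if version_ge "$v" "$REQUIRED_VERSION"; then
    echo "log4j-core $v: upgraded, vulnerability fixed"; return 0
  fi
  case " $2 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*)
      echo "log4j-core $v: lookups disabled via System property"; return 0 ;;
  esac
  if [ "$3" = "true" ]; then
    echo "log4j-core $v: lookups disabled via LOG4J_FORMAT_MSG_NO_LOOKUPS"; return 0
  fi
  echo "log4j-core $v: AT RISK of CVE-2021-44228, upgrade or disable lookups"
  return 1
}
```

Run it as `log4shell_status /path/to/webapps/app/WEB-INF/lib "$JAVA_OPTS" "$LOG4J_FORMAT_MSG_NO_LOOKUPS"` on the Tomcat host; a non-zero exit means neither mitigation is present.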

WaveMaker Log4j2 Vulnerability Releases

  • WaveMaker v10.10.3
  • WaveMaker v10.10.2
