Welcome to the new Parasoft forums! We hope you will enjoy the site and try out some of the new features, like sharing an idea you may have for one of our products or following a category.
[Updated] Regarding log4j CVE-2021-44228 with DTP and Standalone License Server
Options
sang_parasoft
Posts: 26 admin
NIST recently released several Apache's log4j Zero-Day vulnerability cases, a very popular Java library to log messages in Java Applications.
CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- Parasoft products released this year (2021) include log4j 2.14.0 library. Parasoft confirms that these releases include vulnerability.
CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046)
- It has been confirmed that Parasoft products are not vulnerable as long as the default configuration provided with each release is in place
CVE-2021-45105 (https://nvd.nist.gov/vuln/detail/CVE-2021-45105)
- It has been confirmed that Parasoft products are not vulnerable as long as the default configuration provided with each release is in place
DTP and Standalone License Server versions impacted:
- 2021.1
- 2021.2
Any older releases include log4j 1.x which are **not **impacted by this vulnerability.
Updated Release for DTP and Standalone License Server
Updated DTP and Standalone License Server are now
(as of December 20, 2021) available on the Customer Portal Download page. Both include log4j 2.16.0 to address CVE-2021-44228.
- 2021.1.2
- 2021.2.3
Workaround Solution for DTP and Standalone License Server
DTP 2021.2, 2021.1 - Windows
- Edit
<DTP_INSTALL_DIR>\bin\variables text file - Add the following parameter -Dlog4j2.formatMsgNoLookups=true to both lines:
DTP_JAVA_OPTS=-Xms1024m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -Dlog4j2.formatMsgNoLookups=true -Djava.util.Arrays.useLegacyMergeSort=true -Dscontrol.ext.dir="!DTP_HOME!\plugins\scontrol" -DuseExternalLock=false -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 DC_JAVA_OPTS=-Xms1024m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -Dlog4j2.formatMsgNoLookups=true -Djava.util.Arrays.useLegacyMergeSort=true -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -DuseExternalLock=false -Dcom.parasoft.sdm.dc.build.details.to.keep=2
- Restart DTP server and Data Collector services
DTP 2021.2, 2021.1 - Linux
- Edit
<DTP_INSTALL_DIR>/bin/variables text file - Add the following parameter -Dlog4j2.formatMsgNoLookups=true to the line:
ENCODING_VARS=" -Dlog4j2.formatMsgNoLookups=true -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 "
- Restart DTP server and Data Collector services
Standalone License Server- Windows
- Edit
<LS_INSTALL_DIR>\app\setVars.bat text file - Add the following parameter -Dlog4j2.formatMsgNoLookups=true to the line below
set JAVA_OPTS=-Dsun.jnu.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 -Ddtp.datadir="%LSS_DATADIR%"
- Restart License Server
Standalone License Server- Linux
- Edit
<LS_INSTALL_DIR>/app/setVars.sh text file - Add the following parameter -Dlog4j2.formatMsgNoLookups=true to the line below
export JAVA_OPTS="-Dsun.jnu.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
- Restart License Server
0