There has been a lot of discussion around Log4j V2 due to the recently discovered security vulnerability (CVE-2021-44228).
Your usage of Nastel products is not impacted by this vulnerability in Log4j V2. We do not log information in the way that would be required to leverage the vulnerability.
As a follow-on to this, many customers have asked about our usage of Log4j V1, since that offering is at end-of-life. As noted above, our usage of Log4j is limited to logging data from the Nastel components and does not expose risks in usage.
However, to mitigate both of these concerns, we have defined the following plan to address our usage within the products.
- Nastel code that does not use Log4j
  - No changes are planned at this time.
- Nastel code that uses Log4j V2
  - These will be updated.
  - Components superseded by newer versions will not be updated.
- Nastel code that uses Log4j V1
  - We will review complete conversion in a future release as appropriate.
- In addition to Nastel code, we also include a number of 3rd-party offerings that use V1/V2.
  - Where applicable, we will update to versions or configurations that support, or are patched for, V2.
  - If the product supports it, we will use the Log4j bridge, if required.
  - If the 3rd-party software only supports V1, it may be necessary to remove it or configure it to prevent specific vulnerabilities, at a possible loss of function.
Note that there are methods to mitigate the specific vulnerability, such as setting the system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath.
- Current Nastel Navigator agents for MQ (also known as APWMQ) do not use Java and are not impacted by this vulnerability.
- Nastel Navigator: nsqcmkafka.jar and nsqcmace.jar in version 10.3.0 and above use Log4j V2; nsqcmems.jar and other components were updated to V2 in 10.4.0. An alternate GUI for apodwsm, navxwsm, is included with 10.4.0; apodwsm will therefore not be updated to Log4j V2, but it can be removed once navxwsm is in use.
- Nastel XRay: Apache Storm includes Log4j V2.8. If Storm is not being used, it can be removed completely. Otherwise, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- XRay Express/tnt4j-streams (all): Updated to use Log4j V2 and supports the Log4j bridge for 3rd-party components.
- No Nastel components using Log4j V1 are configured to use the JMS appender.
- The AutoPilot engine has been updated to use Log4j V2 with Service Update 33.
- Nastel components that depend on AutoPilot for logging have also been updated, including Navigator 10.4.1, XRay 1.4.1 and Scheduler 0.1.15, as well as several other related experts.
- For more details, see the Nastel AutoPilot M6 release notes for Service Update 33.
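As an added example (not Nastel's own code), the following Python checks whether the jars under a directory still contain the JndiLookup class named above and applies the same removal as the zip -q -d command, so the mitigation can be verified across an installation. It scans every .jar rather than only log4j-core-* because shaded jars can bundle the class too; the sample jar name and class bytes in demo() are constructed.

```python
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry removed by `zip -q -d`

def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (mitigation not applied)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as the advisory's
    `zip -q -d` command). Returns True if removed, False if already clean."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))  # keeps compression settings
    os.replace(tmp_path, jar_path)  # atomic swap, so no half-written jar is left behind
    return True

def scan_jars(root):
    """Map every .jar under root (shaded jars can bundle the class too) to whether it still has JndiLookup."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = has_jndi_lookup(path)
    return results

def demo():
    """Check, mitigate and re-check a constructed jar; returns (before, removed, after, entries)."""
    with tempfile.TemporaryDirectory() as lib_dir:
        jar = os.path.join(lib_dir, "log4j-core-2.8.jar")  # constructed sample, fake class bytes
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr(JNDI_LOOKUP, b"constructed")
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"constructed")
        before = scan_jars(lib_dir)[jar]
        removed = remove_jndi_lookup(jar)
        after = has_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as z:
            entries = z.namelist()
    return before, removed, after, entries
```

Removing the class works regardless of the Log4j 2 version in use, whereas the log4j2.formatMsgNoLookups property only exists from Log4j 2.10 onward, so scan_jars is the more reliable check on older bundled copies such as the 2.8 shipped with Storm.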