
Log4j2 critical vulnerability – Archibus Web Central 25.2 and above

by | Dec 29, 2021 | ARCHIBUS

**IMPORTANT UPDATE**
Today a fourth notice was released regarding the Log4j vulnerability (CVE-2021-44832, fixed in Log4j 2.17.1). As a result, we have updated our instructions to require updating to version 2.17.1 rather than version 2.16 or 2.15 as reported earlier.

We were recently notified of a newly discovered zero-day vulnerability in Log4j, a logging component used by many popular Java applications. It can be exploited to achieve remote code execution on servers in Cloud/SaaS, Hosted and On-premise environments. Internet-facing servers are the most urgent, but any server that logs attacker-controlled input (for example, HTTP headers or form fields forwarded from another system) is also at risk, because the exploit only needs a crafted string to reach a log statement. Web Central version 25.2 and above ships an affected version of Log4j and is therefore exposed to this arbitrary code execution vulnerability. It is rated Critical (CVSS 10.0 for CVE-2021-44228) and the patch should be applied immediately, no later than the end of the week.

For information about this log4j vulnerability, please visit the latest reports:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 *NEW
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 *NEW
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228


The original vulnerability (CVE-2021-44228) affects web applications using Log4j2 versions 2.0-beta9 through 2.14.1. The follow-on CVEs extend the affected range to 2.15.0 (CVE-2021-45046), 2.16.0 (CVE-2021-45105) and 2.17.0 (CVE-2021-44832), which is why 2.17.1 is now the required version. According to Apache, only the org.apache.logging.log4j:log4j-core artifact is affected. However, we recommend replacing all three log4j libraries in the Archibus war (log4j-api, log4j-core and log4j-slf4j-impl) with matching 2.17.1 versions, since these artifacts are released together and should be kept at the same version. All Archibus SaaS environments have already been patched with the appropriate updated versions as described below.


This does not impact versions of Web Central 25.1 and below, but will impact all installations of Web Central 25.2 and above.
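To find out which installations actually need the update, the following PowerShell script (an added example, not part of the Robotech notice or of Archibus itself) walks a Tomcat install, reports every log4j jar below 2.17.1 and, for a log4j-core jar below that baseline, also says whether Apache's interim JndiLookup class-removal mitigation has been applied. The Tomcat root path is a placeholder taken from the steps below, and the jar naming pattern assumes the standard Apache artifact names (log4j-<module>-<version>.jar).

```powershell
# Added example (not from the original post): inventory log4j jars under a
# Tomcat install and flag anything below the 2.17.1 baseline.
# Assumption: $TomcatRoot is a placeholder path; adjust it to your install.
param(
    [string]$TomcatRoot = 'X:\Program Files\Apache Software Foundation\Tomcat 9.0'
)

$Fixed = [version]'2.17.1'

# Parse "log4j-core-2.14.1.jar" into module 'core' and version 2.14.1.
# Jars that do not follow the Apache naming pattern produce no output.
function Get-Log4jInfo {
    param([System.IO.FileInfo]$Jar)
    if ($Jar.Name -match '^log4j-(.+?)-(\d+\.\d+\.\d+)\.jar$') {
        [pscustomobject]@{
            Path    = $Jar.FullName
            Module  = $Matches[1]
            Version = [version]$Matches[2]
        }
    }
}

# Return $true if the jar still contains the JndiLookup class. Deleting it from
# log4j-core was Apache's stop-gap mitigation for 2.10 through 2.14.1.
function Test-JndiLookup {
    param([string]$JarPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        return [bool]($zip.Entries | Where-Object { $_.FullName -like '*/lookup/JndiLookup.class' })
    } finally {
        $zip.Dispose()
    }
}

$jars = Get-ChildItem -Path $TomcatRoot -Recurse -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Log4jInfo $_ }

if (-not $jars) {
    Write-Host "No log4j jars found under $TomcatRoot"
    exit 0
}

$needsUpdate = 0
foreach ($j in $jars) {
    if ($j.Version -ge $Fixed) {
        $status = 'OK'
    } else {
        $needsUpdate++
        $status = 'NEEDS UPDATE'
        # A mitigated core jar is less exposed but must still be replaced.
        if ($j.Module -eq 'core' -and -not (Test-JndiLookup $j.Path)) {
            $status = 'MITIGATED (JndiLookup removed), still update'
        }
    }
    Write-Host ("{0,-45} {1,-8} {2}" -f $status, $j.Version, $j.Path)
}

# Non-zero exit code when anything is below 2.17.1, so the script can be run
# across a fleet and the results collected by a wrapper.
exit $needsUpdate
```

Run it in an elevated PowerShell session on each Web Central server; an exit code of zero means every log4j jar found is already at 2.17.1 or later. Version 2.17.1 itself still contains JndiLookup.class (JNDI lookups are disabled by default there), so the class check is only reported for jars that are below the baseline.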

Updated Instructions:
Follow these steps to remediate this vulnerability:

  1. Stop Apache Tomcat Service
  2. Remove the “Catalina” folder from:
    • X:\Program Files\Apache Software Foundation\Tomcat 9.0\work
  3. Remove all the files/folders inside the “temp” folder from:
    • X:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
      DO NOT DELETE THE ENTIRE TEMP FOLDER
  4. Remove the “schemaComplied” folder from:
    • X:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\archibus\
  5. Go to the “lib” folder:
    • X:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\archibus\WEB-INF\lib\
  6. Delete “log4j-api-2.1x.x.jar”, “log4j-core-2.1x.x.jar” and “log4j-slf4j-impl-2.1x.x.jar”
  7. Download and extract the zip, then paste the updated jars (log4j-api, log4j-core and log4j-slf4j-impl, version 2.17.1) into the “lib” folder. Before continuing, confirm that only the 2.17.1 version of each of the three jars remains in the folder; if an older copy is left behind, Tomcat may still load it.
  8. Start the Apache Tomcat Service
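The eight steps above as one PowerShell script, with the checks an administrator wants around them (an added example, not a script supplied by Robotech or Archibus): it refuses to stop Tomcat unless all three replacement jars are present and at least 2.17.1, moves the old jars to a backup folder instead of deleting them, and verifies the lib folder before starting the service again. The service name 'Tomcat9', the -NewJars folder and the Tomcat root path are assumptions; adjust them to your install.

```powershell
# Added example (not from the original post): scripted remediation of the
# Archibus Web Central log4j update, with pre- and post-checks.
# Assumptions: service name 'Tomcat9', $TomcatRoot placeholder path, and
# $NewJars pointing at the extracted log4j-*-2.17.1.jar files.
param(
    [string]$TomcatRoot  = 'X:\Program Files\Apache Software Foundation\Tomcat 9.0',
    [string]$ServiceName = 'Tomcat9',
    [Parameter(Mandatory)][string]$NewJars
)
$ErrorActionPreference = 'Stop'

$Lib      = Join-Path $TomcatRoot 'webapps\archibus\WEB-INF\lib'
$Required = 'log4j-api', 'log4j-core', 'log4j-slf4j-impl'
$Fixed    = [version]'2.17.1'

# Pre-check: every replacement jar must exist and be at least 2.17.1 before
# we touch the running server.
foreach ($m in $Required) {
    $ok = Get-ChildItem -Path $NewJars -Filter "$m-*.jar" |
          Where-Object { $_.Name -match "^$m-(\d+\.\d+\.\d+)\.jar$" -and [version]$Matches[1] -ge $Fixed }
    if (-not $ok) { throw "Replacement $m jar (>= $Fixed) not found in $NewJars" }
}

# Step 1: stop Tomcat and wait until it has really stopped.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Steps 2-4: clear compiled and cached state that may reference the old classes.
Remove-Item -Recurse -Force (Join-Path $TomcatRoot 'work\Catalina') -ErrorAction SilentlyContinue
# Contents only; the temp folder itself must stay.
Get-ChildItem -Path (Join-Path $TomcatRoot 'temp') -Force | Remove-Item -Recurse -Force
Remove-Item -Recurse -Force (Join-Path $TomcatRoot 'webapps\archibus\schemaComplied') -ErrorAction SilentlyContinue

# Steps 5-6: move the old jars to a timestamped backup outside webapps.
$Backup = Join-Path $TomcatRoot ('log4j-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $Backup | Out-Null
foreach ($m in $Required) {
    Get-ChildItem -Path $Lib -Filter "$m-*.jar" | Move-Item -Destination $Backup
}

# Step 7: copy the 2.17.1 jars into lib.
foreach ($m in $Required) {
    Get-ChildItem -Path $NewJars -Filter "$m-*.jar" | Copy-Item -Destination $Lib
}

# Post-check: exactly one jar per module, none below 2.17.1. A leftover older
# jar on the classpath could still be loaded, so refuse to start in that case.
foreach ($m in $Required) {
    $present = @(Get-ChildItem -Path $Lib -Filter "$m-*.jar")
    if ($present.Count -ne 1) { throw "Expected one $m jar in $Lib, found $($present.Count)" }
    if ($present[0].Name -notmatch "^$m-(\d+\.\d+\.\d+)\.jar$" -or [version]$Matches[1] -lt $Fixed) {
        throw "$($present[0].Name) is below $Fixed"
    }
}

# Step 8: start Tomcat again.
Start-Service -Name $ServiceName
Write-Host "log4j updated to $Fixed in $Lib; previous jars saved to $Backup"
```

Run it from an elevated PowerShell session, for example `.\Update-ArchibusLog4j.ps1 -NewJars 'C:\Temp\log4j-2.17.1'` (hypothetical script name and path). Because the pre-check runs before Stop-Service, a missing or too-old replacement jar aborts the script without any downtime, and the backup folder lets you roll back by moving the old jars back if the application fails to start.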


If you have any questions, please feel free to reach out to techs@robotechcad.com.

Sincerely,

Robotech Support Team