Spectrum Spatial Analyst - CVE-2021-44228 - "Log4Shell"

Spectrum Spatial Analyst is impacted by CVE-2021-44228 - "Log4Shell" for versions 12.2, 2018.2, 2019.1 & 2020.1

Dec 16, 2021

Article Number 000049119

Issue

The following versions of Spectrum Spatial Analyst are impacted by CVE-2021-44228 - "Log4Shell" –

12.2, 2018.2, 2019.1, 2020.1

If you have installed one of these versions, you must follow the steps defined according to your specific environment (Windows/Non-Windows).

Cause

Resolution

Windows Installations

This section explains the mitigations steps for Spectrum Spatial Analyst on a Windows server.

Remediation Steps for Analyst

1. Stop all Spectrum Spatial Analyst services: AnalystConnect, AnalystLocate, and AnalystAdmin (v12.2, v2018.2 only).

Repeat steps given in section Remove JndiLookup.class for all Spectrum Spatial Analyst services.

If you are using Spectrum Spatial Analyst 12.2 or 18.2, make sure to run same steps for AnalystAdmin service.

Start all Spectrum Spatial Analyst services.

Open Spectrum Spatial Analyst in a browser and verify that your map projects are working as expected.

Remove JndiLookup.class from the classpath

If you are running steps for AnalystLocate service, the log4j-core version may be 2.0 or 2.10.0, depending on Spectrum Spatial Analyst version. Otherwise, the log4j-core version will be 2.0

Refer to Application directory paths section, to get the path of the directory that contains log4j-core artifact.

Use a file archiver utility like 7-Zip to open log4j-core-2.x.jar. Make sure to run the utility as an Administrator, otherwise the changes may not be saved.

You should get a new window as shown below:

In the archive utility window, open the path “org/apache/logging/log4j/core/lookup” by clicking on org -> apache -> logging -> core-> lookup.

Look for a file named JndiLookup.class as shown above and delete it. To delete the file, you need to right click on the file name - JndiLookup.class, subsequently click on Delete and Ok.

Click on Save to persist the changes.

Application directory paths

The paths for directories that contain log4j.2.x jar are given below:

Spectrum Spatial Analyst 18.2, 2019.1, 2020.1

Note that installDir is the directory where you have installed Spectrum Spatial Analyst (for example: C:\Program Files\Precisely).

AnalystConnect

<installDir>\SpectrumSpatialAnalyst\Tomcat\AnalystConnect\webapps\connect\WEB-INF\lib

AnalystLocate

<installDir>\SpectrumSpatialAnalyst\Tomcat\AnalystLocate\webapps\index-search\WEB-INF\lib

<installDir>\SpectrumSpatialAnalyst\Tomcat\AnalystLocate\webapps\maprepo\WEB-INF\lib

Note: The above path containing “maprepo” is valid for 2018.2 only.

AnalystAdmin (2018.2 only)

<installDir>\SpectrumSpatialAnalyst\Tomcat\AnalystAdmin\webapps\adminconsole\WEB-INF\lib

Spectrum Spatial Analyst 12.2

AnalystConnect

<installDir>\SpectrumSpatialAnalyst\Tomcat7\AnalystConnect\webapps\connect\WEB-INF\lib

AnalystLocate

<installDir>\SpectrumSpatialAnalyst\Tomcat7\AnalystLocate\webapps\index-search\WEB-INF\lib

AnalystAdmin

<installDir>\SpectrumSpatialAnalyst\Tomcat7\AnalystAdmin\webapps\adminconsole\WEB-INF\lib

Remediation Steps for Utilities

These utilities are only used during Analyst installation time. These are not used later from running application. However, you should delete JndiLookup.class inside log4j-core-2.x jars.

Spectrum Spatial Analyst 2018.2

Migration Utility

1. Navigate to <installDir>\SpectrumSpatialAnalyst\Migration

2. Use a file archiver utility like 7-Zip to open Analyst2018.2Migration-0.0.1-SNAPSHOT.jar. Make sure to run the utility as an Administrator, otherwise the changes may not be saved.

3. Click on BOOT-INF and then on lib folder.

4. Click on log4j-core-2.x.jar

5. Run the steps mentioned in section - Remove JndiLookup.class from the classpath , starting from point “3” till end of section.

Spectrum Spatial Analyst 2019.1

Installer Utility

Navigate to <installDir>\SpectrumSpatialAnalyst\InstallerUtility

Use a file archiver utility like 7-Zip to open InstallerUtility-2019.1.jar. Make sure to run the utility as an Administrator, otherwise the changes may not be saved.

Click on BOOT-INF and then on lib folder.

Click on log4j-core-2.x.jar

Run the steps mentioned in section - Remove JndiLookup.class from the classpath , starting from point “3” till end of section.

Non-Windows Installations

This section explains the mitigations steps for Spectrum Spatial Analyst on a non-Windows server.

Remediation Steps

Stop all Spectrum Spatial Analyst servers: AnalystConnect, AnalystLocate, and AnalystAdmin (v12.2, v2018.2 only).

Repeat steps given in section Remove JndiLookup.class for all Spectrum Spatial Analyst servers.

If you are using Spectrum Spatial Analyst 12.2 or 18.2, you need to run same steps for AnalystAdmin server.

Start all Spectrum Spatial Analyst servers.

Open Spectrum Spatial Analyst in a browser and verify that your map projects are working as expected.

Remove the JndiLookup.class from the classpath

Refer to Application directory paths section, to get the path of the directory that contains log4j-core artifact.

Open a terminal and change directory to application path containing log4j-core-2.x.jar by running below command:

cd <path_contains_ log4j-core-2.x.jar>

Delete JndiLookup.class by running below command:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

If the file is deleted successfully, you should not get any output. You will get an error message otherwise.

Application directory paths

The paths for directories that contain log4j.2.x jar are given below:

Spectrum Spatial Analyst 12.2, 2018.2, 2019.1, 2020.1

Note that installDir is the directory where you have installed Spectrum Spatial Analyst (for example: /home/user/myuser/Precisely).

AnalystConnect

<installDir>/SpectrumSpatialAnalyst/analyst/connect/webapps/connect/WEB-INF/lib

AnalystLocate

<installDir>/SpectrumSpatialAnalyst/analyst/index-search/webapps/index-search/WEB-INF/lib

<installDir>/SpectrumSpatialAnalyst/analyst/index-search/webapps/maprepo/WEB-INF/lib

AnalystAdmin (12.2 & 2018.2 only)

<installDir>/SpectrumSpatialAnalyst/analyst/adminconsole/webapps/adminconsole/WEB-INF/lib

Remediation Steps for Utilities

These utilities are only used during Analyst installation time. These are not used later from running application. However, you should perform the mitigation steps as a precautionary measure.

Note that in case of the Utilities, log4j-core-2.x jar is contained inside utility jar file. So, you should copy the utility to a Windows system and perform steps as mentioned below.

Spectrum Spatial Analyst 2018.2 - Migration Utility

Navigate to <installDir>/SpectrumSpatialAnalyst/migration

Use a file archiver utility like 7-Zip to open Analyst2018.2Migration-0.0.1-SNAPSHOT.jar. Make sure to run the utility as an Administrator, otherwise the changes may not be saved.

Click on BOOT-INF and then on lib folder.

Click on log4j-core-2.x.jar

Run the steps mentioned in section - Remove JndiLookup.class from the classpath , starting from point “3” till end of section.

Spectrum Spatial Analyst 2019.1 - Installer Utility

Navigate to <installDir>/SpectrumSpatialAnalyst/InstallerUtility

Use a file archiver utility like 7-Zip to open InstallerUtility-2019.1.jar. Make sure to run the utility as an Administrator, otherwise the changes may not be saved.

Click on BOOT-INF and then on lib folder.

Click on log4j-core-2.x.jar

Run the steps mentioned in section - Remove JndiLookup.class from the classpath , starting from point “3” till end of section.