Serious remote code execution (RCE) and denial of service (DoS) vulnerabilities in Apache Log4j could affect customers running some OpenNMS products. An attacker who can get OpenNMS to log a specially crafted message (for example, a string containing a "${jndi:...}" lookup, delivered through any input that ends up in a log line) can cause Log4j to resolve that lookup, fetch code from an attacker-controlled server, and run it, or can crash the system.

To mitigate this risk, find your product and version in the list below and install the latest OpenNMS software upgrade for it, or apply the listed work-around until you can upgrade.

For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 at https://logging.apache.org/log4j/2.x/security.html.

(Updated December 14, 2021 for Horizon 26.1.2 and earlier versions. Updated December 16 for CVE-2021-45046. Updated December 20 for CVE-2021-45105.) Note that the log4j.formatMsgNoLookups work-around is no longer recommended: it only disables lookups in the logged message text and does not cover CVE-2021-45046, so upgrading or removing the JndiLookup class is the mitigation to apply. We are evaluating CVE-2021-45105 and at this time do not believe our products are affected.

Version: Meridian 2021.1.8, 2020.1.16, 2019.1.27, or earlier

  • Work-around:
    Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the line:
    log4j.formatMsgNoLookups=true
    This setting alone is no longer considered sufficient (see the note above), so also do the following.

    Remove the JndiLookup class from every Log4j jar in the installation (the directories that contain log4j files) with this set of bash commands, run against your OpenNMS installation directory (on Debian, replace "/opt/opennms" with "/usr/share/opennms"; requires the zip and unzip utilities). The service is stopped before the jars are modified, the glob is quoted so the shell cannot expand it, and the class is deleted only from jars that actually contain it, because zip exits non-zero for a jar without it (for example log4j-api) and that would abort the chain:
    systemctl stop opennms.service &&
    find /opt/opennms -type f -name '*log4j*.jar' -print0 | while IFS= read -r -d '' JAR; do
      if unzip -l "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class >/dev/null 2>&1; then
        zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
      fi
    done &&
    find /opt/opennms/system -type f -name '*log4j*.jar.sha1' -delete &&
    rm -rf /opt/opennms/data/* &&
    systemctl start opennms.service

  • Permanent Fix:
    Upgrade to Meridian 2021.1.9, 2020.1.17, 2019.1.28, or newer

Version: Horizon 26.1.3 through 29.0.2

  • Work-around:
    Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the line:
    log4j.formatMsgNoLookups=true
    and restart Horizon. This setting alone is no longer considered sufficient (see the note above); prefer the upgrade, or the JndiLookup removal listed under "Horizon 29.0.3 or earlier".
  • Permanent Fix:
    Upgrade to Horizon 29.0.3 or newer

Version: Horizon 29.0.3 or earlier

  • Work-around:
    Remove the JndiLookup class from every Log4j jar in the installation (the directories that contain log4j files) with this set of bash commands, run against your OpenNMS installation directory (on Debian, replace "/opt/opennms" with "/usr/share/opennms"; requires the zip and unzip utilities). The service is stopped before the jars are modified, the glob is quoted so the shell cannot expand it, and the class is deleted only from jars that actually contain it, because zip exits non-zero for a jar without it (for example log4j-api) and that would abort the chain:
    systemctl stop opennms.service &&
    find /opt/opennms -type f -name '*log4j*.jar' -print0 | while IFS= read -r -d '' JAR; do
      if unzip -l "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class >/dev/null 2>&1; then
        zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
      fi
    done &&
    find /opt/opennms/system -type f -name '*log4j*.jar.sha1' -delete &&
    rm -rf /opt/opennms/data/* &&
    systemctl start opennms.service
  • Permanent Fix:
    Upgrade to Horizon 29.0.4 or newer

Version: PoweredBy OpenNMS

  • Work-around:
    Not available
  • Permanent Fix:
    Pull from the latest GitHub source, which has Log4j2 v2.17.0 or newer in pom.xml, and rebuild.

Version: Minions derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3, or earlier

  • Work-around:
    For each Minion, edit the /opt/minion/etc/config.properties config file to include the line:
    log4j.formatMsgNoLookups=true
    This setting alone is no longer considered sufficient (see the note above), so also do the following.

    Remove the JndiLookup class from every Log4j jar in the installation (the directories that contain log4j files) with this set of bash commands, run against your Minion installation directory (on Debian, replace "/opt/minion" with "/usr/share/minion"; requires the zip and unzip utilities). The service is stopped before the jars are modified, the glob is quoted so the shell cannot expand it, and the class is deleted only from jars that actually contain it, because zip exits non-zero for a jar without it (for example log4j-api) and that would abort the chain:
    systemctl stop minion.service &&
    find /opt/minion -type f -name '*log4j*.jar' -print0 | while IFS= read -r -d '' JAR; do
      if unzip -l "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class >/dev/null 2>&1; then
        zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
      fi
    done &&
    find /opt/minion/system -type f -name '*log4j*.jar.sha1' -delete &&
    rm -rf /opt/minion/data/* &&
    systemctl start minion.service
  • Permanent Fix:
    Upgrade to Minion included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer

Version: Minion Appliance – all versions

  • Work-around:
    Not applicable – Automatic Updates
  • Permanent Fix:
    Appliance service provides automatic updates to Minion appliances to match the version of Meridian or Horizon in use.

Version: Sentinels derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3 or earlier

  • Work-around:
    For each Sentinel, edit the /opt/sentinel/etc/config.properties config file to include the line:
    log4j.formatMsgNoLookups=true
    This setting alone is no longer considered sufficient (see the note above), so also do the following.

    Remove the JndiLookup class from every Log4j jar in the installation (the directories that contain log4j files) with this set of bash commands, run against your Sentinel installation directory (on Debian, replace "/opt/sentinel" with "/usr/share/sentinel"; requires the zip and unzip utilities). The service is stopped before the jars are modified, the glob is quoted so the shell cannot expand it, and the class is deleted only from jars that actually contain it, because zip exits non-zero for a jar without it (for example log4j-api) and that would abort the chain:
    systemctl stop sentinel.service &&
    find /opt/sentinel -type f -name '*log4j*.jar' -print0 | while IFS= read -r -d '' JAR; do
      if unzip -l "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class >/dev/null 2>&1; then
        zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
      fi
    done &&
    find /opt/sentinel/system -type f -name '*log4j*.jar.sha1' -delete &&
    rm -rf /opt/sentinel/data/* &&
    systemctl start sentinel.service

  • Permanent Fix:
    Upgrade to Sentinel included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer

Version: Sentinels derived from Horizon 26.1.2 or earlier

  • Work-around:
    For each Sentinel, remove the JndiLookup class from the classpath by running this command in each directory that contains a log4j-core-*.jar file (zip treats its first argument as the archive, so run it once per jar):
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    Then restart Sentinel.
  • Permanent Fix:
    Upgrade to Sentinel included with Horizon 29.0.3 or newer

Addendum

Find out how to verify that the mitigations you put in place are protecting you from CVE-2021-44228 and CVE-2021-45046 in this Discourse article.
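The verification check in its simplest form, as an added example that is not OpenNMS code and not the script from the Discourse article: open every jar under an installation root, including jars packed inside other jars, and report any log4j-core that still contains JndiLookup.class and is below the 2.17.0 threshold this page names. The scanner serves both the zip -d procedures above (did the class actually go away, in every copy?) and the addendum (how do I verify?). The directory layout, jar names and versions in build_sample_tree are constructed fixtures, not real Log4j artifacts; against a real host, call unmitigated("/opt/opennms"), unmitigated("/opt/minion") or unmitigated("/opt/sentinel") instead.

```python
"""Added example (not OpenNMS code, not the Discourse article's script): open
every *.jar under a root, including jars nested inside other jars, and report
any log4j-core that still carries JndiLookup.class and is below 2.17.0."""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # "Log4j2 v2.17.0 or newer", the threshold the advisory names


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); missing or non-numeric (e.g. '-SNAPSHOT') -> None."""
    try:
        return tuple(int(p) for p in v.split(".")) if v else None
    except ValueError:
        return None

def inspect_jar(data, name):
    """Findings for one jar given as bytes; nested jars are named outer!inner."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # only log4j-core ships this pom.properties
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_class = JNDI_CLASS in names
        if version is not None or has_class:
            parsed = parse_version(version)
            # Unmitigated = lookup class present and no proof of a fixed release;
            # a missing or unparsable version counts as unsafe, not as a pass.
            unsafe = has_class and (parsed is None or parsed < FIXED)
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": has_class, "unmitigated": unsafe})
        # Shaded/fat jars can embed log4j-core; 'zip -d' on the outer file
        # never touches those copies, so descend into them.
        for inner in sorted(names):
            if inner.endswith(".jar"):
                findings.extend(inspect_jar(zf.read(inner), name + "!" + inner))
    return findings

def scan_tree(root):
    """Inspect every *.jar below root; names are reported relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), os.path.relpath(path, root)))
    return findings

def unmitigated(root):
    """Sorted relative paths of jars that would still resolve ${jndi:...}."""
    return sorted(f["jar"] for f in scan_tree(root) if f["unmitigated"])

def _fixture_jar(path, version=None, with_class=True, nested=None):
    """Write a constructed stand-in jar (not real Log4j) for the sample tree."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if with_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)

def build_sample_tree():
    """Constructed tree covering the cases the zip -d procedure can miss."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    sysdir = os.path.join(root, "system", "org", "apache", "logging", "log4j")
    libdir = os.path.join(root, "lib")
    for d in (sysdir, libdir):
        os.makedirs(d)
    _fixture_jar(os.path.join(sysdir, "log4j-core-2.14.1.jar"), "2.14.1")
    _fixture_jar(os.path.join(sysdir, "log4j-core-2.14.1-stripped.jar"), "2.14.1", with_class=False)
    _fixture_jar(os.path.join(sysdir, "log4j-core-2.17.0.jar"), "2.17.0")
    _fixture_jar(os.path.join(sysdir, "log4j-api-2.14.1.jar"), None, with_class=False)
    inner = io.BytesIO()  # vulnerable log4j-core hidden inside another bundle
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.13.3\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    _fixture_jar(os.path.join(libdir, "some-bundle.jar"), None, with_class=False,
                 nested={"lib/log4j-core-2.13.3.jar": inner.getvalue()})
    return root

if __name__ == "__main__":
    for jar in unmitigated(build_sample_tree()):  # use "/opt/opennms" for a real check
        print("UNMITIGATED:", jar)
```

Two points the sample tree is built to make: a 2.17.0 jar still contains JndiLookup.class and must not be flagged, while a copy of log4j-core nested inside another bundle is untouched by the zip -d commands and must be. After the service restart, point the scanner at the data/ directory as well, since the Karaf cache there holds extracted copies of the bundles that the commands above clear for exactly this reason.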