Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
All supported DX NetOps Spectrum releases
The Spectrum Data Publisher (used to integrate with DX Operational Intelligence DX OI) uses the log4j logging mechanism and is therefore vulnerable.
# find . -name log4*jar
Remove the JndiLookup class as it is not needed
- Stop the SpectrumDataPublisher
./run.sh stop (run.bat stop if Windows)
- Change directory to the SpectrumDataPublisher lib directory (ex. /usr/SpectrumDataPublisher/lib/)
- Remove the Jndi class as follows
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Start the SpectrumDataPublisher
./run.sh start (run.bat start if Windows)
Rename .jar to .zip
Double-click this file to navigate into it.
Go to the org/apache/logging/log4j/core/lookup/ folder and locate and delete JNDILookup.class:
Once the file has been deleted, rename .zip back to .jar.