Please see our main article on CVE-2021-44228 for a full overview.


Actions required for 20.5, 20.2, and below


Customers running any version of Avantra 20.5, 20.2 or below are advised to mitigate this risk immediately by following ALL of the steps below:

  1. Avantra Server:
    We strongly recommend upgrading your Avantra master server (where possible) to 20.11.11+ or 21.11.2+.

    If you cannot upgrade your master server, please perform the following:
    • Linux
      • Master Server:
        1. Stop the Avantra Master service
        2. Create a backup of the following file %SYSLINK_HOME%/master/lib/log4j-core-*.jar to a temporary directory.
        3. Run the following command to remove the JndiLookup.class file from the log4j jar:
          cd %SYSLINK_HOME%/master/lib
          
          zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
        4. Start the Avantra Master service

      • UI Server (xangui):
        1. Stop the Avantra UI service
        2. Create a backup of the following file %SYSLINK_HOME%/xangui/xn.war to a temporary directory.
        3. Delete the JndiLookup.class file from the log4j jar within the xn.war file. This file is located at:
          xn.war/WEB-INF/lib/log4j-core-*.jar/org/apache/logging/log4j/core/lookup/JndiLookup.class
        4. Repackage the Jar and war file (if necessary)
        5. Start the Avantra UI service

    • Windows
      • Master Server:
        1. Stop the Avantra Master service
        2. From C:\Program Files\syslink\master\lib\
        3. Make a backup of the log4j-core-*.jar file to a different directory
        4. Copy this file to a temporary folder
        5. Open the jar with a zip browser (we use 7zip) and locate the following file:
          org/apache/logging/log4j/core/lookup/
        6. Delete the file JndiLookup.class
        7. Confirm changes to the archive 
        8. Copy back the jar to the original directory (from step 2) replacing the existing .jar file
        9. Start the Avantra Master service

      • UI Server (xangui):
        1. Stop the Avantra UI service
        2. From C:\Program Files\syslink\xangui\ (or the installation directory)
        3. Make a backup of the xn.war file to xn.war.bak.
        4. Copy file xn.war to a temporary folder.
        5. Open xn.war with a zip browser (we use 7zip) and locate the following file:
          xn.war/WEB-INF/lib/log4j-core-*.jar/org/apache/logging/log4j/core/lookup/
        6. Delete the file JndiLookup.class
        7. Confirm changes to the archive
        8. Copy back to the original directory (from step 2) replacing the existing xn.war file
        9. Start the Avantra UI service

    • After performing these steps, verify that the master and UI services are operational again. In case of issues, restore the backup copies of the master (log4j-core-*.jar) and xangui (xn.war) files that were replaced.

  2. Avantra Agents:

    • If you are upgrading your master server to 20.11.11+ or 21.11.2+ then please follow the guidance in the relevant document.

    • Avantra agent version 20.5.8 is now available from the download site for use with Avantra Master servers version 20.5.6 and above. Use this agent where another upgrade is not possible, e.g. on older versions of Windows.

    • If you do not plan to upgrade your agents, or cannot, do the following:
      • Linux:
        1. Stop the Avantra Agent service
        2. Create a backup of the following file %SYSLINK_HOME%/agent/lib/log4j-core-*.jar to a temporary directory.
        3. Run the following command to remove the JndiLookup.class file from the log4j jar:

          cd %SYSLINK_HOME%/agent/lib
          
          zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
        4. Start the Avantra Agent service


      • Windows:
        1. Stop the Avantra Agent service
        2. Backup the file located at C:\Program Files\syslink\agent\lib\log4j-core-*.jar to a different folder.
        3. Copy this jar to a temporary folder and remove the following file:
          org/apache/logging/log4j/core/lookup/JndiLookup.class
        4. Copy the modified jar back to the location from step 2, replacing the existing jar file
        5. Start the Avantra Agent service
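The backup, delete and verify sequence above is the same for the master, UI and agent installations on both platforms, so here it is as one script. This is an added example, not Avantra's own tooling: it uses Python's zipfile module in place of zip or 7zip, handles both a bare log4j-core-*.jar and a jar nested inside xn.war (the repackaging step), backs each file up before touching it, and checks that JndiLookup.class is gone before the service is restarted. The sample archives, the log4j-core-sample.jar name and the temporary install layout are constructed for the demo; only the directory names (master/lib, xangui/xn.war, agent/lib) and the class path come from the page.

```python
import fnmatch
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

# The class the page's steps delete, at its path inside any log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_GLOB = "log4j-core-*.jar"


def has_jndi_lookup(data):
    """True if these jar bytes still ship JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(data):
    """Return the jar rewritten without JndiLookup.class (zipfile cannot delete in place)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps method and timestamp
    return out.getvalue()


def remediate_bytes(data):
    """Handle a bare log4j-core jar or a war embedding one; return (new bytes, removed entries)."""
    if has_jndi_lookup(data):  # bare jar, e.g. master/lib/log4j-core-*.jar
        return strip_jndi_lookup(data), [JNDI_CLASS]
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            basename = info.filename.rsplit("/", 1)[-1]
            # nested jar, e.g. xn.war/WEB-INF/lib/log4j-core-*.jar: strip it, then re-embed it
            if fnmatch.fnmatch(basename, LOG4J_CORE_GLOB) and has_jndi_lookup(payload):
                payload = strip_jndi_lookup(payload)
                removed.append(info.filename + "/" + JNDI_CLASS)
            dst.writestr(info, payload)
    return (out.getvalue(), removed) if removed else (data, [])


def is_clean(path):
    """Verification step: nothing left to remove in the file or its nested jars."""
    return not remediate_bytes(path.read_bytes())[1]


def remediate_file(path, backup_dir):
    """Back the file up to backup_dir (the page's backup step), then rewrite it in place."""
    new_data, removed = remediate_bytes(path.read_bytes())
    if removed:
        backup_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, backup_dir / path.name)  # restore this if the service fails to start
        path.write_bytes(new_data)
    return removed


def find_targets(root):
    """log4j-core jars and wars below an install root (master/lib, xangui, agent/lib, ...)."""
    return sorted(p for p in root.rglob("*")
                  if fnmatch.fnmatch(p.name, LOG4J_CORE_GLOB) or p.suffix == ".war")


def fake_log4j_core():
    """Constructed sample input: a two-entry stand-in for a real log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe stub")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe stub lookup")
    return buf.getvalue()


def build_sample_install(root):
    """Constructed sample layout: master/lib with a bare jar, xangui with xn.war embedding one."""
    (root / "master" / "lib").mkdir(parents=True)
    (root / "master" / "lib" / "log4j-core-sample.jar").write_bytes(fake_log4j_core())
    (root / "xangui").mkdir(parents=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-sample.jar", fake_log4j_core())
    (root / "xangui" / "xn.war").write_bytes(war.getvalue())


def run_demo():
    """Remediate the constructed sample end to end; returns {relative path: entries removed}."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    build_sample_install(root)
    backup = Path(tempfile.mkdtemp(prefix="log4j-backup-"))
    result = {}
    for target in find_targets(root):
        result[target.relative_to(root).as_posix()] = remediate_file(target, backup)
        assert is_clean(target), f"{target} still contains JndiLookup.class"
    return result
```

`run_demo()` exercises the whole flow on the constructed sample. For a real installation, stop the services first as the steps above require, call `find_targets(Path(install_root))` on the directory that %SYSLINK_HOME% (Linux) or C:\Program Files\syslink (Windows) refers to, and pass each result to `remediate_file` together with a backup directory outside that tree; a backup directory inside the tree would be picked up by `find_targets` on a second run. `is_clean` is the check to run before starting the service again, and the backup copy is what you restore if the service does not come up.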


  3. As per the Avantra Hardening guide, we recommend:
    • Lowering the log level of the Avantra master and UI to only what is required
    • Disabling unnecessary text input fields for unauthenticated users, e.g. the password reset function

  4. Ensure that your Java version is updated to at least Java 8u121 or later, from whatever source you currently use, e.g. Adoptium Temurin or Oracle Java.


Change Log

14th Dec @ 15:00 CET - Avantra Agent 20.5.7 is now available for customers that require it for older Windows versions or where an upgrade is not possible.
13th Dec @ 18:30 CET - Initial version for customers on 20.5, 20.2 and below