Please see our main article on CVE-2021-44228 for a full overview.
Actions required for 21.11
Customers running any version of Avantra 21.11 are immediately advised to mitigate this risk by following ALL of the following steps:
- Upgrade your Avantra services (master server and UI (xangui)) to 21.11.2 or higher.
- Only if you cannot upgrade, follow the manual steps below.

Avantra Server (manual steps if you cannot upgrade):
Disable the functionality within Log4J2 where this CVE resides. To do this, do the following:
- Linux
  - Master Server: Ensure that the Avantra master server JVM configuration file (at master/cfg/jvm.options) contains a deliberate disabling of this feature within the log4j2 library, and restart the service:
    - -Dlog4j2.formatMsgNoLookups=true
  - UI Server (xangui): Ensure that the Avantra UI server (xangui) JVM configuration file (at xangui/cfg/jvm.options) contains a deliberate disabling of this feature within the log4j2 library, and restart the service:
    - -Dlog4j2.formatMsgNoLookups=true
- Windows
  - Master Server: Go to [avantra-directory]\master\bin and execute the command "prunmgr //ES//lyceusm" at a command prompt. In the resulting window, add a new "Java Option" under the section "Java" to match:
    - -Dlog4j2.formatMsgNoLookups=true
  - UI Server (xangui): Go to [avantra-directory]\xangui\bin and execute the command "prunmgr //ES//xangui" at a command prompt. In the resulting window, add a new "Java Option" under the section "Java" to match:
    - -Dlog4j2.formatMsgNoLookups=true

Avantra Agents:
For Avantra Agents, there are two options.
- Upgrade your agents to version 21.11.2 or higher. If upgrading, please note the following: we recommend performing the update via the Avantra agent update process using the .bin file provided in the download area.
- Manually update the Java runtime configuration similar to the master server above (jvm.config file on Linux and prunmgr //ES//sxagent for Windows).

As per the Avantra Hardening guide, we recommend:
- Lowering the log level of the Avantra master and UI to only what is required.
- Disabling unnecessary text input fields for unauthenticated users, i.e. the password reset function.

Ensure that your Java version is updated to a version above Java 8u121 from whatever source you currently use, e.g. Adoptium Temurin / Oracle Java.
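The following POSIX shell script is an added check, not Avantra's own tooling: it audits the Linux jvm.options files named above for the exact -Dlog4j2.formatMsgNoLookups=true token (a commented-out line or a "=false" setting does not count), appends the option where it is missing, and demonstrates this on a constructed sample install. It assumes one JVM option per line and an install root that contains master/cfg/jvm.options and xangui/cfg/jvm.options.

```shell
#!/bin/sh
# Added example, not Avantra's own tooling: audit (and if needed add) the
# -Dlog4j2.formatMsgNoLookups=true option in the Linux jvm.options files.
# Assumptions: one JVM option per line, and the install root holds
# master/cfg/jvm.options and xangui/cfg/jvm.options as described above.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Returns 0 only if the flag is present as an uncommented, exact token, so a
# commented-out line or '=false' does not pass as mitigated.
has_nolookups_flag() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -qE "(^|[[:space:]])-Dlog4j2\.formatMsgNoLookups=true([[:space:]]|\$)"
}

# Appends the flag once; safe to re-run. Assuming the launcher passes these
# lines to the JVM in order, the last -D value wins, so '=true' overrides '=false'.
ensure_nolookups_flag() {
    if has_nolookups_flag "$1"; then
        echo "ok: $1 already sets $FLAG"
    else
        printf '%s\n' "$FLAG" >> "$1"
        echo "added: $FLAG to $1 (restart the service to apply)"
    fi
}

# Reports each service's file; returns 1 if any file lacks the flag.
audit_avantra() {
    rc=0
    for f in "$1/master/cfg/jvm.options" "$1/xangui/cfg/jvm.options"; do
        if has_nolookups_flag "$f"; then echo "MITIGATED $f"
        else echo "MISSING   $f"; rc=1; fi
    done
    return $rc
}

# Demo on a constructed sample install; no real Avantra files are touched.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/master/cfg" "$d/xangui/cfg"
    printf '%s\n' '-Xmx2g' '# -Dlog4j2.formatMsgNoLookups=true' > "$d/master/cfg/jvm.options"
    printf '%s\n' '-Xmx1g' '-Dlog4j2.formatMsgNoLookups=false' > "$d/xangui/cfg/jvm.options"
    audit_avantra "$d" || echo "-> sample install is NOT mitigated"
    ensure_nolookups_flag "$d/master/cfg/jvm.options"
    ensure_nolookups_flag "$d/xangui/cfg/jvm.options"
    audit_avantra "$d" && echo "-> sample install is mitigated"
    rm -rf "$d"
}
demo
```

Run audit_avantra against the real install root after editing, then confirm the flag appears in the running java process arguments once the service has been restarted.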
Change Log
| Date | Change |
| --- | --- |
| 14th Dec @ 16:00 CET | Updated as there are now new server versions available: 21.11.2 and 20.11.11 |
| 13th Dec @ 18:30 CET | Initial version for 21.11.X customers |