On December 10th, 2021, we were made aware of a log4j2 vulnerability (CVE-2021-44228).
As you may be aware, m-Power utilizes the log4j library to handle various logging activities throughout the system.
The vulnerability that was discovered regarding log4j impacts log4j version 2, up through version 2.15.0.
m-Power utilizes log4j version 1, which is not impacted by this vulnerability.
That being said, our research has determined that Apache Solr (a third-party library not shipped with m-Power) is impacted by this vulnerability. This library can be optionally installed by clients who wish to implement m-Power’s Full Text Search template. The Full Text Search template is an advanced feature used for specific use cases and is not implemented by the majority of our clients. Still, the information below explains how you can check whether you are impacted and, if so, how to mitigate.
If you are not sure whether you are using the Full Text Search template, please do the following:
- Check your m-power/mrcjava/WEB-INF/classes/mrc-runtime.properties file. In the file, find the line mrc_solr_server_base. If this line doesn’t exist or is commented out (a line beginning with # is a comment), you are not impacted.
- If the line does exist and is not commented out, navigate to the folder specified in the property. From there, navigate to the following sub-folder: server\lib\ext\ (customers should also check the server\bin\ext\ folder)
Within this folder, look for the following files (* represent wildcards):
- If these files are present, please delete them. Download this zip file and extract its contents into this same folder. Our hotfix replaces the above files with version 2.16.0 of those files, which is not susceptible to the vulnerability.
- Restart Tomcat and repeat this process for any other instances of m-Power you are using (development, production, testing, etc.)
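The checks above (is mrc_solr_server_base active, and which log4j jars sit in the two ext folders) can be scripted so that they are repeated consistently across every m-Power instance. The following Python script is an added example, not mrc's own tooling. It assumes the Solr jars follow the standard Apache naming log4j-&lt;module&gt;-&lt;version&gt;.jar (the notice itself lists the file names with wildcards), that the folders to inspect are server/lib/ext and server/bin/ext under the path named in mrc_solr_server_base, and, as the notice states, that log4j 2.x below the 2.16.0 hotfix level is affected while log4j 1.x is not. The sample properties text and the directory tree it scans are constructed inside the script so it runs offline.

```python
"""Check an m-Power install for the log4j2 jars pulled in by the optional
Full Text Search (Apache Solr) component, following the steps in the notice.

Added example, not mrc's own tooling. Assumptions: Apache jar naming
log4j-<module>-<version>.jar; ext folders server/lib/ext and server/bin/ext
under the mrc_solr_server_base path; 2.x below 2.16.0 is affected, 1.x is not.
"""
import re
import tempfile
from pathlib import Path

PROPERTY = "mrc_solr_server_base"
EXT_SUBDIRS = ("server/lib/ext", "server/bin/ext")
# Assumed Apache naming, e.g. log4j-core-2.11.2.jar, log4j-api-2.11.2.jar
JAR_RE = re.compile(r"^log4j-[A-Za-z0-9_-]+?-(\d+(?:\.\d+)+)\.jar$")
FIXED = (2, 16, 0)  # hotfix level named in the notice


def solr_base_from_properties(text):
    """Return the mrc_solr_server_base value, or None when the line is
    absent or commented out (leading '#'), i.e. Full Text Search is not
    configured and the install is not impacted."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # .properties comments
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)  # key=value or key:value
        if m and m.group(1) == PROPERTY and m.group(2).strip():
            return m.group(2).strip()
    return None


def log4j2_version_from_name(filename):
    """Version string taken from a log4j jar name, or None for other files."""
    m = JAR_RE.match(filename)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """Per the notice: log4j 2.x below 2.16.0 is affected; 1.x is not."""
    parts = tuple(int(p) for p in version.split("."))
    v = (parts + (0, 0, 0))[:3]  # pad so "2.16" compares as 2.16.0
    return v[0] == 2 and v < FIXED


def scan_ext_folders(solr_base):
    """Look in both ext folders; return {jar path: (version, vulnerable)}."""
    findings = {}
    for sub in EXT_SUBDIRS:
        folder = Path(solr_base) / sub
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            ver = log4j2_version_from_name(entry.name)
            if ver is not None:
                findings[str(entry)] = (ver, is_vulnerable_version(ver))
    return findings


def check_install(properties_text):
    """Whole procedure: (affected, findings). affected is False when the
    property is inactive or only hotfix-level jars are present."""
    base = solr_base_from_properties(properties_text)
    if base is None:
        return False, {}
    findings = scan_ext_folders(base)
    return any(vuln for _, vuln in findings.values()), findings


def build_demo_tree():
    """Constructed sample Solr layout (not a real install) so the example
    runs offline: two affected 2.11.2 jars and one jar already at 2.16.0."""
    base = tempfile.mkdtemp(prefix="solr-demo-")
    lib_ext = Path(base) / "server/lib/ext"
    lib_ext.mkdir(parents=True)
    (lib_ext / "log4j-core-2.11.2.jar").touch()
    (lib_ext / "log4j-api-2.11.2.jar").touch()
    bin_ext = Path(base) / "server/bin/ext"
    bin_ext.mkdir(parents=True)
    (bin_ext / "log4j-core-2.16.0.jar").touch()  # already at hotfix level
    (bin_ext / "commons-io-2.6.jar").touch()     # unrelated jar, ignored
    return base


if __name__ == "__main__":
    demo_base = build_demo_tree()
    # Constructed mrc-runtime.properties excerpt with the property active
    props = f"# constructed sample\n{PROPERTY}={demo_base}\n"
    affected, findings = check_install(props)
    for path, (ver, vuln) in findings.items():
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:<8} {path}")
    print("affected:", affected)
```

To run it against a real instance, read mrc-runtime.properties into `check_install` instead of the constructed text; any entry reported as VULNERABLE is a file the notice says to delete and replace from the hotfix zip before restarting Tomcat. The jar name is only a first indicator: a jar that has been renamed or repackaged will not match the pattern, so on a flagged or unclear instance confirm the version from the jar's own manifest as well.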
Should you have additional questions, please do not hesitate to reach out to our support team.