NOTE: This applies to on-premise customers only. If you are a hosted Teamforge customer, the vulnerability has already been corrected in the hosted environment.
Many of our users will have seen recent news about ongoing problems with the Zero-Day attack which exploits vulnerabilities in the Apache Log4j library - CVE-2021-44228
The identified vulnerability is with the version 2.x of log4j-core jar file core jar file which is not used by the TeamForge core product. TeamForge internally uses ElasticSearch which in turn uses Log4j 2.9.1. ElasticSearch is used for code search functionality and is not directly exposed as APIs to be consumed outside of TeamForge.
Elastic Search can be can be protected via a simple JVM property change as recommended by Elastic (https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476) and NIST (CVE-2021-44228). This does not require updating or changing the Log4j libraries. We suggest the following action on the Elastic Search service of TeamForge:
Steps to Follow
- Go to the server where code search service is running. Go to file /etc/elasticsearch/jvm.options and replace -Xms2g -Xmx2g with:
-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true
- Restart code search service using the following command:
teamforge restart -s codesearch-elasticsearch
- Verify Code search service is up and running and see that the service runs with the new JVM option added using the following command:
ps -ef | grep elasticsearch | grep formatMsgNoLookups
- Add/ Change ELASTICSEARCH_JAVA_OPTS in /opt/collabnet/teamforge/etc/site-options.conf to:
ELASTICSEARCH_JAVA_OPTS=-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true
- Step 1 will take effect immediately after a service restart but will be reverted in subsequent 'teamforge provision'.
- Step 4 is needed for this change to survive subsequent TeamForge provision. If you are using a multi server environment, make sure to update the token in site-options.conf across all servers.
- The steps are structured to avoid immediate provisioning and to mitigate the risk due to the vulnerability with immediate effect.
To view Log4J notices for other Digital.ai products, please see Log4J Vulnerability to Zero Day Exploit and Digital.ai.