m-Power currently utilizes log4j version 1 for various logging purposes. We at mrc are confident version 1 is not impacted by the log4j 2 vulnerability (CVE-2021-44228) discovered in December of 2021. Due to a lack of justifiable benefits, there is no plan to upgrade log4j to log4j 2 at this time. However, if it is your company policy to be on the latest version of software packages, please follow these steps.
1. Go to the Apache Log4j 2 Download Site.
2. Click on the mirror link for “Apache Log4j 2 binary (zip)”. The link should be “apache-log4j-2.XX-bin.zip”.
3. Download the zip file from the suggested link at the top of the page.
4. There are many files in the zip file. You will only need 3. Find and extract the following 3 files to the m-Power server:
   - log4j-1.2-api-2.XX.X.jar
   - log4j-api-2.XX.X.jar
   - log4j-core-2.XX.X.jar
5. On the m-Power server, stop Tomcat.
6. Go to /mrcjava/WEB-INF/lib.
7. Find and delete the existing log4j-1.X.X.jar file.
8. Copy the three previously extracted log4j jar files to:
   - /mrcjava/WEB-INF/lib
   - /mrcwebgui/WEB-INF/lib
9. Open a PC command line on the m-Power server.
10. Type
    cd C:\Program Files\mrc\development\m-power\tomcat\bin
    Note: Make sure this path is pointing to the correct m-Power installation.
11. Next, type
    tomcat9w //ES//TC9DEV
    where TC9DEV is the service name of Tomcat.
    Note: If using Tomcat 7, please change all references of 9 to 7.
12. A window will pop up. Switch to the Java tab.
13. Add the following line to the bottom of the Java Options window:
    -Dlog4j1.compatibility=true
14. Click OK.
15. Start Tomcat.
Repeat these steps for all installed instances of Tomcat.
Additional Notes
- Steps 9-14 are specific to a Windows server. If m-Power is installed on a Linux server, you will need to add the Java option from step 13 above to the \m-power\tomcat\bin\setenv.sh file.
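
A post-change check for the procedure above, as an added example that is not mrc's code: it confirms that each WEB-INF/lib directory holds the three Log4j 2 jars at one shared version with no log4j-1.X.X.jar left behind, and that setenv.sh carries the compatibility option. It assumes a POSIX shell (the Linux case in the note above), and the function names are hypothetical. The bridge jar's name also begins with "log4j-1.", so the check tells it apart from the legacy jar.

```shell
#!/bin/sh
# Added example, not mrc's code; function names are hypothetical.

# Inspect one WEB-INF/lib directory. Prints the shared Log4j 2 version and
# returns 0, or prints FAIL lines and returns 1.
check_log4j_lib() {
    dir=$1; bridge=; api=; core=; rc=0
    for jar in "$dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue             # glob matched nothing
        name=${jar##*/}; v=${name%.jar}
        # Order matters: the bridge jar log4j-1.2-api-<ver>.jar also starts with
        # "log4j-1.", so match it before the legacy log4j-1.X.X.jar pattern.
        case $name in
            log4j-1.2-api-*.jar) bridge=${v#log4j-1.2-api-} ;;
            log4j-api-*.jar)     api=${v#log4j-api-} ;;
            log4j-core-*.jar)    core=${v#log4j-core-} ;;
            log4j-1.*.jar)       echo "FAIL $dir: legacy jar present: $name"; rc=1 ;;
        esac
    done
    for pair in "log4j-1.2-api:$bridge" "log4j-api:$api" "log4j-core:$core"; do
        [ -n "${pair#*:}" ] || { echo "FAIL $dir: missing ${pair%%:*} jar"; rc=1; }
    done
    if [ "$rc" -eq 0 ] && { [ "$bridge" != "$api" ] || [ "$api" != "$core" ]; }; then
        echo "FAIL $dir: mixed versions: $bridge / $api / $core"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$api"
    return "$rc"
}

# Check every directory given (the two lib directories from the copy step) and
# require the same version in all of them.
check_log4j_swap() {
    first=; failed=0
    for d in "$@"; do
        if ver=$(check_log4j_lib "$d"); then
            [ -n "$first" ] || first=$ver
            [ "$ver" = "$first" ] || { echo "FAIL $d: $ver differs from $first"; failed=1; }
        else
            echo "$ver"; failed=1
        fi
    done
    return "$failed"
}

# Linux installs: true when the file (setenv.sh) sets the compatibility option
# on a line that is not commented out.
has_compat_flag() {
    grep -v '^[[:space:]]*#' "$1" | grep -qF -e '-Dlog4j1.compatibility=true'
}
```

Call check_log4j_swap with the two lib directories of each Tomcat instance (paths adjusted to the installation) before starting Tomcat, and has_compat_flag with that instance's setenv.sh.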