Funnelback patch 15.0.0.11

  • Released: 2021-12-21

  • Applies to: v15.0.0

  • Internal reference: RNDSUPPORT-3466

Description

  • Upgrades log4j2 to version 2.17 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

Affected files

  • lib/java/all/funnelback-api-client-core.jar

  • lib/java/all/funnelback-collection-update.jar

  • lib/java/all/funnelback-common.jar

  • lib/java/all/funnelback-data-api-connector-padre.jar

  • lib/java/all/funnelback-jetty-extras.jar

  • lib/java/all/funnelback-mediator-core.jar

  • lib/java/all/funnelback-push-api-client.jar

  • lib/java/all/funnelback-push-core.jar

  • lib/java/all/funnelback-reporting-api-client.jar

  • lib/java/all/funnelback-social-media.jar

  • lib/java/all/funnelback-squizapi.jar

  • lib/java/all/funnelback-store.jar

  • lib/java/all/funnelback-warc-library.jar

  • lib/java/all/funnelback-wca-api-client.jar

  • lib/java/all/funnelback-wca-checker.jar

  • lib/java/all/log4j-1.2-api-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-1.2-api-2.17.0.jar

  • lib/java/all/log4j-api-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-api-2.17.0.jar

  • lib/java/all/log4j-core-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-core-2.17.0.jar

  • lib/java/all/log4j-iostreams-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-iostreams-2.17.0.jar

  • lib/java/all/log4j-jcl-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jcl-2.17.0.jar

  • lib/java/all/log4j-jul-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jul-2.17.0.jar

  • lib/java/all/log4j-slf4j-impl-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-slf4j-impl-2.17.0.jar

  • lib/java/all/log4j-web-2.4.1.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-web-2.17.0.jar

  • lib/java/all/publicui-core.jar

  • lib/java/all/publicui-form-converter.jar

  • web/server/funnelback-jetty-launcher.jar

  • web/webapps/funnelback-admin-api.war

  • web/webapps/funnelback-analystics.war

  • web/webapps/funnelback-data-api-restful-central.war

  • web/webapps/funnelback-mediator-endpoint-http.war

  • web/webapps/funnelback-publicui.war

  • web/webapps/funnelback-push-api.war

  • web/webapps/funnelback-redirector.war

  • web/webapps/funnelback-squizapi-server.war

  • web/webapps/funnelback-wca-reporter.war

Deployment

  • Stop the Jetty web server and the Funnelback daemon.

  • Deploy the provided files on top of an existing install for your operating system, backing up all replaced files.

  • (15.0.0.11) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.4.1.jar, lib/java/all/log4j-api-2.4.1.jar, lib/java/all/log4j-core-2.4.1.jar, lib/java/all/log4j-iostreams-2.4.1.jar, lib/java/all/log4j-jcl-2.4.1.jar, lib/java/all/log4j-jul-2.4.1.jar, lib/java/all/log4j-slf4j-impl-2.4.1.jar, lib/java/all/log4j-web-2.4.1.jar.

  • (15.0.0.11) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl - Please note that this will cause Funnelback services to be restarted.

  • Start the Jetty web server and the Funnelback daemon (if they weren’t already started by the previous step).

  • As patches are cumulative, apply deployment instructions from any previously unapplied patches.