There are two paths for this security mitigation
Patching the Log4j jar file
- Download the patched jar file: log4j-1.2.17-NoJMS-2.jar
- Remove the current log4j jar file from the /TOMCAT_HOME/webapps/ceg50-x/WEB-INF/lib/ sub-directory.
- The file will be named log4j-1.2.12.jar.
- Copy the patched jar file into your Transferology Connector install under the sub-directory /TOMCAT_HOME/webapps/ceg50-x/WEB-INF/lib/
- Example: apache-tomcat/webapps/ceg50-tomcat-22/WEB-INF/lib/log4j-1.2.17-NoJMS-2.jar
- You can review the /TOMCAT_HOME/webapps/ceg50-x/WEB-INF/classes/log4j.properties file to confirm the JMS Appender is not configured.
- Restart your webserver
Download the patched Transferology Connector
- First, create a copy of your cas4.properties and log4j.properties
- These are found in the /TOMCAT_HOME/webapps/ceg50-x/WEB-INF/classes directory
- Download the most recent Transferology Connector
- Connector Downloads
Uncompress war, add school specific properties, rebuild war
Note |
---|
title | Working Directory /tmp/ceg |
---|
|
Make sure your current directory is /tmp/ceg when you execute the jar xvf and jar cvf commands below. |
- cp ceg50-tomcat-23.war /tmp
- mkdir /tmp/ceg
- cd /tmp/ceg
- jar xvf /tmp/ceg50-tomcat-23.war
Replace WEB-INF/classes/cas4.properties with your existing CEG's cas4.properties; edit as necessary
- Replace WEB-INF/classes/log4j.properties with your existing CEG's log4j.properties; edit as necessary
- cd /tmp/ceg
- jar cvf /tmp/ceg50-tomcat-23.war *
- Replace the current Transferology Connector war file with the patched and updated version
- Remove your deployed ceg50-x war file from /TOMCAT_HOME/webapps/
- Copy ceg50-tomcat-23.war into the /TOMCAT_HOME/webapps/ directory.
- Start Tomcat if it is not already started
- Tomcat will automatically create the /TOMCAT_HOME/webapps/ceg50-tomcat-23/ directory structure