Log4j2 CVE-2021-44228 'LogShell' vulnerability

A new vulnerability was found today that affects log4j2, a library that is used for writing output logs in Rhythmyx and PercussionCMS. More info can be found through the links below:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Affected versions are below:


Rhythmyx (version 7.3.2)

A formal Rhythmyx 7.3.2 patch is available for download from the Support Portal that includes Log4j2 2.17.1. This version mitigates several Log4j2 related CVE’s including Log Shell.


Percussion CM1 (version 5.3)

  1. Download and install the latest 5.3 patch from the link below
    https://support.percussion.com/hc/en-us/articles/115000153043-Percussion-CM1-5-3-Service-Release-1-Updated-6-16-2020

  2. Follow the instructions in the readme from the link below
    https://s3.amazonaws.com/cdn.percussion.com/downloads/cm1/5.3.15/hot/log4j2-update-5315_20200527.zip

Note: The link will download the 2.12.2 JAR files. For the latest updates, you can download the version 2.12.4 JARs from the apache site below
https://logging.apache.org/log4j/2.x/download.html


Percussion CMS (version 8.0.2)

Make sure to shut down the PercussionCMS, PercussionProductionDTS and PercussionStagingDTS services if any of them are running

  1. Download the log4j2-update-8.0.2.10.65.zip from the link below
    https://s3.amazonaws.com/cdn.percussion.com/downloads/percussioncms/release/8.0.2.10/log4j2-update-8.0.2.10.65.zip

Note: The link will download the 2.17.0 JAR files. For the latest updates, you can download the version 2.17.1 JARs from the apache site below
https://logging.apache.org/log4j/2.x/download.html

  1. Extract the log4j2-update folder into your Percussion root folder
    e.g C:\Percussion\log4j2-update
  2. Open the command prompt as administrator
  3. Navigate to the log4j2-update folder
C:
cd C:\Percussion\log4j2-update
  1. Run update.cmd (update.sh on Linux) and wait for the process to finish
update.cmd

You may see this message printed a few times The system cannot find the path specified.- the script searches for log4j jar files and removes them if they are present.

Note: If the Percussion DTS installation is on another server or a different folder, repeat these steps for that installation

You can verify that the new jar files were added by checking the folders below. Make sure the “log4j” jar files under the downloaded folders are in the image below - each folder may not necessarily contain all of the jars.
image

Percussion CMS install
(assuming Percussion is installed in C: drive)
C:\Percussion\jetty\defaults\lib\perc
C:\Percussion\jetty\defaults\lib\perc-logging\

Production DTS install
C:\Percussion\Deployment\Server\log4j2\lib
C:\Percussion\Deployment\Server\webapps\ROOT\WEB-INF\lib
C:\Percussion\Deployment\Server\webapps\perc-common-ui\WEB-INF\lib

Staging DTS install
C:\Percussion\Staging\Deployment\Server\log4j2\lib
C:\Percussion\Staging\Deployment\Server\webapps\ROOT\WEB-INF\lib
C:\Percussion\Staging\Deployment\Server\webapps\perc-common-ui\WEB-INF\lib