The Apache Log4j vulnerability affects the Log4j version included in DPC versions 18.2 to 19.5.0-6.
To resolve this issue, do the following steps:
- SSH into DPC as the admin user, then switch to the root user with su.
- Run the command:
- Copy the attached file pingfederate-log4j2-2.16.0-updates_csp_en_US_1.zip onto the DPC server under the /tmp directory, and extract it with the following command:
unzip pingfederate-log4j2-2.16.0-updates_int_en_US_1.zip
- Copy the attached script updateLog4jFiles_csp_en_US_1.sh, contained in the updateLog4jFiles_csp.7z archive, onto the DPC server under the /tmp directory.
- Set execute permissions on the script with the following command:
chmod +x updateLog4jFiles_csp_en_US_1.sh
- Run the script with the following command:
./updateLog4jFiles_csp_en_US_1.sh
If the script does not run or returns errors, update the files manually with the following steps:
- Change to the PingFederate library directory:
cd /usr/local/dpc/lib/sso/pingfederate/server/default/lib
- Copy the jar files extracted from the zip file into this location, for example:
cp -f /tmp/dist/pingfederate/server/default/lib/*.jar /usr/local/dpc/lib/sso/pingfederate/server/default/lib
- Set the ownership of the new jar files with the following commands:
chown admin:root /usr/local/dpc/lib/sso/pingfederate/server/default/lib/log4j*.jar
chown admin:root /usr/local/dpc/lib/sso/pingfederate/server/default/lib/disruptor.jar
- Set the permissions on the new jar files with the following commands:
chmod 654 /usr/local/dpc/lib/sso/pingfederate/server/default/lib/log4j*.jar
chmod 654 /usr/local/dpc/lib/sso/pingfederate/server/default/lib/disruptor.jar
- Run the command:
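
A post-update check for the manual steps above, added here as an example; it is not one of the steps, and not part of the attached script or the vendor procedure. It confirms that every jar staged under /tmp/dist was actually copied into the PingFederate lib directory byte for byte, and that log4j*.jar and disruptor.jar carry the owner and mode set above. The function name is hypothetical, and GNU stat and cmp are assumed to be present on the DPC server.

```shell
#!/bin/sh
# Added example (not vendor code): verify the manual jar update.
# Usage: verify_log4j_update [staged_dir] [installed_dir] [owner:group] [mode]
# Defaults are the paths, owner and mode used in the steps on this page.

verify_log4j_update() {
    local src="${1:-/tmp/dist/pingfederate/server/default/lib}"
    local dst="${2:-/usr/local/dpc/lib/sso/pingfederate/server/default/lib}"
    local want_owner="${3:-admin:root}"
    local want_mode="${4:-654}"
    local rc=0 found=0 jar name target owner mode

    for jar in "$src"/*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        found=1
        name=$(basename "$jar")
        target="$dst/$name"

        if [ ! -f "$target" ]; then
            echo "MISSING   $name"; rc=1; continue
        fi
        # Byte-for-byte comparison: catches a copy that silently failed
        # and left the old jar in place.
        if ! cmp -s "$jar" "$target"; then
            echo "DIFFERS   $name"; rc=1
        fi
        # The page prescribes owner and mode only for these jars.
        case "$name" in
            log4j*.jar|disruptor.jar)
                owner=$(stat -c '%U:%G' "$target")
                mode=$(stat -c '%a' "$target")
                [ "$owner" = "$want_owner" ] || { echo "OWNER     $name is $owner, expected $want_owner"; rc=1; }
                [ "$mode" = "$want_mode" ] || { echo "MODE      $name is $mode, expected $want_mode"; rc=1; }
                ;;
        esac
    done

    if [ "$found" -eq 0 ]; then
        echo "No jar files found in $src"; return 2
    fi
    [ "$rc" -eq 0 ] && echo "OK: installed jars match the staged update"
    return "$rc"
}
```

Source the file as root and call verify_log4j_update with no arguments to use the paths from this page; a non-zero return means at least one jar is missing, stale, or has the wrong owner or mode.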