=============================================================================
Run Date: DEC 21, 2021                      Designation: MAG*3*326
Package : MAG - IMAGING                     Priority: EMERGENCY
Version : 3        SEQ #214                 Status: Released
                   Compliance Date: DEC 27, 2021
=============================================================================

Subject: LOG4SHELL VULNERABILITY REMEDIATION

Category:
  - Informational

Description:
============

This patch addresses the following issues:

Emergency Patch MAG*3*0*326 delivers updated Java components to address
security vulnerabilities in the Apache Log4j processes on affected
production CVIX and VIX servers. The Log4j components listed below will be
updated to version 2.17 via either an automated script or manual deployment
process that is included in the delivery package:

   log4j-api-2.17.0.jar
   log4j-core-2.17.0.jar
   log4j-slf4j-impl-2.17.0.jar

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type      File Name (Number)    New/Modified/Deleted
-------------      ----      ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------

Blood Bank Team Coordination:
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
(IMAG numbers are from VA Jira)

1. Defect (IMAG-2948): Resolve Java logging library log4j security
   vulnerability.
   a. Emergency Directive (ED) 22-02 Mitigate Apache Log4J Vulnerability

Problem:
--------
Prior to this change, Apache Tomcat Log4j contains security
vulnerabilities that require updates to resolve.

Resolution:
-----------
Deployment of this emergency patch will update Apache Log4j to version
2.17 and address all current security vulnerabilities.

Test Sites:
-----------
* Muskogee, OK
* Little Rock, AR

The host file (Kernel Installation and Distribution System (KIDS)) is
available at the following location:
N/A

Other Software Files:
This release also includes other software files. They can be obtained at
location: /srv/vista/patches/SOFTWARE

Other software files can also be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                               File Name
---------------------------------------- ------------------------------
VistA Imaging Exchange (VIX) Log4j       MAG3_0P326_Log4Shell_Patch.zip
Hotfix Patch*

*Note: The hotfix can be applied to both VIX and CVIX.

Documentation describing the new functionality is included in this
release. Documentation can be found on the VA Software Documentation
Library at: https://www.domain.ext/vdl/application.asp?appid=105.
Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                      File Name
--------------------------------------------------------------------------
Patch Description                        MAG3_0P326_PATCH_DESCRIPTION.PDF

Pre/Post Installation Overview:
-------------------------------
This patch must be installed by the compliance date. This patch may be
loaded while the VistA Imaging System is active. The installation takes
less than 5 minutes.

Pre-Installation Instructions:
------------------------------
This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5 minutes
to install.

Installation Instructions:
--------------------------
This hotfix can be applied via automated script or manually (see below):

Automated script steps:

1. Create a new folder:
   a. C:\temp\p326_Log4Shell_Patch
2. Extract the contents of the "MAG3_0P326_Log4Shell_Patch.zip" file to
   the folder created in step #1a ("C:\temp\p326_Log4Shell_Patch").
3. Run PowerShell as an administrator.
4. If prompted with "Do you want to allow the following program from an
   unknown publisher to make changes to this computer?", click Yes.
5. Once PowerShell launches, type the command:
      cd "C:\temp\p326_Log4Shell_Patch"
   Then press [ENTER] to change the working directory to this folder.
6. Type the command:
      .\p326_log4shell_patch.ps1
   And press [ENTER] to execute the automated script.
7. Answer yes by entering [Y] to each of the four questions that appear:
      Do you want to stop Tomcat
      Do you want to back up and remove files
      Do you want to add the fixed files
      Do you want to start Tomcat

   NOTE: Starting and stopping Tomcat can take several minutes and
   potentially over five minutes.

Manual steps:

1. Create two new folders:
   a. C:\temp\p326_Log4Shell_Patch
   b. C:\temp\p326_Log4Shell_Patch\Backup_yyyyMMdd_hhmm, where
      yyyyMMdd_hhmm is the current date and time
2. Extract the contents of the "MAG3_0P326_Log4Shell_Patch.zip" file to
   the folder created in step #1a ("C:\temp\p326_Log4Shell_Patch").
3. Stop the Tomcat service (Apache Tomcat 9.0 Tomcat9) in Windows
   Services. Wait for the Tomcat service to stop completely (this may
   take several minutes and potentially over five minutes).
4. Copy and paste (to create a backup of) the following three files
   located in the C:\Program Files\Apache Software Foundation\Tomcat
   9.0\lib folder to the folder created in step #1b
   ("C:\temp\p326_Log4Shell_Patch\Backup_yyyyMMdd_hhmm"):
   a. log4j-api-2.11.0.jar
   b. log4j-core-2.11.0.jar
   c. log4j-slf4j-impl-2.11.0.jar
5. Delete the following three files located in the C:\Program
   Files\Apache Software Foundation\Tomcat 9.0\lib folder:
   a. log4j-api-2.11.0.jar
   b. log4j-core-2.11.0.jar
   c. log4j-slf4j-impl-2.11.0.jar
6. Delete the following three files located in the C:\Program
   Files\Java\jre1.8.0_XXX\lib\ext folder (where XXX is either 251 or 291
   depending on the Java version installed):
   a. log4j-api-2.11.0.jar
   b. log4j-core-2.11.0.jar
   c. log4j-slf4j-impl-2.11.0.jar
7. Copy the following three files extracted from
   "MAG3_0P326_Log4Shell_Patch.zip" located in the bin folder within the
   folder created in step #1a ("C:\temp\p326_Log4Shell_Patch\bin") and
   paste these three files into the C:\Program Files\Apache Software
   Foundation\Tomcat 9.0\lib folder:
   a. log4j-api-2.17.0.jar
   b. log4j-core-2.17.0.jar
   c. log4j-slf4j-impl-2.17.0.jar
8. Copy the following three files extracted from
   "MAG3_0P326_Log4Shell_Patch.zip" located in the bin folder within the
   folder created in step #1a ("C:\temp\p326_Log4Shell_Patch\bin") and
   paste these three files into the C:\Program
   Files\Java\jre1.8.0_XXX\lib\ext folder (where XXX is either 251 or 291
   depending on the Java version installed):
   a. log4j-api-2.17.0.jar
   b. log4j-core-2.17.0.jar
   c. log4j-slf4j-impl-2.17.0.jar
9. Start the Tomcat service (Apache Tomcat 9.0 Tomcat9) in Windows
   Services. Wait for the Tomcat service to start completely (this may
   take several minutes).

Post-Installation Instructions
------------------------------
N/A

Back-out Procedures for MAG Routines
------------------------------------
N/A

Rollback, Back Out, or Uninstalling MAG*3.0*326
-----------------------------------------------
N/A

Routine Information:
====================
N/A

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : DEC 20, 2021
Completed By:                               Date Completed: DEC 21, 2021
Released By :                               Date Released : DEC 21, 2021
=============================================================================

Packman Mail Message:
=====================

No routines included
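
Added example (not part of the MAG3_0P326_Log4Shell_Patch.zip delivery and not the project's p326_log4shell_patch.ps1): a read-only PowerShell check that can be run after either installation method to confirm the end state the manual steps describe. The folder paths, jar names and Tomcat9 service name are taken from the steps above; the jre1.8.0_* wildcard used in place of "jre1.8.0_XXX" is an assumption.

```powershell
# Added post-install check; reads files and service state only, changes nothing.
# Paths, jar names and the Tomcat9 service name come from the manual steps.
# Assumption: jre1.8.0_* matches the installed "jre1.8.0_XXX" folder(s).
$expected = '2.17.0'
$jarNames = 'log4j-api', 'log4j-core', 'log4j-slf4j-impl'
$folders  = @('C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib')
$folders += Get-ChildItem 'C:\Program Files\Java' -Directory -Filter 'jre1.8.0_*' `
                -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'lib\ext' }

$problems  = @()
$inventory = @()
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        $problems += "Folder not found: $folder"
        continue
    }
    # Every Log4j jar in the folder, whatever its version.
    $jars = @(Get-ChildItem -LiteralPath $folder -Filter 'log4j-*.jar' -File)
    foreach ($jar in $jars) {
        $version = 'unknown'
        if ($jar.Name -match '^(log4j-.+?)-(\d+(\.\d+)+)\.jar$') { $version = $Matches[2] }
        if ($version -ne $expected) {
            $problems += "Version $version still present: $($jar.FullName)"
        }
        # Record a hash so the deployed files can be compared across servers.
        $inventory += [pscustomobject]@{
            Folder  = $folder
            Jar     = $jar.Name
            Version = $version
            SHA256  = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
        }
    }
    # All three replacement jars must be present in each folder.
    foreach ($name in $jarNames) {
        if ($jars.Name -notcontains "$name-$expected.jar") {
            $problems += "Missing $name-$expected.jar in $folder"
        }
    }
}

$svc = Get-Service -Name 'Tomcat9' -ErrorAction SilentlyContinue
if (-not $svc) { $problems += 'Service Tomcat9 not found' }
elseif ($svc.Status -ne 'Running') { $problems += "Tomcat9 is $($svc.Status), expected Running" }

$inventory | Format-Table -AutoSize
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All Log4j jars are at $expected and Tomcat9 is running."
```

A non-zero exit code means a 2.11.0 (or other non-2.17.0) jar remains, a 2.17.0 jar is missing from one of the two folders, or Tomcat did not come back up.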