cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
firebiade2
Level 8
Report Inappropriate Content
Message 1 of 12

How to upgrade EPO to Log4j 2.15

So various versions of EPO seem vulnerable to Log4j and the solution is to "upgrade" log4j to 2.15. So I downloaded the zip and unzipped it to reveal a bunch of jar files. How do I actually go about doing the upgrade. Is it a painstaking process to match file names and replace files or do I just copy all these somewhere and reboot, et voila?

11 Replies
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 12

Re: How to upgrade EPO to Log4j 2.15

You cannot upgrade that in epo like that.  Any fix has to come via an update for epo specifically.  Please review KB below:

https://kc.mcafee.com/corporate/index?page=content&id=KB95091

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

firebiade2
Level 8
Report Inappropriate Content
Message 3 of 12

Re: How to upgrade EPO to Log4j 2.15

Oh I see, I was a bit mislead by:

"Apache has released Log4j 2.15.0 to address this vulnerability. McAfee Enterprise recommends applying this update to impacted systems and reviewing relevant Log4j configurations in your environment to identify potential workflows that might be subject to this vulnerability."

I will hang fire then until something is released.

cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 12

Re: How to upgrade EPO to Log4j 2.15

Yea, the wording is a little confusing.  Let me see if I can get that clarified.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

rgc
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 12

Re: How to upgrade EPO to Log4j 2.15

Hi,

We should not update the log4j, without the update from the engineering team.

but, for now, you can follow the workaround to update as per SB10377



ePO 5.10 CU11:
The version of Java used in ePO 5.10 CU 11 offers protection by preventing the remote code from being executed. To prevent a malicious actor from being able to download their code, disable lookups by Log4J. You can do this by modifying the startup parameters for ePO's JRE or by setting a system environmental variable.

How to edit ePO's JRE startup parameter:
NOTE: These steps only affect the JRE that ePO uses on the system where ePO is installed.

  1. Open the registry and navigate to this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV5100\Parameters\Java
     
  2. Add this line to the reg_multi_sz Options key:

    ‐Dlog4j2.formatMsgNoLookups=True
     
  3. Restart the ePO Server service (Tomcat).

How to set a system environmental variable:
NOTE: These steps will affect any JRE on the system where ePO is installed that adheres to this system environmental variable.

  1. Open an administrator command prompt.
  2. Run this command:

    setx /M LOG4J_FORMAT_MSG_NO_LOOKUPS "TRUE"
     
  3. Restart the ePO Application Server Service.

    NOTE: If you're concerned with multiple applications on the box possibly using Log4j, restart the server to make sure all relevant services are restarted.

McAfee Enterprise recommends you implement both mitigation steps above. Only one is required to remediate the issue. But, when set the JRE startup parameter will supersede the environmental variable. By default, ePO doesn't set this startup parameter. McAfee Enterprise hasn't seen any impact to ePO functionality through applying this mitigation.


Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!


Raghavendra GC - [RGC]
firebiade2
Level 8
Report Inappropriate Content
Message 6 of 12

Re: How to upgrade EPO to Log4j 2.15

Thanks I will give these a go.

JoseRR
Level 10
Report Inappropriate Content
Message 7 of 12

Re: How to upgrade EPO to Log4j 2.15

This workaround is not good anymore, neither the upgrade of Log4j to 2.15.0

 

It has to be 2.16.0, seen here

Log4j – Apache Log4j Security Vulnerabilities

 

Is McAfee aware of this?

 

aguevara
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 12

Re: How to upgrade EPO to Log4j 2.15

please open a request with support to get an answer to this one

cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 12

Re: How to upgrade EPO to Log4j 2.15

They are working on updating the security bulletin about this to include this type info and it may be released today.  Yes, we are aware of it and working on it.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 12

Re: How to upgrade EPO to Log4j 2.15

The fix has been released as a hotfix available in software manager.  This is only valid for cu11 and release notes contain the instructions for installing this.  They are also in KB95109.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community