...

  • Gateway 5.4.1 (Swarm 9, 10, 11) and earlier does not use log4j2; it installs log4j-1.2.17.jar and as a result is unaffected

  • Gateway 6.0.0+ (Swarm 10, 11, 12) should apply the workaround below

  • Gateway 7.5+ (Swarm 14) can apply the workaround below or upgrade to Gateway 7.7.1-2, released 2021-12-16 (in the Swarm-v14.0-20211216 bundle). That release updates log4j to 2.16.0, which resolves all known vulnerabilities.

The Gateway workaround involves two parts:

  1. You will need to upgrade your JRE on the Gateway servers. Under CentOS 7 you can upgrade to the latest JRE by issuing yum upgrade java-1.8.0-openjdk (which as of this writing should upgrade to 1.8.0_312). You can run java -version to confirm.

  2. Once your JRE is on the latest version, you will need to make the following change to the /etc/sysconfig/cloudgateway file:

    JAVA_EXTRA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

Once the above two changes are made on each of your Gateway servers, you must then restart the Gateway service with systemctl restart cloudgateway. After that, you can run some simple tests to make sure Gateway is functioning properly.
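
To confirm that the workaround from the two steps above actually took effect, a check along the following lines can be run on each Gateway server. This is an added example, not vendor-supplied code. It assumes a later JAVA_EXTRA_OPTS assignment in the file overrides an earlier one and that the service's main PID is the Gateway JVM; the script name verify-gateway.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): verify the log4j2 workaround on a Gateway host.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print the value of the last uncommented JAVA_EXTRA_OPTS assignment in file $1.
# Assumption: a later assignment overrides an earlier one when the file is read.
effective_opts() {
    sed -n 's/^[[:space:]]*JAVA_EXTRA_OPTS=//p' "$1" | tail -n 1 |
        sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Succeed only if option string $1 contains the flag as a complete argument,
# so "...=false" or a truncated flag does not pass.
has_flag() {
    for opt in $1; do
        if [ "$opt" = "$FLAG" ]; then return 0; fi
    done
    return 1
}

# $1 = sysconfig path: is the flag in the effective setting?
check_sysconfig() { has_flag "$(effective_opts "$1")"; }

# $1 = PID: is the flag on the running JVM's command line (NUL-separated)?
check_process() { has_flag "$(tr '\0' ' ' < "/proc/$1/cmdline")"; }

# Live check, run as: sh verify-gateway.sh --live
if [ "${1:-}" = "--live" ]; then
    if check_sysconfig /etc/sysconfig/cloudgateway; then
        echo "sysconfig: flag present"
    else
        echo "sysconfig: flag MISSING"
    fi
    # Assumption: the unit's MainPID is the Gateway JVM itself, not a wrapper.
    pid=$(systemctl show -p MainPID cloudgateway | cut -d= -f2)
    if [ "${pid:-0}" -gt 0 ] && check_process "$pid"; then
        echo "process $pid: flag active"
    else
        echo "process: flag NOT active (service stopped or not restarted?)"
    fi
fi
```

The process check is the one that matters after the restart: a correct file with a JVM that was never restarted still runs without the flag.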

...