...
Gateway 5.4.1 (Swarm 9, 10, 11) and earlier does not use log4j2; it installs log4j-1.2.17.jar and as a result is unaffected.
Gateway 6.0.0+ (Swarm 10, 11, 12) should apply the workaround below.
Gateway 7.5+ (Swarm 14) can apply the workaround below or upgrade to Gateway 7.7.1-2, released 2021-12-16 (in the Swarm-v14.0-20211216 bundle), which updates log4j to 2.16.0, which resolves all known vulnerabilities.
The Gateway workaround involves two parts:

You will need to upgrade your JRE on the Gateway servers. Under CentOS 7 you can upgrade to the latest JRE by issuing
yum upgrade java-1.8.0-openjdk
(which as of this writing should upgrade to 1.8.0_312). You can run
java -version
to confirm.

Once your JRE is on the latest version, you will need to make the following change to the
/etc/sysconfig/cloudgateway
file:
JAVA_EXTRA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

Once the above two changes are made on each of your Gateway servers, you must then restart the Gateway service with
systemctl restart cloudgateway
After that, you can run some simple tests to make sure Gateway is functioning properly.
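To confirm the workaround took effect on each server, the following added example (not from the original article or the vendor) checks that the last active JAVA_EXTRA_OPTS assignment in /etc/sysconfig/cloudgateway carries the flag and that the running process was actually started with it. The function names are hypothetical, and it assumes the service's main PID is the JVM itself rather than a wrapper script.

```bash
#!/bin/sh
# Added example: verify the log4j2.formatMsgNoLookups workaround on a Gateway server.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Return 0 if the LAST uncommented JAVA_EXTRA_OPTS assignment in the given
# sysconfig file contains the flag, 1 if it does not, 2 if the file is unreadable.
# A later assignment overrides an earlier one, so only the last one counts.
sysconfig_has_flag() {
    [ -r "$1" ] || return 2
    shf_line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?JAVA_EXTRA_OPTS=' "$1" | tail -n 1)
    [ -n "$shf_line" ] || return 1
    shf_value=${shf_line#*=}
    # Strip quotes and pad with spaces so the flag must match as a whole word.
    case " $(printf '%s' "$shf_value" | tr -d "\"'" | tr '\t' ' ') " in
        *" $FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the NUL-separated command line in the given file
# (for example /proc/<pid>/cmdline) carries the flag as its own argument.
cmdline_has_flag() {
    [ -r "$1" ] || return 2
    tr '\000' '\n' < "$1" | grep -Fxq -- "$FLAG"
}

# Run both checks against the live system; returns non-zero on any failure.
check_gateway() {
    cg_rc=0
    sysconfig_has_flag /etc/sysconfig/cloudgateway \
        || { echo "FAIL: flag not set in /etc/sysconfig/cloudgateway"; cg_rc=1; }
    # Assumption: MainPID of the cloudgateway unit is the Java process.
    cg_pid=$(systemctl show -p MainPID cloudgateway 2>/dev/null | cut -d= -f2)
    if [ -n "$cg_pid" ] && [ "$cg_pid" != 0 ]; then
        cmdline_has_flag "/proc/$cg_pid/cmdline" \
            || { echo "FAIL: process $cg_pid was started without the flag"; cg_rc=1; }
    else
        echo "FAIL: cloudgateway service is not running"; cg_rc=1
    fi
    [ "$cg_rc" -eq 0 ] && echo "OK: workaround active"
    return "$cg_rc"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--check" ]; then check_gateway; fi
```

Run it with `--check` as root after `systemctl restart cloudgateway`; a failure on the second check with a pass on the first usually means the service has not been restarted since the file was edited.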
...