Patch critical security vulnerabilities (CVE-2021-44832, -45105, -45046, and -44228)

Analytics Exchange uses Apache Log4j. As a result, it is affected by the Log4j critical security vulnerabilities listed below:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105
  • CVE-2021-44832

This list of vulnerabilities has grown as previous patches were found to be incomplete. We have a patch that will mitigate all of the above vulnerabilities in Analytics Exchange immediately.

What is this patch?

This patch is an official release from Apache, Log4j's provider. It will mitigate CVE-2021-44832, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 in Analytics Exchange immediately.

Which versions of Analytics Exchange are vulnerable?

All versions of Analytics Exchange are affected. Regardless of which version you have installed, we recommend applying the patch or upgrade now.

The table below explains the upgrade paths for different versions of Analytics Exchange.

Version currently installed: Analytics Exchange 15.1.0

  Action: Manually patch version 15.1.0 using log4j-2.17.1-patch-ax.zip. Additional information and instructions continue below.

    Note

    Using the Analytics Exchange installer to upgrade from version 15.1.0 to 15.1.1 is not supported. Use the manual patch.

  Result: Analytics Exchange 15.1.0 patched, no need to upgrade to 15.1.1

Version currently installed: Analytics Exchange 14.x

  Action: Run the AX Server 15.1.1 installer (ACLAX1511_Server_<edition>.exe). If your organization also uses AX Engine Node, run the AX Engine Node 15.1.1 installer (ACLAX1511_EngineNode_<edition>.exe). For more information, see Upgrading AX Server.

  Result: Analytics Exchange upgraded to version 15.1.1

Version currently installed: Analytics Exchange 13

  Action: Contact Support for assistance.

    Note

    You cannot use the Analytics Exchange 15.1.1 installer to upgrade directly from version 13 to 15.1.1.


How to install the patch

You need to install the patch on the server where AX Server is installed. You must also install the patch on any additional server where AX Engine Node is installed.

To install the patch:

  1. Stop the AX Server Windows services.
  2. Replace the files that have the vulnerability.
  3. Delete the log files.
  4. Restart the AX Server Windows services.

Detailed instructions are below.

1. Stop the AX Server Windows services

  1. On the server where AX Server or AX Engine Node is installed, open the Services window from the Administrative Tools dialog box.
  2. In the list of services, right-click each service below and select Stop.

    Note

    You must stop the services in the following order:

    • Analytics Exchange Connector
    • ACL Analytics Exchange Service
    • Analytics Exchange Database (PostgreSQL installations only)

    AX Engine Node has only two of the three services listed above. It does not have the Analytics Exchange Database service.

2. Replace the files that have the vulnerability

For AX Server, you can install the patch manually or use the provided batch script.

For AX Engine Node you must use the manual method.

Batch script method

  1. Download this zipped folder to the server where AX Server is installed.

    The folder contains six *.jar files and a batch script.

  2. Unzip the folder to an easy location, like C:\temp\patch.
  3. Open a Windows command prompt. Administrator mode is not necessary.
  4. Switch to the folder you just created.

    For example, if you unzipped to C:\temp\patch, type:

    cd c:\temp\patch
  5. Run the batch script from the folder you created.
    • If AX Server was installed in its default location (C:\ACL\APP\Tomcat), type:
      .\do_replace.bat
    • If AX Server was installed somewhere else, specify the location in the command. For example, if AX Server is installed at D:\ACL\APP\Tomcat, type:
      .\do_replace.bat D:\ACL\APP\Tomcat

Manual method

  1. Download this zipped folder to the server where AX Server or AX Engine Node is installed. The folder contains six *.jar files.
  2. Unzip the folder.
  3. On the server, navigate to the Tomcat installation folder.

    The default location is C:\ACL\APP\Tomcat, but Tomcat might have been installed elsewhere.

  4. In the subfolders listed below, replace all *.jar files that have log4j in their name with the new versions of the files that you just downloaded. The new versions have 2.17.1 in the file name.

    Note

    To patch AX Engine Node, you need to replace only the *.jar files in C:\ACL\App\Tomcat\axlib. The other listed subfolders are not applicable for AX Engine Node.

    Subfolder: C:\ACL\App\Tomcat\axlib
    Action: Replace all six log4j *.jar files in the folder.

    Subfolder: C:\ACL\App\Tomcat\webapps\aclconfig\WEB-INF\lib
    Action: Replace log4j-slf4j-impl-<version>.jar with log4j-slf4j-impl-2.17.1.jar.

    Subfolder: C:\ACL\App\Tomcat\webapps\auditexchange\WEB-INF\lib
    Action: Replace all five log4j *.jar files in the folder.

    Note

    There is no log4j-jcl-<version>.jar file in this folder to replace.

    Subfolder: C:\ACL\App\Tomcat\webapps\gateway-backend\WEB-INF\lib
    Action: Replace log4j-slf4j-impl-<version>.jar with log4j-slf4j-impl-2.17.1.jar.

    Subfolder: C:\ACL\App\Tomcat\webapps\gateway\WEB-INF\lib
    Action: Replace all four log4j *.jar files in the folder.

    Note

    There are no log4j-slf4j-impl-<version>.jar or log4j-jcl-<version>.jar files in this folder to replace.

    Subfolder: C:\ACL\App\Tomcat\webapps\cas\WEB-INF\lib
    Action: Replace all five log4j *.jar files in the folder.

    Note

    There is no log4j-1.2-api-<version>.jar file in this folder to replace.

3. Delete the log files

Open the C:\ACL\App\Tomcat\logs folder and delete all of the log files it contains.

4. Restart the AX Server Windows services

  1. Open the Services window from the Administrative Tools dialog box.
  2. In the list of services, right-click each service below and select Start.

    Note

    You must start the services in the following order:

    • Analytics Exchange Database (PostgreSQL installations only)
    • ACL Analytics Exchange Service
    • Analytics Exchange Connector

    AX Engine Node has only two of the three services listed above. It does not have the Analytics Exchange Database service.

  3. Check the log files in C:\ACL\App\Tomcat\logs to ensure there are no errors.
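The following PowerShell script is an added example that automates the four manual steps above (stop services in order, replace the log4j jars in the listed subfolders, delete the logs, restart services in reverse order) and then checks that no log4j jar older than 2.17.1 is left anywhere under the Tomcat folder. It is not Diligent's or ACL's own script and is not the do_replace.bat shipped in the patch zip. Two things it assumes are not stated on the page: the Windows services are located by the display names the procedure lists, and $PatchDir is the folder holding the six unzipped 2.17.1 jars. The final verification pass is the check a practitioner would want after patching, and it goes slightly beyond the page by scanning every subfolder of Tomcat, not only the six listed.

```powershell
# Added example (not the vendor's script). Run in an elevated PowerShell on the AX Server
# or AX Engine Node host. Use -EngineNode on an Engine Node, which only has axlib to patch.
param(
    [string]$TomcatHome = 'C:\ACL\App\Tomcat',   # default install location from the page
    [string]$PatchDir   = 'C:\temp\patch',       # assumption: unzipped 2.17.1 jars live here
    [switch]$EngineNode
)
$ErrorActionPreference = 'Stop'
$Target = [version]'2.17.1'

# Subfolders from the table above; AX Engine Node has only axlib.
$Subfolders = if ($EngineNode) { @('axlib') } else {
    @('axlib',
      'webapps\aclconfig\WEB-INF\lib',
      'webapps\auditexchange\WEB-INF\lib',
      'webapps\gateway-backend\WEB-INF\lib',
      'webapps\gateway\WEB-INF\lib',
      'webapps\cas\WEB-INF\lib')
}
# Stop order from step 1 and start order from step 4. Display names are an assumption;
# the Database service exists only on PostgreSQL installations and is skipped if absent.
$StopOrder  = @('Analytics Exchange Connector', 'ACL Analytics Exchange Service', 'Analytics Exchange Database')
$StartOrder = @('Analytics Exchange Database', 'ACL Analytics Exchange Service', 'Analytics Exchange Connector')

function Set-AxServices([string[]]$DisplayNames, [ValidateSet('Stop','Start')][string]$Action) {
    foreach ($name in $DisplayNames) {
        $svc = Get-Service | Where-Object DisplayName -eq $name
        if (-not $svc) { Write-Host "  $name not present on this node, skipping"; continue }
        if ($Action -eq 'Stop') { Stop-Service $svc;  $svc.WaitForStatus('Stopped', '00:02:00') }
        else                    { Start-Service $svc; $svc.WaitForStatus('Running', '00:02:00') }
        Write-Host "  $name -> $Action"
    }
}

# Splits e.g. log4j-slf4j-impl-2.14.1.jar into artifact 'log4j-slf4j-impl' and version 2.14.1,
# so the replacement is always the same artifact at 2.17.1 (log4j-1.2-api-x.y.z.jar also parses).
function Split-JarName([string]$FileName) {
    if ($FileName -match '^(?<artifact>.+)-(?<ver>\d+(\.\d+)*)\.jar$') {
        return @{ Artifact = $Matches.artifact; Version = [version]$Matches.ver }
    }
    return $null
}

# Step 2: in each listed folder, replace every jar with log4j in its name by the 2.17.1 build
# of the same artifact. Only artifacts already present are replaced, which matches the notes
# above about artifacts that do not exist in some folders.
function Update-Log4jJars {
    foreach ($sub in $Subfolders) {
        $dir = Join-Path $TomcatHome $sub
        foreach ($old in Get-ChildItem -Path $dir -Filter '*log4j*.jar') {
            $parts = Split-JarName $old.Name
            if (-not $parts) { Write-Warning "unrecognised jar name: $($old.FullName)"; continue }
            $new = Join-Path $PatchDir "$($parts.Artifact)-$($Target).jar"
            if (-not (Test-Path $new)) { Write-Warning "no $Target build of $($parts.Artifact) in $PatchDir"; continue }
            Remove-Item $old.FullName
            Copy-Item $new -Destination $dir
            Write-Host "  $sub : $($old.Name) -> $(Split-Path $new -Leaf)"
        }
    }
}

# Verification: any log4j jar anywhere under Tomcat that is older than 2.17.1 or has a
# name this script cannot parse. An empty result is the expected outcome after patching.
function Get-StaleLog4jJars {
    Get-ChildItem -Path $TomcatHome -Recurse -Filter '*log4j*.jar' | Where-Object {
        $p = Split-JarName $_.Name
        (-not $p) -or ($p.Version -lt $Target)
    }
}

Write-Host '1. Stopping AX services';  Set-AxServices $StopOrder 'Stop'
Write-Host '2. Replacing log4j jars';  Update-Log4jJars
Write-Host '3. Deleting log files';    Remove-Item (Join-Path $TomcatHome 'logs\*') -Force -ErrorAction SilentlyContinue
Write-Host '4. Starting AX services';  Set-AxServices $StartOrder 'Start'

$stale = @(Get-StaleLog4jJars)
if ($stale.Count -gt 0) {
    $stale | ForEach-Object { Write-Warning "still below $Target : $($_.FullName)" }
    exit 1
}
Write-Host "All log4j jars under $TomcatHome are at $Target or newer."

# Mirrors the last manual step: look for errors in the freshly written logs after startup.
Start-Sleep -Seconds 30
Get-ChildItem -Path (Join-Path $TomcatHome 'logs') -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'ERROR|Exception' | Select-Object -First 20
```

Get-StaleLog4jJars can also be run on its own, before any change, to inventory which jars a node currently carries and to confirm afterwards that the replacement left nothing behind in a folder the table does not list.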

You may also need to patch Analytics

If you have Analytics Exchange installed, your organization is almost certainly using Analytics, the desktop application. Those installations of Analytics should also be patched or upgraded. For help, see the instructions to patch Analytics.