How to mitigate the Log4j vulnerability on your Fastvue Reporter server

Update – 14th February 2022: If your vulnerability scanner is detecting the log4j-core-*.jar file, you may be able to resolve the issue by deleting the problematic class files within this .jar file. We’ve had confirmation that this process works for the Nessus Vulnerability Assessment tool.

To do this:

1. Install 7Zip: https://www.7-zip.org/download.html

2. In Fastvue Reporter, go to Settings | Data Storage and note the data location.

3. Stop the Fastvue Reporter service in services.msc

4. Open a cmd prompt in administrator mode, and cd to the Data.elastic\lib folder within the data location. For example, if you’re using Fastvue Reporter for SonicWall:

   e.g> cd "C:\ProgramData\Fastvue\Reporter for SonicWall\Data.elastic\lib"

5. Then enter:

   for /R %f in (*log4j-core*.jar) do "C:\program Files\7-Zip\7z" d "%f" org/apache/logging/log4j/core/lookup/JndiLookup.class

   The result should look like:

   Open archive: C:\ProgramData\Fastvue\Reporter for SonicWall\Data.elastic\lib\log4j-core-2.11.1.jar
   --
   Path = C:\ProgramData\Fastvue\Reporter for SonicWall\Data.elastic\lib\log4j-core-2.11.1.jar
   Type = zip
   Physical Size = 1607947
   Updating archive: C:\ProgramData\Fastvue\Reporter for SonicWall\Data.elastic\lib\log4j-core-2.11.1.jar
   Delete data from archive: 1 file, 2937 bytes (3 KiB)
   Keep old data in archive: 75 folders, 1073 files, 3528327 bytes (3446 KiB)
   Add new data to archive: 0 files, 0 bytes
   Files read from disk: 0
   Archive size: 1606391 bytes (1569 KiB)
   Everything is Ok

Update – 29th Decmeber 2021: We have publicly released a new build for all Fastvue Reporter applications that starts Elasticsearch with the JVM property that mitigates the Log4J vulnerability in Elasticsearch 5.6.14 (the version that Fastvue Reporter uses). Please see our release notes page for information and download URLs.

We are unable to update the version of Elasticsearch used in Fastvue Reporter at this point in time due to compatibility and performance reasons, so Fastvue Reporter will, unfortunately, continue to trigger vunerability scanners. However if you update to our latest version, and you also add the environment variable described in the article below, the vulnerability will be mitigated as per the advice from Elastic.

Updating the version of Elasticsearch used by Fastvue Reporter is on our longer-term roadmap, but we cannot provide an ETA at this point in time.

Update – 20th Decmeber 2021: Elastic have now confirmed that the version of Elasticsearch used by Fastvue Reporter (5.6.14) does not use the Java Security Manager mentioned in the update below. This means you must follow the steps below to add the environment variable and restart the Fastvue Reporter service. This starts Elasticsearch with the JVM property that mitigates the vulnerability. Fastvue will release an update soon that launches Elasticsearch with the JVM property by default.

Update – 12th December 2021: Elastic have since downgraded the issue saying”Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager” which is good news:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

However, we still recommend adding the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to your servers. Especially if you have other services installed that could also be using log4j under the hood. There are many of them out there!

But at this stage, it looks like running Fastvue Reporter, even without the environment variable is very low risk.

If you’re in the infosec space, you have no doubt heard about the Log4j vulnerability that is setting the internet on fire right now.

Fastvue Reporter uses Elasticsearch as its database, which uses Log4j for its own diagnostic logging.

Elastic is currently investigating the issue and we will update Fastvue Reporter asap, but in the meantime, we recommend adding an environment variable to your Fastvue Server in order to mitigate the vulnerability.

To do this:

1. Log into the server running Fastvue Reporter

2. Right-click the Start button and select System.

3. In the Settings window that appears, under Related Settings, click System Info.

4. In the System window that appears, on the left side, click Advanced system settings.

5. In the System Properties dialog that appears, under the Advanced tab, click the Environment Variables… button.

6. In the Environment Variables dialog, under System variables, click New…

7. Set Variable name to LOG4J_FORMAT_MSG_NO_LOOKUPS

8. Set Variable value to true

9. Click OK on each dialog until you’re back to the System window, which can now be closed.

10. Restart the Fastvue Reporter service in services.msc. This in turn restarts the Elasticsearch service and initializes log4j with the new environment variable.

This short video shows how to mitigate the Log4j vulnerability on Windows servers running Fastvue Reporter.

Please follow these steps as soon as possible to avoid the Log4j vulnerability causing issues in your infrastructure.

We will update this article when a patch for Fastvue Reporter is available.

To stay updated with Fastvue’s product and security updates, keep an eye on our Release Notes, subscribe to our mailing list making sure you check the Product Updates & News checkbox, and/or follow us on LinkedIn, Twitter or Facebook.