
Steps to remediate Log4j 2 CVE-2021-44228 & CVE-2021-45046 without upgrade

While the following steps mitigate the vulnerability reported as CVE-2021-44228 and CVE-2021-45046, staying on an older version leaves you vulnerable to other CVEs that have been addressed since then. We therefore recommend upgrading to the latest software version.

If you are not able to upgrade to iGrafx Platform 17.8.3.832.3680 or newer to remediate https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://nvd.nist.gov/vuln/detail/CVE-2021-45046, and your platform version is at least 16.2, follow these steps:

  1. Find your iGrafx Platform installation directory.

  2. Navigate to the folder apache-tomcat-x.x.xx\igrafx\iGrafxWebApp\WEB-INF\lib

  3. Locate the file log4j-core-2.5.jar (version number may differ) and rename it to log4j-core-2.5.zip

    If you cannot rename the file, make sure that File name extensions are enabled.

  4. Extract the file to a directory.

  5. Navigate to the folder org\apache\logging\log4j\core\lookup and delete the file JndiLookup.class

  6. Go back to the root folder and re-ZIP the library by selecting all 6 folders/files, then right-click and select Send to → Compressed (zipped) folder

  7. Rename the resulting ZIP file back to log4j-core-2.5.jar

  8. Move the log4j-core-2.5.jar file back into the apache-tomcat-x.x.xx\igrafx\iGrafxWebApp\WEB-INF\lib folder and delete your temporarily unzipped folder.

  9. Delete the log4j-core-2.5.zip file in that same folder.

  10. Restart your platform
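
A scripted equivalent of steps 3 to 9 with a built-in verification, shown here as an added example that is not iGrafx-supplied code: it removes the `JndiLookup.class` entry from every `log4j-core-*.jar` in the lib folder in place and then reopens each jar to confirm the entry is gone. The parameter names `$LibDir` and `$BackupDir` and the `.orig` backup suffix are assumptions of this example; if the jar is in use, stop the platform before running it.

```powershell
# Added example, not iGrafx code. $LibDir / $BackupDir are hypothetical parameter
# names; pass your own ...\igrafx\iGrafxWebApp\WEB-INF\lib path and a backup folder.
param(
    [Parameter(Mandatory)] [string] $LibDir,
    [Parameter(Mandatory)] [string] $BackupDir   # keep this outside the Tomcat tree
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

# JAR (ZIP) entry names always use forward slashes, even on Windows.
$entryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Test-JndiLookupPresent([string] $JarPath) {
    # Opens the jar read-only and reports whether the class entry exists.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        return [bool]($zip.Entries | Where-Object { $_.FullName -eq $entryName })
    } finally { $zip.Dispose() }
}

$jars = @(Get-ChildItem -Path $LibDir -Filter 'log4j-core-*.jar' -File)
if ($jars.Count -eq 0) { throw "No log4j-core-*.jar found in $LibDir" }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($jar in $jars) {
    if (-not (Test-JndiLookupPresent $jar.FullName)) {
        Write-Output "$($jar.Name): JndiLookup.class already absent"
        continue
    }
    # Keep the untouched original outside WEB-INF\lib so no vulnerable copy stays there.
    Copy-Item -Path $jar.FullName -Destination (Join-Path $BackupDir "$($jar.Name).orig")

    $zip = [System.IO.Compression.ZipFile]::Open($jar.FullName, 'Update')
    try {
        # Materialize the matches first; deleting while enumerating Entries would throw.
        @($zip.Entries | Where-Object { $_.FullName -eq $entryName }) |
            ForEach-Object { $_.Delete() }
    } finally { $zip.Dispose() }   # Dispose writes the modified archive back to disk

    # Verify by reopening the jar rather than trusting the delete call.
    if (Test-JndiLookupPresent $jar.FullName) {
        throw "$($jar.Name): JndiLookup.class is still present"
    }
    Write-Output "$($jar.Name): JndiLookup.class removed; original saved in $BackupDir"
}
```

Running the script a second time is a quick post-change check: every jar should report that the class is already absent. Step 10 (restart) still applies afterwards.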

Info: 

Removing that class has no negative impact, as the platform does not use that functionality.