
Steps for the deployment of the hotfix for Log4j 1.x vulnerabilities in Quark Publishing Platform

Background: Log4Shell-vulnerable jars were found, which may trigger false positives in vulnerability scanners. The hotfix below fixes this.

Applies to: Quark Publishing Platform 14.x (QPP)
Solution: Below are instructions to apply the hotfix in the Quark Publishing Platform.
 
  1. Stop QPP Server and ensure that no instances of QPP Server are running in Task Manager.
  2. Replace the old jar files with the new jar files:
    1. Navigate to the folder “[$Quark Publishing Platform Installation]\dependencies”. Example: C:\Program Files\Quark\Quark Publishing Platform\Server\dependencies
    2. Take a backup of the following jars present in “[$Quark Publishing Platform Installation]\dependencies”: log4j-1.2.17.jar, slf4j-api-1.7.2.jar and slf4j-log4j12-1.7.12.jar.
    3. Delete the following jars from the following locations:
        1. log4j-1.2.17.jar, slf4j-api-1.7.2.jar and slf4j-log4j12-1.7.12.jar from “[$Quark Publishing Platform Installation]\dependencies”.
        2. log4j-1.2.17.jar from “[$Quark Publishing Platform Installation]\Database\sqlserver\Update\lib”, if it exists.
        3. log4j-1.2.17.jar from “[$Quark Publishing Platform Installation]\Database\oracle\Update\lib”, if it exists.
    4. Copy the jar files below from the folder “Log4j_1.2.19_HotFix\Log4J_1.2.19” of the provided hotfix to the following locations:
        1. Copy reload4j-1.2.19.jar to “[$Quark Publishing Platform Installation]\dependencies”.
        2. Copy slf4j-api-1.7.35.jar to “[$Quark Publishing Platform Installation]\dependencies”.
        3. Copy slf4j-reload4j-1.7.35.jar to “[$Quark Publishing Platform Installation]\dependencies”.
        4. Copy reload4j-1.2.19.jar to “[$Quark Publishing Platform Installation]\Database\sqlserver\Update\lib”, if it exists.
        5. Copy reload4j-1.2.19.jar to “[$Quark Publishing Platform Installation]\Database\oracle\Update\lib”, if it exists.
  3. Modify wrapper.conf to reference the new versions of the log4j and slf4j jar files:
    1. Take a backup of wrapper.conf located at “[$Quark Publishing Platform Installation]\”. Example: C:\Program Files\Quark\Quark Publishing Platform\Server\wrapper.conf
    2. Edit wrapper.conf located at “[$Quark Publishing Platform Installation]\” and make the following replacements:
        1. Search for the text log4j-1.2.17.jar and replace it with reload4j-1.2.19.jar.
        2. Search for the text slf4j-api-1.7.2.jar and replace it with slf4j-api-1.7.35.jar.
        3. Search for the text slf4j-log4j12-1.7.12.jar and replace it with slf4j-reload4j-1.7.35.jar.
  4. Start QPP Server and verify that logging is taking place in the log files located in the “[$Quark Publishing Platform Installation]\log\” folder.
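
A post-hotfix check for the procedure above, as an added example that is not part of the original article or Quark's own tooling: it reports old jars left anywhere under the installation (including backup copies, which file-based scanners may still report), missing new jars, and stale wrapper.conf references. The `$Root` default is the article's example path, and reading "if it exists" as "if the lib folder exists" is an assumption.

```powershell
# Added example, not Quark's code. $Root defaults to the article's example
# install path (assumption); pass -Root to point at your installation.
param([string]$Root = 'C:\Program Files\Quark\Quark Publishing Platform\Server')

# Old -> new jar names, exactly as listed in the article.
$Replacements = [ordered]@{
    'log4j-1.2.17.jar'         = 'reload4j-1.2.19.jar'
    'slf4j-api-1.7.2.jar'      = 'slf4j-api-1.7.35.jar'
    'slf4j-log4j12-1.7.12.jar' = 'slf4j-reload4j-1.7.35.jar'
}
$OldJars  = @($Replacements.Keys)
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. No old jar may remain anywhere under the installation. This also lists
#    backups stored inside the tree, which file-based scanners may still report.
Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $OldJars -contains $_.Name } |
    ForEach-Object { $Findings.Add("Old jar present: $($_.FullName)") }

# 2. New jars must be in dependencies; reload4j also in each Database lib
#    folder that exists (assumed reading of the article's "if exists").
$Expected = @($Replacements.Values | ForEach-Object { Join-Path $Root "dependencies\$_" })
foreach ($db in 'sqlserver', 'oracle') {
    $Lib = Join-Path $Root "Database\$db\Update\lib"
    if (Test-Path -LiteralPath $Lib) { $Expected += Join-Path $Lib 'reload4j-1.2.19.jar' }
}
foreach ($jar in $Expected) {
    if (-not (Test-Path -LiteralPath $jar)) { $Findings.Add("New jar missing: $jar") }
}

# 3. wrapper.conf must name the new jars and none of the old ones.
$Conf = Join-Path $Root 'wrapper.conf'
if (-not (Test-Path -LiteralPath $Conf)) {
    $Findings.Add("wrapper.conf not found: $Conf")
} else {
    foreach ($old in $OldJars) {
        $new = $Replacements[$old]
        if (Select-String -LiteralPath $Conf -SimpleMatch -Pattern $old -Quiet) {
            $Findings.Add("wrapper.conf still references $old")
        }
        if (-not (Select-String -LiteralPath $Conf -SimpleMatch -Pattern $new -Quiet)) {
            $Findings.Add("wrapper.conf does not reference $new")
        }
    }
}

if ($Findings.Count -eq 0) { 'Hotfix layout verified.' } else { $Findings; exit 1 }
```

Run it after step 3 and before starting QPP Server; a non-zero exit code means at least one finding was printed.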

                          
  1. Priyanka Bhotika
