2022-01-19 07:06 AM
RSA recently released the announcement of patch upgrade v11.6.1.3 which is a patch for the Log4j library within the NetWitness platform. We are currently on v11.6.1.0 but do we need to upgrade to v11.6.1.3 if we have already performed the below patch released back in December for the Log4j vulnerability:
Mitigation Steps:
In order to mitigate this in affected NetWitness deployments, NetWitness administrators should perform the following:
On the NetWitness Admin Server Host, append the switches "-Dlog4j2.formatMsgNoLookups=true" & "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false" to JAVA_OPTS for the following configuration files:
/etc/netwitness/admin-server/admin-server.conf (also update the same in /var/netwitness/config-management/cookbooks/launch/rsa-admin-server/templates/default/admin-server.conf.erb)
/etc/netwitness/security-server/security-server.conf (also update the same in /var/netwitness/config-management/cookbooks/launch/rsa-security-server/templates/default/security-server.conf.erb)
For jetty, the switches can be appended to JAVA_OPTIONS for the following:
/etc/default/jetty (please edit jetty.user, if this is already in use for overrides)
After performing these actions, restart jetty, admin-server and security-server as follows:
systemctl restart jetty
systemctl restart rsa-nw-admin-server
systemctl restart rsa-nw-security-server
Please advise. Thanks.
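One way to confirm that the two switches from the mitigation steps above are present in a given file, as an added example that is not part of the original post and is not RSA/NetWitness code. It assumes each variable (JAVA_OPTS, or JAVA_OPTIONS for jetty) is assigned on a single non-comment line; the function name `check_flags` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA/NetWitness code: verify the two mitigation switches.
# Assumption: the variable is assigned on one non-comment line, e.g. JAVA_OPTS="...".

# check_flags FILE VAR
# Returns 0 if both switches are on an active VAR assignment, 1 if any is
# missing, 2 if FILE cannot be read.
check_flags() {
  cf_file=$1; cf_var=$2; cf_rc=0
  [ -r "$cf_file" ] || { echo "UNREADABLE $cf_file"; return 2; }
  # Active lines only: a leading '#' fails the match, so a commented-out
  # assignment does not count as applied.
  cf_active=$(grep -E "^[[:space:]]*(export[[:space:]]+)?${cf_var}[[:space:]]*\+?=" "$cf_file" || true)
  for cf_sw in \
    "-Dlog4j2.formatMsgNoLookups=true" \
    "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false"
  do
    if ! printf '%s\n' "$cf_active" | grep -qF -- "$cf_sw"; then
      echo "MISSING $cf_file ($cf_var): $cf_sw"
      cf_rc=1
    fi
  done
  [ "$cf_rc" -ne 0 ] || echo "OK $cf_file ($cf_var)"
  return "$cf_rc"
}

# Demo on constructed sample files (not real NetWitness configs).
demo_dir=$(mktemp -d)
printf '%s\n' 'JAVA_OPTS="-Xmx2g -Dlog4j2.formatMsgNoLookups=true -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false"' \
  > "$demo_dir/good.conf"
# Second sample: one switch only on the active line, plus a commented-out line.
printf '%s\n' '#JAVA_OPTS="-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false"' \
  'JAVA_OPTS="-Xmx2g -Dlog4j2.formatMsgNoLookups=true"' > "$demo_dir/partial.conf"
check_flags "$demo_dir/good.conf" JAVA_OPTS || true      # reports OK
check_flags "$demo_dir/partial.conf" JAVA_OPTS || true   # reports one MISSING switch
rm -rf "$demo_dir"
```

On the Admin Server host it would be called as `check_flags /etc/netwitness/admin-server/admin-server.conf JAVA_OPTS` or `check_flags /etc/default/jetty JAVA_OPTIONS`. The check reads the file only; the services still have to be restarted as described in the steps for the switches to reach the running JVMs.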
2022-01-24 11:40 PM
Hello Dwayne,
The patched version of NetWitness should be considered a more complete solution than just using the mitigation measures.
2022-01-25 07:05 AM