On December 9th, 2021, an exploit was discovered in the widely used Apache Log4j logging libraries. The underlying bug is a Remote Code Execution (RCE) vulnerability. Log4j is widely used in Java-based enterprise applications and cloud services across verticals and institutions worldwide. Mango also uses this package.
Following the publication of this information by Apache, Radix has produced two high-priority security updates:
• 4.2.4, an update to the 4.2 series of Mango.
• 3.7.9, an update to the legacy 3.7 series of Mango.
All customers, especially those with public IP-facing connections, should upgrade immediately to mitigate the risk of this exploit.
For customers who are unable to upgrade to these newest versions for technical reasons, there is a manual alternative below; follow the steps for your version.
Further public information on this exploit can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Version: Mango 4.0+
Linux Environments
If you are starting Mango via start-mango.sh or our supplied systemd mango.service file:
- If you do not have start-options.sh in your data directory:
  - Copy start-options.sh from the Mango installation directory to your data directory
- Edit start-options.sh and add the following line:
MA_JAVA_OPTS="$MA_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
- Restart Mango
Verify that Mango loaded your start-options.sh file and the java process was started with the -Dlog4j2.formatMsgNoLookups=true option:
ps aux | grep java
If you are not using Mango's supplied start-mango.sh or mango.service file to start Mango:
- Set the Java system property log4j2.formatMsgNoLookups=true. This is done by passing the following argument to java: -Dlog4j2.formatMsgNoLookups=true
- Restart Mango
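A stricter form of the verification step above, as an added example that is not Radix's own code: it reports whether the property appears among the JVM options with the value true, because an argument placed after the jar or main class is handed to the application and sets no system property. The function names, jar names and class names are constructed for illustration, and only the value-taking options listed in the code (-cp and similar) are recognised.

```shell
#!/bin/sh
# Added example, not Radix code. Classifies a java command line by whether the
# advisory's mitigation property is really passed as a JVM option.
PROP='-Dlog4j2.formatMsgNoLookups'

# check_java_args ARG...  (the process arguments, java binary first). Prints:
#   ok           property given as "=true" among the JVM options
#   wrong-value  property present there with any other value, or no value
#   missing      absent, or placed after the jar/main class, where java
#                passes it to the application and no system property is set
check_java_args() (
    state=missing skip=0
    [ "$#" -gt 0 ] && shift                 # drop argv[0], the java binary
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            "$PROP=true") [ "$state" = wrong-value ] || state=ok ;;
            "$PROP"|"$PROP="*) state=wrong-value ;;   # conflicting copies are reported
            -cp|-classpath|--class-path|-p|--module-path) skip=1 ;;  # value follows
            -jar) break ;;                  # jar name, then application arguments
            -*) ;;                          # some other JVM option
            *) break ;;                     # main class: JVM options end here
        esac
    done
    printf '%s\n' "$state"
)

# check_cmdline_file FILE: same check on a NUL-separated argument list, the
# format of /proc/<pid>/cmdline on Linux (arguments containing newlines are
# not supported by this simplified reader).
check_cmdline_file() (
    file=$1
    set --
    while IFS= read -r word; do
        set -- "$@" "$word"
    done <<EOF
$(tr '\000' '\n' < "$file")
EOF
    check_java_args "$@"
)

# Constructed sample command lines (jar and class names are made up).
check_java_args java -Dlog4j2.formatMsgNoLookups=true -jar app.jar    # ok
check_java_args java -jar app.jar -Dlog4j2.formatMsgNoLookups=true    # missing
check_java_args java -Dlog4j2.formatMsgNoLookups=false -cp lib/x.jar example.Main  # wrong-value
```

On Linux, `check_cmdline_file /proc/<pid>/cmdline` runs the same check against a live java process.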
Windows Environments
- Ensure the java property log4j2.formatMsgNoLookups is set to true. This is done by adding -Dlog4j2.formatMsgNoLookups=true to the Java command that starts Mango.
- Restart Mango
Version: Mango 3.6-3.7
Linux Environments
The fix depends on how Mango is started. By default, Mango uses the ma.sh start command. If you are using this command:
- Add an extension to the bin/ext-enabled folder that is an executable file with this content:
#!/bin/bash
case "$1" in
    init)
        # Disable lookups during message formatting
        JAVAOPTS="$JAVAOPTS -Dlog4j2.formatMsgNoLookups=true"
        ;;
esac
- Restart Mango
Windows Environments
- Ensure the java property log4j2.formatMsgNoLookups is set to true. This is done by adding -Dlog4j2.formatMsgNoLookups=true to the Java command that starts Mango.
- Restart Mango
If you have questions, please contact Radix IOT customer support at support@radixiot.com