
xPlore - Log4J2 Security Patching 

The Log4j third-party component used by Documentum xPlore to keep a record of activity within the application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-44228. A threat actor could potentially exploit this vulnerability to remotely execute unauthorized code on systems running Documentum Server.

Version:
16.4, 16.7, 16.7.1, 20.2, 21.4

Resolution:

The log4j 2.x files are only used in the Contextual Content Engine (CCE) process. The CCE is a content recommendation system that adds contextual intelligence to the Documentum Server. CCE exposes its functionality as REST APIs. These REST APIs can be used by other Documentum software and custom applications to retrieve documents from the Documentum Server. For more information, please refer to the "OpenText™ Documentum™ Contextual Content Engine Installation and Administration Guide". Please contact getsupport@metasource.com for additional assistance.

If Contextual Content Engine (CCE) is deployed, follow the steps below:

  1. Download the latest available log4j 2.17.x jar files from Apache: https://logging.apache.org/log4j/2.x/download.html

  2. Take a backup of cce.war from the application server location where it is deployed (under $XPLORE_HOME/contextual-content/).

  3. Stop the xPlore server (all IndexAgents, PrimaryDsearch and CPS).

  4. Replace the existing log4j 2.9.0 jars (log4j-api-2.9.1.jar, log4j-core-2.9.1.jar, log4j-slf4j-impl-2.9.1.jar, log4j-web-2.9.1.jar) located in cce.war/WEB-INF/lib with the latest downloaded jars (log4j-api-2.17.x.jar, log4j-core-2.17.x.jar, log4j-slf4j-impl-2.17.0.jar and log4j-web-2.17.x.jar) by deleting the 2.9.1 jars from the cce.war file and adding the 2.17.x jars.

  5. Start the xPlore server (all IndexAgents, PrimaryDsearch and CPS).
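Steps 2 and 4 can be scripted and verified as in the following added example, which is not OpenText's or the original article's code. The function names `log4j_jars` and `swap_log4j` are hypothetical, and the script assumes xPlore is already stopped and that the replacement jars keep Apache's `log4j-<artifact>-<version>.jar` naming.

```python
import re, shutil, tempfile, zipfile
from pathlib import Path

# The four log4j 2.x artifacts the page lists under cce.war/WEB-INF/lib
LOG4J_JAR = re.compile(
    r"^WEB-INF/lib/(log4j-(?:api|core|slf4j-impl|web))-(\d+(?:\.\d+)+)\.jar$")
MIN_FIXED = (2, 17)  # the page asks for 2.17.x

def log4j_jars(war):
    """Map artifact name -> version tuple for the log4j jars inside the WAR."""
    with zipfile.ZipFile(war) as z:
        hits = (LOG4J_JAR.match(n) for n in z.namelist())
        return {m[1]: tuple(map(int, m[2].split("."))) for m in hits if m}

def swap_log4j(war, new_jar_dir):
    """Steps 2 and 4: back up the WAR, then rewrite it with replacement jars.
    Run only while xPlore is stopped. Returns (backup path, stale artifacts)."""
    war, old, new = Path(war), log4j_jars(war), {}
    for p in Path(new_jar_dir).glob("log4j-*.jar"):
        if m := LOG4J_JAR.match("WEB-INF/lib/" + p.name):
            new[m[1]] = p
    missing = sorted(set(old) - set(new))
    if missing:  # never leave the WAR without a jar it shipped with
        raise ValueError(f"no replacement jar for: {missing}")
    backup, tmp = war.with_name(war.name + ".bak"), war.with_name(war.name + ".tmp")
    if backup.exists():  # a rerun must not overwrite the original backup
        raise FileExistsError(backup)
    shutil.copy2(war, backup)
    with zipfile.ZipFile(backup) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():  # copy everything except the old log4j jars
            if not LOG4J_JAR.match(item.filename):
                dst.writestr(item, src.read(item.filename))
        for name in old:
            dst.write(new[name], "WEB-INF/lib/" + new[name].name)
    tmp.replace(war)
    stale = {a: v for a, v in log4j_jars(war).items() if v < MIN_FIXED}
    return backup, stale

if __name__ == "__main__":  # constructed demo: placeholder bytes, not real jars
    d = Path(tempfile.mkdtemp())
    names = ["log4j-api", "log4j-core", "log4j-slf4j-impl", "log4j-web"]
    with zipfile.ZipFile(d / "cce.war", "w") as z:
        for n in names:
            z.writestr(f"WEB-INF/lib/{n}-2.9.1.jar", b"old")
    (d / "new").mkdir()
    for n in names:
        (d / "new" / f"{n}-2.17.1.jar").write_bytes(b"new")
    print(swap_log4j(d / "cce.war", d / "new"), log4j_jars(d / "cce.war"))
```

An empty `stale` result means every log4j jar left in the WAR is at 2.17 or later; keep the `.bak` file until the restarted CCE has been checked.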

If CCE is neither deployed nor used, you can:

1. Remove the cce.war file.
2. Leave it as is: if CCE is neither used nor deployed, it is never called, so the log4j vulnerability will have no effect.
3. Perform the updates as above.

21.4 Docker images can be pulled from the OpenText registry using the tags below.

Docker/Kubernetes images include log4j 2.17, which addresses the critical vulnerability. Images with 2.17.1 are planned as part of the next release.

dctm-xplore-indexagent:21.4.0002_19397

dctm-xplore-cps:21.4.0002_19397

dctm-xplore-indexserver:21.4.0002_19397

dctm-xplore-cce:21.4.0002_19397

Docker images to be used for 20.2 release:
cce:20.2.0009_19397
indexagent:20.2.0009_19397
cps:20.2.0009_19397
indexserver:20.2.0009_19397

If xPlore is deployed separately (i.e., not as a single Helm chart with the client deployment), follow the instructions given in the "Documentum xPlore Cloud Deployment guide" for deployment/upgrade.

The above article was provided via OpenText and is being updated as needed. If you cannot reach it, please let us know at getsupport@metasource.com and we will provide you with an updated copy as well as update this KB Article. Below is the OT KBA:

https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0723850