
Steps for the deployment of the hotfix for Log4j 2.x vulnerabilities in QuarkXPress Server

Background: Log4Shell-vulnerable jars were found, which may trigger false positives in vulnerability scanners. The hotfix below fixes this.

Solution: Follow the instructions below to apply the hotfix in QuarkXPress Server (QXPS).
 
  1. Stop QXPS Server and ensure that no instances of QXPSServerRenderer.exe are running in the task manager.
  2. Replace the old Log4j files with the new Log4J-XXX-2.17.1.jar files:
    1. Navigate to the folder “[$QXPS Installation]\dependencies” (C:\Program Files\Quark\QuarkXPress Server XXXX\dependencies)
    2. Take a backup of all the *.jar files whose name starts with “log4j-”. For example, 4 files for QXPS 2018 and QXPS 2020: log4j-1.2-api-XXX.jar, log4j-api-XXX.jar, log4j-core-XXX.jar, log4j-jcl-XXX.jar; and 2 files for QXPS 2019: log4j-api-XXX.jar, log4j-core-XXX.jar
    3. Delete all the .jar files whose name starts with “log4j-”. For example, 4 files for QXPS 2018 and QXPS 2020: log4j-1.2-api-XXX.jar, log4j-api-XXX.jar, log4j-core-XXX.jar, log4j-jcl-XXX.jar and 2 files for QXPS 2019: log4j-api-XXX.jar, log4j-core-XXX.jar
    4. Copy the following jar files from the folder “Log4j_2.17_HotFix\Log4J_2.17” in the provided hotfix to the folder “[$QXPS Installation]\dependencies” as explained in step 1.
      For all QXPS versions (QXPS 2018 to QXPS 2020):
      - log4j-api-2.17.1.jar
      - log4j-core-2.17.1.jar
      For QXPS 2018 and QXPS 2020 only:
      - log4j-1.2-api-2.17.1.jar
      - log4j-jcl-2.17.1.jar
  3. Modify the file “wrapper.conf” to adhere to the new version of log4j jar files:
    1. Take a backup of the file wrapper.conf from “[$QXPS Installation]\” (C:\Program Files\Quark\QuarkXPress Server XXXX\wrapper.conf)
    2. Edit the file wrapper.conf in [$QXPS Installation]\ and then search and replace the following four instances of the log4j references:
      For all QXPS versions (QXPS 2018 to QXPS 2020):
      - Replace text - log4j-api-XXX.jar with log4j-api-2.17.1.jar
      - Replace text - log4j-core-XXX.jar with log4j-core-2.17.1.jar
      For QXPS 2018 and QXPS 2020 only:
      - Replace text - log4j-1.2-api-XXX.jar with log4j-1.2-api-2.17.1.jar
      - Replace text - log4j-jcl-XXX.jar with log4j-jcl-2.17.1.jar
  4. Start QXPS Server and verify that the server is creating logs in the log files in “[$QXPS Installation]\log\”.
    1. QXPS Log.log appears immediately after you have launched QXPS.
    2. QXPS Transaction Log.log appears when you send a publishing request to QXPS.
    3. QuarkXPress Server Fatal Log.log displays logs only when there is a fatal problem. For example, when you launch QXPS as an application while QXPS is already running as a service.
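
A consistency check for the end state of the jar replacement and the wrapper.conf edit, as an added example (not Quark's tooling): it reports any log4j jar in “dependencies” that is not 2.17.1 and any wrapper.conf reference that names an old or missing jar. The function name, the demo folder, the 0.0.0 version and the sample wrapper.conf lines are constructed assumptions; point -InstallDir at the real [$QXPS Installation] folder to check a server.

```powershell
# Added example, not part of the hotfix package.
function Test-QxpsLog4jHotfix {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,
        [string] $Expected = '2.17.1'   # version delivered by the hotfix
    )
    $problems = @()
    $deps = Join-Path $InstallDir 'dependencies'
    $jars = @(Get-ChildItem -Path $deps -Filter 'log4j-*.jar' | ForEach-Object { $_.Name })

    # 1. Every log4j jar left in "dependencies" must be the hotfix version.
    foreach ($jar in $jars) {
        if ($jar -notlike "*-${Expected}.jar") { $problems += "Old jar still present: $jar" }
    }

    # 2. Every log4j reference in wrapper.conf must name the hotfix version
    #    and a jar that actually exists in "dependencies".
    $conf = Get-Content -Raw -Path (Join-Path $InstallDir 'wrapper.conf')
    $refs = @([regex]::Matches($conf, 'log4j-[\w.\-]+?\.jar') |
              ForEach-Object { $_.Value } | Sort-Object -Unique)
    foreach ($ref in $refs) {
        if ($ref -notlike "*-${Expected}.jar") {
            $problems += "wrapper.conf still references: $ref"
        } elseif ($jars -notcontains $ref) {
            $problems += "wrapper.conf references a jar that is not in dependencies: $ref"
        }
    }
    return $problems   # empty result means both checks passed
}

# Constructed demo layout: one leftover jar and one stale wrapper.conf line.
$demo     = Join-Path ([IO.Path]::GetTempPath()) 'qxps-hotfix-demo'
$demoDeps = Join-Path $demo 'dependencies'
New-Item -ItemType Directory -Force -Path $demoDeps | Out-Null
'log4j-api-2.17.1.jar', 'log4j-core-2.17.1.jar', 'log4j-jcl-0.0.0.jar' |
    ForEach-Object { New-Item -ItemType File -Force -Path (Join-Path $demoDeps $_) | Out-Null }
@'
wrapper.java.classpath.1=dependencies/log4j-api-2.17.1.jar
wrapper.java.classpath.2=dependencies/log4j-core-0.0.0.jar
'@ | Set-Content -Path (Join-Path $demo 'wrapper.conf')

Test-QxpsLog4jHotfix -InstallDir $demo
```

Run it with QXPS stopped, after the wrapper.conf edit and before starting the server; a stale reference caught here is easier to fix than a server that starts without logging.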
  1. Priyanka Bhotika
