May 20, 2022

CVE-2021-44228 Multiple eptos Releases Security Advisory – Apache Log4j2 not protected against attacker controlled LDAP and other JNDI related endpoints Skip to end of metadata

by ParWebAcc-1 in eptos™
Summary

CVE-2021-44228  – Apache Log4j2 <=2.14.1 not protected against attacker controlled LDAP and other JNDI related endpoints

Update Bulletin by 17.12.2021 15:00

Advisory Release Date 9th December 2021
Products
  • all eptos modules
  • eptos SearchEngine
Affected Releases eptos modules – all releases 5.3 – 6.1

eptos Search Engine 2.0 – 2.1

Fixed Releases
  • eptos 6.1.1
  • Search Engine 2.1.1
CVE ID CVE-2021-44228CVE-2021-45046
Issue ID

BASE-1388 – Vulnerability Log4Shell: Remote Code Execution on log4j2 – CVE-2021-44228 RESOLVED BASE-1393 – Vulnerability Bug CVE-2021-44228 in Apache Log4j 2.15.0 OPEN

Further information https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Overview

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true”.

Summary of Vulnerability

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default

eptos core is using impacted Log4j2 2.14 starting from Release 6.1

eptos APIs are using spring-boot that has a dependency to log4j-api 2.13 but by default the log4j2 part is not enabled (reference) – starting from Release 6.0

Since eptos is not using JNDI lookups,  Paradine recommends disabling JNDI lookup using the startup parameters  -Dlog4j2.formatMsgNoLookups=true

The deactivation of the JNDI lookup is a precautionary measure to avoid that 3rd party libraries entail Log4j2.

Software Fixes

  • eptos 6.0.1 updated to the unaffected release 2.15.0 of Log4j2
  • eptos 6.1.1 updated to the unaffected release 2.15.0 of Log4j2
  • eptos email collector 6.1.1 (latest, 2021) updated to the unaffected release 2.15.0 of Log4j2
  • eptos Search Engine 2.1.1, will be updated to latest 2.15.0 of Log4j2

What you need to do

  • Paradine recommends that you upgrade to the latest Long Term Support release eptos 6.1.1.
  • Paradine recommends that you upgrade to the latest Long Term Support release Search Engine 2.1.1.
  • Please consult your Solution Manager

Mitigation

For mitigation you can

  • change startup parameters of programs impacted releases by adding  -Dlog4j2.formatMsgNoLookups=true where the JVM arguments are defined (e.g. in eptos-config map or under deployment for the pod itself)
  • restart the system
  • for microservices the sustaining way of fixing is installing new releases of API containers

Support

  • If you have questions or concerns regarding this advisory, check support@paradine,at and add CVE-2021-44228 or CVE-2021-45046 to your issue description.

Leave a Reply

Your email address will not be published. Required fields are marked *