Are we safe from log4j vulnerability

rocketman

As the subject says. Don’t know much about Java-out of my depth - here but I just received an alert from the wordfence people (worfence protects my Wordpress sites)

karelh

Hi all,

Some good information on it. I trust support will have a look at it to see if we are vulnerable and hopefully release an update with the new version. We are busy running vulnerability scans now to confirm.

https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/

himanshu

Yes, We also looking into this and upgrading the necessary jars files. It looks like aware currently shipping a quite old version (1.2) and we are upgrading our system with latest 2.15 (which include this bug fix too).

there are two jars which need to placed under lib folder.

log4j-api-2.15.0.jar
log4j-core-2.15.0.jar

and remove the old one log4j1.2.jar

Hopefully, In future aware will bundle latest jars must be updated.

Jaymer

applies to us ONLY if this is true?

"According to Apache’s advisory, all Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled."

1) Himanshu said we are Version 1.2. So we are not even using an Affected version?
2) Do we know if this even applies to our aware installs? It also says this:
"According to a translated technical blog post, JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector."

So easy instructions posted here should tell us how to easily check which JDK is installed. It may not affect us.

himanshu

Latest AwareIM version uses Java 12.x and I do not found any harm to be updated with latest lib.

Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.

aware_support

We do not think that this vulnerability affects Aware IM applications, but to be safe we will be testing Aware IM with the new version. If everything is OK we will include the new library in the official distribution.

In the meantime feel free to replace the old jar manually as Himanshu suggests.

himanshu

Might be useful to read..

Update: since August 2015, Log4j 1.x is officially End of Life and it is recommended to upgrade to Log4j 2. Update 2: Log4j 1.2 is broken in Java 9.

Community support: Log4j 1.x is not actively maintained, whereas Log4j 2 has an active community where questions are answered, features are added and bugs are fixed.

Async Loggers - performance similar to logging switched off

Custom log levels

Automatically reload its configuration upon modification without losing log events while reconfiguring.

Java 8-style lambda support for lazy logging

Log4j 2 is garbage-free (or at least low-garbage) since version 2.6

Filtering: filtering based on context data, markers, regular expressions, and other components in the Log event. Filters can be associated with Loggers. You can use a common Filter class in any of these circumstances.

Plugin Architecture - easy to extend by building custom components

Supported APIs: SLF4J, Commons Logging, Log4j-1.x and java.util.logging

Log4j 2 API separate from the Log4j 2 implementation. API supports more than just logging Strings: CharSequences, Objects and custom Messages. Messages allow support for interesting and complex constructs to be passed through the logging system and be efficiently manipulated. Users are free to create their own Message types and write custom Layouts, Filters and Lookups to manipulate them.

Concurrency improvements: log4j2 uses java.util.concurrent libraries to perform locking at the lowest level possible. Log4j-1.x has known deadlock issues.

Configuration via XML, JSON, YAML, properties configuration files or programmatically.

Be aware

log4j2.xml and log4j2.properties formats are different from the Log4j 1.2 configuration syntax
Log4j 2 is not fully compatible with Log4j 1.x: The Log4j 1.2 API is supported by the log4j-1.2-api adapter but customizations that rely on Log4j 1.2 internals may not work.
Java 6 required for version 2.0 to 2.3. Java 7 is required for Log4j 2.4 and later.

intra

As the fun never stops at just one vulnerability, a second has been found with Log4J.

2.16.0 is now the recommendation.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Jaymer

fine, but where exactly do we get this new file?

cishpix

Jaymer wrote
fine, but where exactly do we get this new file?

You can download it from https://logging.apache.org/log4j/2.x/download.html directly

chris__29

You can verify issues using the log4j-detector

https://github.com/mergebase/log4j-detector

Simple to use

Usage: java -jar log4j-detector-2021.12.15.jar [--verbose] [paths to scan...]

EG:

C:\AwareIM\JDK\bin\java -jar log4j-detector-2021.12.15.jar C:\AwareIM

You should get something like this

C:\AwareIM\ConfigTool\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\log4j-1.2.8.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\VAR\binlinux\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\VAR\binmac\CP\Eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐
C:\AwareIM\VAR\binwin\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 OLD 😐

PointsWell

Be aware that following the release of 2.15 the fix was determined as incomplete and 2.16 was released.

Then another issue was identified in 2.16 so 2.17. has been released

intra

The Xmas gift that just keeps giving !!

https://nvd.nist.gov/vuln/detail/CVE-2021-44832