Are we safe from log4j vulnerability

rocketman
Posts: 1239
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

Are we safe from log4j vulnerability

Post by rocketman »

As the subject says. Don’t know much about Java - out of my depth here - but I just received an alert from the Wordfence people (Wordfence protects my WordPress sites)
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
karelh
Posts: 86
Joined: Wed Oct 26, 2016 10:20 pm

Re: Are we safe from log4j vulnerability

Post by karelh »

Hi all,

Some good information on it. I trust support will have a look at it to see if we are vulnerable and hopefully release an update with the new version. We are busy running vulnerability scans now to confirm.

https://www.rapid7.com/blog/post/2021/1 ... che-log4j/
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India
Contact:

Re: Are we safe from log4j vulnerability

Post by himanshu »

Yes, we are also looking into this and upgrading the necessary jar files. It looks like Aware is currently shipping quite an old version (1.2), and we are upgrading our system with the latest 2.15 (which includes this bug fix too).

There are two jars which need to be placed under the lib folder.

log4j-api-2.15.0.jar
log4j-core-2.15.0.jar

and remove the old one, log4j1.2.jar

Hopefully, in future Aware will bundle the latest, updated jars.
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

Re: Are we safe from log4j vulnerability

Post by Jaymer »

applies to us ONLY if this is true?

"According to Apache’s advisory, all Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled."

1) Himanshu said we are Version 1.2. So we are not even using an Affected version?
2) Do we know if this even applies to our aware installs? It also says this:
"According to a translated technical blog post, JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector."

So easy instructions posted here should tell us how to easily check which JDK is installed. It may not affect us.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India
Contact:

Re: Are we safe from log4j vulnerability

Post by himanshu »

The latest AwareIM version uses Java 12.x and I do not find any harm in updating to the latest lib.

Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: Are we safe from log4j vulnerability

Post by aware_support »

We do not think that this vulnerability affects Aware IM applications, but to be safe we will be testing Aware IM with the new version. If everything is OK we will include the new library in the official distribution.

In the meantime feel free to replace the old jar manually as Himanshu suggests.
Aware IM Support Team
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India
Contact:

Reasons to upgrade from Log4j 1.x to Log4j 2

Post by himanshu »

Might be useful to read..

Update: since August 2015, Log4j 1.x is officially End of Life and it is recommended to upgrade to Log4j 2. Update 2: Log4j 1.2 is broken in Java 9.
  • Community support: Log4j 1.x is not actively maintained, whereas Log4j 2 has an active community where questions are answered, features are added and bugs are fixed.
  • Async Loggers - performance similar to logging switched off
  • Custom log levels
  • Automatically reload its configuration upon modification without losing log events while reconfiguring.
  • Java 8-style lambda support for lazy logging
  • Log4j 2 is garbage-free (or at least low-garbage) since version 2.6
  • Filtering: filtering based on context data, markers, regular expressions, and other components in the Log event. Filters can be associated with Loggers. You can use a common Filter class in any of these circumstances.
  • Plugin Architecture - easy to extend by building custom components
  • Supported APIs: SLF4J, Commons Logging, Log4j-1.x and java.util.logging
  • Log4j 2 API separate from the Log4j 2 implementation. API supports more than just logging Strings: CharSequences, Objects and custom Messages. Messages allow support for interesting and complex constructs to be passed through the logging system and be efficiently manipulated. Users are free to create their own Message types and write custom Layouts, Filters and Lookups to manipulate them.
  • Concurrency improvements: log4j2 uses java.util.concurrent libraries to perform locking at the lowest level possible. Log4j-1.x has known deadlock issues.
  • Configuration via XML, JSON, YAML, properties configuration files or programmatically.
Be aware
  • log4j2.xml and log4j2.properties formats are different from the Log4j 1.2 configuration syntax
  • Log4j 2 is not fully compatible with Log4j 1.x: The Log4j 1.2 API is supported by the log4j-1.2-api adapter but customizations that rely on Log4j 1.2 internals may not work.
  • Java 6 required for version 2.0 to 2.3. Java 7 is required for Log4j 2.4 and later.
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Are we safe from log4j vulnerability

Post by intra »

As the fun never stops at just one vulnerability, a second has been found with Log4J.

2.16.0 is now the recommendation.

https://cve.mitre.org/cgi-bin/cvename.c ... 2021-45046
Avid Linux user....
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

Re: Are we safe from log4j vulnerability

Post by Jaymer »

fine, but where exactly do we get this new file?
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
cishpix
Posts: 183
Joined: Fri Nov 06, 2015 5:07 am
Location: Indonesia

Re: Are we safe from log4j vulnerability

Post by cishpix »

Jaymer wrote (Wed Dec 15, 2021 5:56 am): "fine, but where exactly do we get this new file?"

You can download it from https://logging.apache.org/log4j/2.x/download.html directly
Regards,

Suwandy
-----------------
Kisaran - Indonesia
chris__29
Posts: 20
Joined: Wed Dec 15, 2021 11:44 pm
Location: Australia

Re: Are we safe from log4j vulnerability

Post by chris__29 »

You can verify issues using the log4j-detector

https://github.com/mergebase/log4j-detector

Simple to use

Usage: java -jar log4j-detector-2021.12.15.jar [--verbose] [paths to scan...]

EG:

C:\AwareIM\JDK\bin\java -jar log4j-detector-2021.12.15.jar C:\AwareIM

You should get something like this

C:\AwareIM\ConfigTool\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\log4j-1.2.8.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\VAR\binlinux\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\VAR\binmac\CP\Eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
C:\AwareIM\VAR\binwin\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
AwareIM 8.8
MySQL, MSSQL
MS Server
Australia
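
The kind of check described in the post above, as an added example (not part of the thread and not log4j-detector's own code): a Python scanner that opens every jar under a folder, including jars nested inside wars or fat jars, and labels any log4j it finds with the version statuses reported in this thread. It assumes the jar carries the standard Maven `pom.properties` entry or the `JndiLookup` class; the function names are illustrative.

```python
import io, os, re, sys, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/%s/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear")

def classify(version):
    """Status of a log4j-core 2.x version, using only what this thread reports."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if not nums:
        return "version unknown: inspect manually"
    if nums <= (2, 14, 1):
        return "in the 2.x <= 2.14.1 range the Apache advisory lists as vulnerable"
    if nums < (2, 16):
        return "2.15 fix was incomplete (CVE-2021-45046)"
    if nums < (2, 17):
        return "another issue was identified in 2.16"
    return "2.17 or later: compare with CVE-2021-44832"

def scan_jar(data, path, findings):
    """Inspect one archive held in memory, then recurse into nested archives."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a real archive, nothing to report
    names = set(jar.namelist())
    if POM % "log4j-core" in names:
        props = jar.read(POM % "log4j-core").decode("utf-8", "replace")
        found = re.search(r"^version=(\S+)", props, re.M)
        version = found.group(1) if found else ""
        findings.append((path, "log4j-core " + version, classify(version)))
    elif JNDI_LOOKUP in names:  # shaded copy without Maven metadata
        findings.append((path, "log4j-core ?", classify("")))
    if LOG4J1_LOGGER in names and POM % "log4j-1.2-api" not in names:  # skip 2.x adapter
        findings.append((path, "log4j 1.x", "end of life, not in the 2.x range"))
    for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
        scan_jar(jar.read(name), path + "!/" + name, findings)
    return findings

def scan_tree(root):
    findings = []  # (path, component, status) tuples
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(ARCHIVES)):
            with open(os.path.join(dirpath, name), "rb") as fh:
                scan_jar(fh.read(), fh.name, findings)
    return findings

if __name__ == "__main__":
    print(*scan_tree((sys.argv[1:] or ["."])[0]), sep="\n")
```

Run it with the folder to scan as the only argument; with no argument it scans the current directory.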
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Log4J v2.17

Post by PointsWell »

Be aware that following the release of 2.15 the fix was determined to be incomplete and 2.16 was released.

Then another issue was identified in 2.16, so 2.17 has been released.
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Are we safe from log4j vulnerability

Post by intra »

The Xmas gift that just keeps giving !!

https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Avid Linux user....