Log4j 2.15.0 fixing remote execution (CVE-2021-44228)

Description

None


Potential Workaround

None

Activity

Adam Dickmeiss December 13, 2021 at 9:55 AM
Edited

PR for https://folio-org.atlassian.net/browse/OKAPI-1047#icft=OKAPI-1047 removes JNDI and does not affect context logging, so everything appears to be fine.

But it is a brute force approach.

https://issues.apache.org/jira/browse/LOG4J2-3198?focusedCommentId=17457333&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17457333

To me it seems log4j2 may still have an issue.

Jakub Skoczen December 13, 2021 at 9:26 AM

My understanding is that the vulnerability is with remote LDAP, not with local, so the log4j team only disabled remote LDAP lookups using JNDI (https://issues.apache.org/jira/browse/LOG4J2-3201).

It seems that we also have a problem with "local" JNDI which can lead to DoS, correct? If so, I agree that it would be best to completely disable any JNDI lookup. It would be good to keep the context-based logging though – it allows us to configure the log lines in one place and should be completely safe.

Adam Dickmeiss December 12, 2021 at 9:46 PM
Edited

Disabling the tenant logging in okapi-core/src/main/resources/log4j2.properties fixes this.

https://github.com/folio-org/okapi/blob/105122d474347a9cae54a316a057b5ca3eedb954/okapi-core/src/main/resources/log4j2.properties#L15

https://github.com/folio-org/okapi/blob/master/okapi-common/src/main/java/org/folio/okapi/common/logging/FolioLoggingContext.java

The jndi pattern lookup is apparently still in effect with these rules. Perhaps we can configure ourselves out of it, or the log4j2 team "missed" this one! Note that this type of logging is used in some RMB modules too (log4j2.properties in RMB is similar).

https://issues.apache.org/jira/browse/LOG4J2-3202
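The two comments above come down to one configuration question: a PatternLayout that pulls tenant and request ids through the `$${ctx:...}` lookup hands those ThreadContext values back to the lookup machinery, whereas the `%X{key}` pattern converter copies the ThreadContext value into the log line without running lookups on it. The script below is an added example for this thread, not code from Okapi, RMB or Log4j; it embeds two constructed log4j2.properties fragments (modelled on a tenant-logging setup, not the actual okapi-core file, and with made-up appender and key names), reports every `${...}` / `$${...}` lookup used inside a layout pattern, and rewrites the `ctx` lookups to `%X{}` so a deployer can check their own configuration before an upgrade lands.

```python
"""
Check a log4j2.properties file for lookup substitutions inside layout
patterns, and rewrite ThreadContext lookups to the %X{} converter.

Added example for this thread, not code from Okapi, RMB or Log4j. The two
configurations below are constructed to resemble a tenant-logging setup;
they are not the actual okapi-core log4j2.properties.
"""
import re

# Constructed: a pattern that pulls the tenant id through the ctx lookup.
# "$${ctx:tenantid}" defers the lookup to log-event time, and the value
# that comes back is itself subject to further lookup substitution.
WEAK_CONFIG = """\
status = error
name = OkapiLikeConfig
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} [$${ctx:requestid}] [$${ctx:tenantid}] %-5p %c{1} %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

# Constructed: the same layout with the %X{key} converter, which copies the
# ThreadContext value into the line without running lookups on it.
HARDENED_CONFIG = """\
status = error
name = OkapiLikeConfig
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} [%X{requestid}] [%X{tenantid}] %-5p %c{1} %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

# Matches ${name:key} and $${name:key}; group 1 = lookup name, group 2 = key.
LOOKUP_RE = re.compile(r"\$?\$\{([A-Za-z0-9_-]+):([^}]*)\}")


def parse_properties(text):
    """Minimal key=value parser: ignores blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_pattern_lookups(text):
    """Return [(property_key, lookup_name, lookup_key)] for every lookup
    used inside a *.pattern property. An empty list means no layout
    depends on runtime lookup substitution."""
    findings = []
    for key, value in parse_properties(text).items():
        if not key.endswith(".pattern"):
            continue
        for m in LOOKUP_RE.finditer(value):
            findings.append((key, m.group(1), m.group(2)))
    return findings


def rewrite_ctx_lookups(text):
    """Replace ${ctx:key} / $${ctx:key} inside *.pattern lines with %X{key}.
    Other lookups are left untouched and still show up in find_pattern_lookups."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().endswith(".pattern"):
            value = re.sub(r"\$?\$\{ctx:([^}]*)\}", r"%X{\1}", value)
            raw = key + sep + value
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        hits = find_pattern_lookups(cfg)
        print(f"{label}: {len(hits)} lookup(s) in layout patterns")
        for prop, name, lk in hits:
            print(f"  {prop}: ${{{name}:{lk}}}")
    # The rewrite of the weak file is exactly the hardened file.
    assert rewrite_ctx_lookups(WEAK_CONFIG) == HARDENED_CONFIG
```

Run it against each log4j2.properties in a deployment (`find_pattern_lookups(open(path).read())`); any non-empty result is a layout whose output still goes through lookup evaluation and is worth reviewing even after an upgrade. The parser only understands the properties format, so XML or YAML Log4j configurations need a different front end, and the `%X{}` rewrite is a configuration-side mitigation, not a substitute for moving to a Log4j release that no longer evaluates lookups on context values.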

Adam Dickmeiss December 12, 2021 at 4:46 PM

See https://folio-org.atlassian.net/browse/OKAPI-1048#icft=OKAPI-1048 as for why Hazelcast makes a log4j (1) logger. However, even if https://folio-org.atlassian.net/browse/OKAPI-1048#icft=OKAPI-1048 is merged, it does NOT fix this issue. So I don't think log4j (1) being in use is the problem here. Rather, something enables jndi and localhost, and so I can only think of a solution similar to https://folio-org.atlassian.net/browse/OKAPI-1047#icft=OKAPI-1047 as well.

Adam Dickmeiss December 12, 2021 at 4:19 PM

Confused, because hazelcast 4.2.2 uses log4j2 (https://docs.hazelcast.org/docs/4.2.2/javadoc/). OK, Okapi uses 4.0.2 at the moment, but upgrading doesn't change this.

Done

Details

Development Team

Core: Platform

Created December 10, 2021 at 11:35 PM
Updated December 13, 2021 at 4:16 PM
Resolved December 13, 2021 at 12:02 PM