Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: remove wrong statement about 2.16.0, see https://issues.folio.org/browse/MODCONF-103 for details

Table of Contents

FOLIO is affected by the Log4Shell security issue (CVE-2021-44228 and CVE-2021-45046) and a denial of service attack issue (CVE-2021-45105) in the log4j-core library used by many FOLIO backend modules and FOLIO's Okapi.

FOLIO is not affected by the remote code execution (RCE) attack using JDBC Appender (CVE-2021-44832).

Advisories of the Log4j project: https://logging.apache.org/log4j/2.x/security.html

...

Okapi protects all modules where it proxies requests to (the mod-* modules) from the denial-of-service attack of CVE-2021-45105 (infinite recursion in MDC lookup evaluation) by filtering malicious values in the fields used for MDC (OKAPI-1058), therefore those modules don't need log4j >= 2.17.0 and can safely continue to use log4j 2.16.0.

Okapi doesn't protect the edge-* modules, edge-* modules that might be affected need to upgrade to log4j >= 2.17.0.

Hot-fix preview

Sysops that don't want to wait for the official hot-fix release can install the module versions of the platform-complete branch:

https://github.com/julianladisch/platform-complete/actions/workflows/log4shell-scan.yml scans these branches for vulnerable log4j versions. Click on the release and on "Run cat result.txt" to see the results.  The scan runs daily. The result history shows that

  • all platform-complete modules of Juniper (R2-2021) have been fixed since December 22, 2021
  • all platform-complete modules of Kiwi (R3-2021) have been fixed since December 22, 2021

There are no plans to completely fix Iris (R1-2021) because Iris hasn't officially been declare to receive long term support and FOLIO supports only the latest two flower releases.

Configuration variables for back-end modules

Many back-end modules are affected by the Log4Shell issue, until new jar files and new docker containers with a fixed version are ready the existing back-end modules should be reconfigured with an environment variable that disables the flaw for most cases in log4j:

  • LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  • Append -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTIONS variable

Pick one of the two options.

Example for the second option: If the existing configuration has JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0" then the new configuration should be
JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0 -Dlog4j2.formatMsgNoLookups=true"

SQL query to do this, posted by Lucy Menon on #sys-ops Slack channel, assuming that all modules in use already have a JAVA_OPTIONS env entry:

...

Not completely. It only limits exposure while leaving some attack vectors open. Using the configuration variables is a temporary measure for the time until patched FOLIO modules are available. Please upgrade to patched modules as soon as possible.

From:  https://logging.apache.org/log4j/2.x/security.html 

History

Older (discredited) mitigation measures

...

Are Kafka and Zookeeper affected?

No, because they use log4j 1.x and FOLIO doesn't set the JMS configuration TopicBindingName or TopicConnectionFactoryBindingName. For details see https://kafka.apache.org/cve-list and https://issues.apache.org/jira/browse/ZOOKEEPER-4423

...

Modules that use a vulnerable log4j version must be upgraded to >= 2.17.0, however, mod-* modules that already have upgraded to 2.16.0 don't need to upgrade to 2.17.0. Okapi protects all modules where it proxies requests to from the denial-of-service attack of CVE-2021-45105 (infinite recursion in MDC lookup evaluation) by filtering malicious values in the fields used for MDC (OKAPI-1058), therefore those modules don't need log4j 2.17.0 and can safely continue to use log4j 2.16.0.

Modules don't need to be upgraded to log4j 2.17.1 because they are not affected by the remote code execution (RCE) attack using JDBC Appender (CVE-2021-44832) that can only be triggered through malicious configuration files; since these are hard-coded into each module, sysop permissions would be required to change them and, if an attacker has sysop permissions, they can do far more than exploit log4j. Sysop permissions are needed to inject a configuration file and/or set it via the -Dlog4j.configurationFile system property; a search through the source code shows that no FOLIO module (re)configures log4j using code (programmatic APIsetConfigLocation) and therefore cannot be (re)configured at runtime without sysop permissions.

Each edge-* module must upgrade to log4j >= 2.17.0 unless you know that it doesn't use MDC lookups.

Please do the work in this order: Juniper, Kiwi, Iris. Work on edge module before back-end modules.

After all mod-* and edge-* modules have been upgraded to log4j >= 2.16.0 upgrade edge-* modules with log4j 2.16.0 to log4j 2.17.0 unless they don't use MDC lookups.

https://github.com/julianladisch/platform-complete/actions/workflows/log4shell-scan.yml scans the platfrom-complete branches R1-2021, R2-2021 and R3-2021 for vulnerable log4j versions. Click on the release and on "Run cat result.txt" to see the results. The scan runs daily.

RMB based modules

Modules based on Raml Module Builder (RMB) should upgrade to a fixed version:

...

For modules based off of Spring Boot are vulnerable as spring-boot-starter-log4j2 includes the vulnerable version of log4j.  Spring Boot has opted not to fix this version until the next release (due for Dec 23, 2021).In the meantimeupdated their version to 2.17.0 (as of 12/23/2021), therefore, pulling in the newest spring-boot-starter-log4j2 should be sufficient.

In you need to specifically override the version provided by Spring Boot, you can override the variable controlling Spring Boot's log4j version through the log4j2.version property like so (per their instructions for Maven, as FOLIO base uses their parent POM):

<properties>
  ...
  <log4j2.version>2.17.0<1</log4j2.version>
</properties>

...

Non-RMB modules might use other ways to update log4j.

If a module needs to directly sets set the version of log4j it should use the a <dependencyManagement> entry with log4j-bom to keep all log4j components (log4j-api, log4j-core, ...) in sync:

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
      <version>2.17.0<1</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

...

If not using the log4j-bom be sure to specify 2.17.0 the version in all of your log4j dependencies, check with mvn dependency:tree.

...

No, updating to log4j >= 2.16.0 is sufficient. LOG4J_FORMAT_MSG_NO_LOOKUPS=true or -Dlog4j2.formatMsgNoLookups=true should only be used by sysops for unpatched modules as a temporary fix. Don't add them to the ModuleDescriptors or LaunchDescriptors a module ships with. For details see section "Is using configuration variables secure?" above.

...