Apache log4j vulnerability, CVE-2021-44228

Hello Martijn,

I found the following posting, that version 1.x may be affected,too, but in a different way (only LDAP based?):

https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Since the Pro version supports LDAP certificat lookups, could this be a problem?

Best wishes,

Stefan

···

-----Ursprüngliche Nachricht-----

Von: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
Gesendet: Montag 13. Dezember 2021 8:34
An: users(a)lists.ciphermail.com
CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com>
Betreff: Re: Apache log4j vulnerability, CVE-2021-44228

Hi Ricky,

CipherMail Gateway and Webmail Messenger are *not* vulnerable to
CVE-2021-44228 because an older version of log4j (1.2) is used which
does not contain the (vulnerable) lookup functionality.

When we became aware, a few hours after the details were posted, that
log4j was exploitable, we analyzed the exploit and concluded that
CipherMail was not vulnerable.

CipherMail uses version 1.2.15 of the log4j library. This version is
still widely deployed. It is true that version 1.x of log4j is no
longer supported, however we always analyze any impact of a published
exploit to see whether a CipherMail product is impacted or not. We are
not aware of any vulnerabilities in the default configuration of 1.x as
used by CipherMail.

We will further analyze whether we upgrade to a newer version of log4j
or use a different logging library instead.

Kind regards,

Martijn Brinkers

On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> Apache log4j has a critical zero day vulnerability (CVSS score of
> 10), CVE-2021-44228.
>
> https://logging.apache.org/log4j/2.x/security.html
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
>
> The vulnerability appears to impact log4j 2.x thru 2.15.0-rc1. Upon
> a cursory check, Ciphermail appears to use log4j 1.2.15, which while
> end of life and potentially vulnerable to other threats, shouldn't be
> vulnerable to this specific flaw. As a result, the mitigating
> controls may not be applicable or necessary.
>
> Thoughts, or discussion?
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

Version 1.x can be configured to use JMSAppender. This is not
configured by CipherMail. Using a JMSAppender is a very specialized
config option which is not widely used and certainly not by default.

But even *if* you configure a JMSAppender, it can only be misused *if*
an attacker can also change the log4j config file. If an attacker is
able to change a config file on your file system, it means the attacker
already used a different method to get in. An external user is not able
to change a local config file.

The problem with the JMSAppender in verson 1.x cannot be compared to to
CVE-2021-44228.

See some details from the original author or log4j 1.X:

http://slf4j.org/log4shell.html

Unless you allow an external user to change your local config files,
using log4j 1.x is safe.

CipherMail gateway is safe because an external user cannot change the
local config file.

You should of course check other software, like for example Tomcat, to
investigate whether it does not use a vulnerable log4j jar.

PS. Since log4j 1.x is old, we are working on upgrading to the latest
version 2. Not because 1.x is not safe but because version 1 is EOL.

Kind regards,

Martijn

···

On Tue, 2021-12-14 at 11:52 +0000, Stefan Michael Guenther wrote:

Hello Martijn,

I found the following posting, that version 1.x may be affected,too,
but in a different way (only LDAP based?):

https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Since the Pro version supports LDAP certificat lookups, could this be
a problem?

Best wishes,

Stefan

-----Ursprüngliche Nachricht-----
> Von: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
> Gesendet: Montag 13. Dezember 2021 8:34
> An: users(a)lists.ciphermail.com
> CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com
> >
> Betreff: Re: Apache log4j vulnerability, CVE-
> 2021-44228
>
> Hi Ricky,
>
> CipherMail Gateway and Webmail Messenger are *not* vulnerable to
> CVE-2021-44228 because an older version of log4j (1.2) is used
> which
> does not contain the (vulnerable) lookup functionality.
>
> When we became aware, a few hours after the details were posted,
> that
> log4j was exploitable, we analyzed the exploit and concluded that
> CipherMail was not vulnerable.
>
> CipherMail uses version 1.2.15 of the log4j library. This version
> is
> still widely deployed. It is true that version 1.x of log4j is no
> longer supported, however we always analyze any impact of a
> published
> exploit to see whether a CipherMail product is impacted or not. We
> are
> not aware of any vulnerabilities in the default configuration of
> 1.x as
> used by CipherMail.
>
> We will further analyze whether we upgrade to a newer version of
> log4j
> or use a different logging library instead.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> > Apache log4j has a critical zero day vulnerability (CVSS score of
> > 10), CVE-2021-44228.
> >
> > https://logging.apache.org/log4j/2.x/security.html
> > https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
> >
> > The vulnerability appears to impact log4j 2.x thru 2.15.0-
> > rc1. Upon
> > a cursory check, Ciphermail appears to use log4j 1.2.15, which
> > while
> > end of life and potentially vulnerable to other threats,
> > shouldn't be
> > vulnerable to this specific flaw. As a result, the mitigating
> > controls may not be applicable or necessary.
> >
> > Thoughts, or discussion?
> --
> CipherMail email encryption
> Email encryption with support for S/MIME,
> OpenPGP, PDF Messenger and Webmail Messenger
>
>

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

Version 1.x can be configured to use JMSAppender. This is not
configured by CipherMail. Using a JMSAppender is a very specialized
config option which is not widely used and certainly not by
default.

But even *if* you configure a JMSAppender, it can only be misused
*if* an attacker can also change the log4j config file. If an
attacker is able to change a config file on your file system, it
means the attacker already used a different method to get in. An
external user is not able to change a local config file.

The vulnerability regarding Log4j 1.x is now tracked as CVE-2021-4104.
As Martijn already said, CipherMail products are not impacted because
of the specific configuration used. The blog post on our website has
been updated to reflect this:
https://www.ciphermail.com/blog/ciphermail-gateway-and-webmail-messenger-are-not-vulnerable-to-cve-2021-44228.html

The problem with the JMSAppender in verson 1.x cannot be compared
to CVE-2021-44228.

...regarding security impact, that is. They are somewhat similar in how
a potential attack would be executed (with the JNDI requests and all).

See some details from the original author or log4j 1.X:
http://slf4j.org/log4shell.html

To point to the authoritative CVE source:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

These entries have all the references to information you never wanted
to know about the Log4j vulnerabilities.

Unless you allow an external user to change your local config
files, using log4j 1.x is safe.

I'd like to add some nuance to this: we can't say that Log4j 1.x is
"safe", but we are certain that Log4j 1.2.15 as used by CipherMail
products (which do not allow external users to change the local config
files) does not pose a significant risk for our users and customers.

PS. Since log4j 1.x is old, we are working on upgrading to the latest
version 2. Not because 1.x is not safe but because version 1 is EOL.

Updated packages can be expected soon. See also the aforementioned blog
post.

To reiterate: certain Log4j versions are vulnerable, but not all
versions and vulnerabilities are created equally. The version used by
CipherMail is, in its specific configuration, not vulnerable.

Kind regards,

Imre Jonk
CipherMail B.V.

···

On Tue, 2021-12-14 at 13:11 +0100, Martijn Brinkers via Users wrote: