Apache log4j vulnerability, CVE-2021-44228

Stefan_Gunther · December 14, 2021, 11:52am

Hello Martijn,

I found the following posting, that version 1.x may be affected,too, but in a different way (only LDAP based?):

Comment by TopStreamsNet to Restrict LDAP access via JNDI

apache:release-2.x ← apache:ldap-controls

@ceki @remkop - it is not exactly true that it doesn't suffer from lookup issue …though. If you look at how jndi works in 1.x you will find that there are two places where lookups are done - that is JMSAppender.java:207 and JMSAppender.java:222 - if you set TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a" JNDI will do exactly the same thing it does for 2.x - so 1.x is vulnerable, just attack vector is "safer" as it depends on configuration rather than user input ``` log4j: Trying to find [log4j.xml] using context classloader jdk.internal.loader.ClassLoaders$AppClassLoader@5cb0d902. log4j: Trying to find [log4j.xml] using jdk.internal.loader.ClassLoaders$AppClassLoader@5cb0d902 class loader. log4j: Trying to find [log4j.xml] using ClassLoader.getSystemResource(). log4j: Trying to find [log4j.properties] using context classloader jdk.internal.loader.ClassLoaders$AppClassLoader@5cb0d902. log4j: Using URL [file:/home/user/Downloads/l4j/log4j.properties] for automatic log4j configuration. log4j: Reading configuration from URL file:/home/user/Downloads/l4j/log4j.properties log4j: Parsing for [root] with value=[DEBUG, stdout, jms]. log4j: Level token is [DEBUG]. log4j: Category root set to DEBUG log4j: Parsing appender named "stdout". log4j: Parsing layout options for "stdout". log4j: Setting property [conversionPattern] to [%d %-5p %c - %m%n]. log4j: End of parsing for "stdout". log4j: Parsed "stdout" options. log4j: Parsing appender named "jms". log4j: Setting property [initialContextFactoryName] to [org.apache.activemq.jndi.ActiveMQInitialContextFactory]. **log4j: Setting property [topicBindingName] to [ldap://server:1500/a]. log4j: Setting property [topicConnectionFactoryBindingName] to [ldap://server:1500/a].** log4j: Setting property [providerURL] to [tcp://localhost:61616]. log4j: Getting initial context. **log4j: Looking up [ldap://server:1500/a]** log4j:ERROR Error while activating options for appender named [jms]. javax.naming.NamingException: LDAP connection has been closed at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133) at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:443) at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365) at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60) at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61) at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204) at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94) at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409) **at org.apache.log4j.net.JMSAppender.lookup(JMSAppender.java:245)** **at org.apache.log4j.net.JMSAppender.activateOptions(JMSAppender.java:207)** at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:172) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:104) at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:842) at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:768) at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:648) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:514) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:580) at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:526) at org.apache.log4j.LogManager.<clinit>(LogManager.java:127) at org.apache.log4j.Logger.getLogger(Logger.java:104) at testexploit1.<clinit>(testexploit1.java:10) log4j: Parsed "jms" options. log4j: Parsing for [org.apache.activemq] with value=[INFO, stdout]. log4j: Level token is [INFO]. log4j: Category org.apache.activemq set to INFO log4j: Parsing appender named "stdout". log4j: Appender "stdout" was already parsed. log4j: Handling log4j.additivity.org.apache.activemq=[null] log4j: Finished configuring. ```

Since the Pro version supports LDAP certificat lookups, could this be a problem?

Best wishes,

Stefan

···

-----Ursprüngliche Nachricht-----

Von: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
Gesendet: Montag 13. Dezember 2021 8:34
An: users(a)lists.ciphermail.com
CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com>
Betreff: Re: Apache log4j vulnerability, CVE-2021-44228

Hi Ricky,

CipherMail Gateway and Webmail Messenger are *not* vulnerable to
CVE-2021-44228 because an older version of log4j (1.2) is used which
does not contain the (vulnerable) lookup functionality.

When we became aware, a few hours after the details were posted, that
log4j was exploitable, we analyzed the exploit and concluded that
CipherMail was not vulnerable.

CipherMail uses version 1.2.15 of the log4j library. This version is
still widely deployed. It is true that version 1.x of log4j is no
longer supported, however we always analyze any impact of a published
exploit to see whether a CipherMail product is impacted or not. We are
not aware of any vulnerabilities in the default configuration of 1.x as
used by CipherMail.

We will further analyze whether we upgrade to a newer version of log4j
or use a different logging library instead.

Kind regards,

Martijn Brinkers

On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> Apache log4j has a critical zero day vulnerability (CVSS score of
> 10), CVE-2021-44228.
>
> Log4j –
> NVD - CVE-2021-44228
> https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
>
> The vulnerability appears to impact log4j 2.x thru 2.15.0-rc1. Upon
> a cursory check, Ciphermail appears to use log4j 1.2.15, which while
> end of life and potentially vulnerable to other threats, shouldn't be
> vulnerable to this specific flaw. As a result, the mitigating
> controls may not be applicable or necessary.
>
> Thoughts, or discussion?
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

martijn · December 14, 2021, 12:11pm

Version 1.x can be configured to use JMSAppender. This is not
configured by CipherMail. Using a JMSAppender is a very specialized
config option which is not widely used and certainly not by default.

But even *if* you configure a JMSAppender, it can only be misused *if*
an attacker can also change the log4j config file. If an attacker is
able to change a config file on your file system, it means the attacker
already used a different method to get in. An external user is not able
to change a local config file.

The problem with the JMSAppender in verson 1.x cannot be compared to to
CVE-2021-44228.

See some details from the original author or log4j 1.X:

http://slf4j.org/log4shell.html

Unless you allow an external user to change your local config files,
using log4j 1.x is safe.

CipherMail gateway is safe because an external user cannot change the
local config file.

You should of course check other software, like for example Tomcat, to
investigate whether it does not use a vulnerable log4j jar.

PS. Since log4j 1.x is old, we are working on upgrading to the latest
version 2. Not because 1.x is not safe but because version 1 is EOL.

Kind regards,

Martijn

···

On Tue, 2021-12-14 at 11:52 +0000, Stefan Michael Guenther wrote:

Hello Martijn,

I found the following posting, that version 1.x may be affected,too,
but in a different way (only LDAP based?):

https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Since the Pro version supports LDAP certificat lookups, could this be
a problem?

Best wishes,

Stefan

-----Ursprüngliche Nachricht-----
> Von: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
> Gesendet: Montag 13. Dezember 2021 8:34
> An: users(a)lists.ciphermail.com
> CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com
> >
> Betreff: Re: Apache log4j vulnerability, CVE-
> 2021-44228
>
> Hi Ricky,
>
> CipherMail Gateway and Webmail Messenger are *not* vulnerable to
> CVE-2021-44228 because an older version of log4j (1.2) is used
> which
> does not contain the (vulnerable) lookup functionality.
>
> When we became aware, a few hours after the details were posted,
> that
> log4j was exploitable, we analyzed the exploit and concluded that
> CipherMail was not vulnerable.
>
> CipherMail uses version 1.2.15 of the log4j library. This version
> is
> still widely deployed. It is true that version 1.x of log4j is no
> longer supported, however we always analyze any impact of a
> published
> exploit to see whether a CipherMail product is impacted or not. We
> are
> not aware of any vulnerabilities in the default configuration of
> 1.x as
> used by CipherMail.
>
> We will further analyze whether we upgrade to a newer version of
> log4j
> or use a different logging library instead.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> > Apache log4j has a critical zero day vulnerability (CVSS score of
> > 10), CVE-2021-44228.
> >
> > Log4j –
> > NVD - CVE-2021-44228
> > https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
> >
> > The vulnerability appears to impact log4j 2.x thru 2.15.0-
> > rc1. Upon
> > a cursory check, Ciphermail appears to use log4j 1.2.15, which
> > while
> > end of life and potentially vulnerable to other threats,
> > shouldn't be
> > vulnerable to this specific flaw. As a result, the mitigating
> > controls may not be applicable or necessary.
> >
> > Thoughts, or discussion?
> --
> CipherMail email encryption
> Email encryption with support for S/MIME,
> OpenPGP, PDF Messenger and Webmail Messenger
>
>

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

Imre_Jonk · December 15, 2021, 1:49pm

Version 1.x can be configured to use JMSAppender. This is not
configured by CipherMail. Using a JMSAppender is a very specialized
config option which is not widely used and certainly not by
default.

But even *if* you configure a JMSAppender, it can only be misused
*if* an attacker can also change the log4j config file. If an
attacker is able to change a config file on your file system, it
means the attacker already used a different method to get in. An
external user is not able to change a local config file.

The vulnerability regarding Log4j 1.x is now tracked as CVE-2021-4104.
As Martijn already said, CipherMail products are not impacted because
of the specific configuration used. The blog post on our website has
been updated to reflect this:

The problem with the JMSAppender in verson 1.x cannot be compared
to CVE-2021-44228.

...regarding security impact, that is. They are somewhat similar in how
a potential attack would be executed (with the JNDI requests and all).

See some details from the original author or log4j 1.X:
SLF4J

To point to the authoritative CVE source:

These entries have all the references to information you never wanted
to know about the Log4j vulnerabilities.

Unless you allow an external user to change your local config
files, using log4j 1.x is safe.

I'd like to add some nuance to this: we can't say that Log4j 1.x is
"safe", but we are certain that Log4j 1.2.15 as used by CipherMail
products (which do not allow external users to change the local config
files) does not pose a significant risk for our users and customers.

PS. Since log4j 1.x is old, we are working on upgrading to the latest
version 2. Not because 1.x is not safe but because version 1 is EOL.

Updated packages can be expected soon. See also the aforementioned blog
post.

To reiterate: certain Log4j versions are vulnerable, but not all
versions and vulnerabilities are created equally. The version used by
CipherMail is, in its specific configuration, not vulnerable.

Kind regards,

Imre Jonk
CipherMail B.V.

···

On Tue, 2021-12-14 at 13:11 +0100, Martijn Brinkers via Users wrote:

Topic		Replies	Views
Apache log4j vulnerability, CVE-2021-44228 Gateway	1	131	December 13, 2021
Warning about JCE Gateway	4	64	December 12, 2017
Unable to login to Ciphermail Web GUI Gateway	0	82	November 21, 2019
New Apache packages on centos not compatilbe to ciphermail ? Gateway	1	72	July 27, 2014
Import of p7b files fails Gateway	2	104	August 19, 2021

Apache log4j vulnerability, CVE-2021-44228

Related Topics