If you’ve been following the news lately, you’ve likely heard about a security vulnerability called “Log4Shell” (details below). This vulnerability impacts many Java-based applications that utilize a common, open-source logging library known as log4j.
At ArgonDigital, we work with a number of platforms that are built on Java. This includes Alfresco, Ephesoft and Crafter. We wanted to provide an overview of this issue, along with information relative to these platforms.
This article is intended to provide current information around the log4j vulnerability, along with mitigation strategies to resolve the problem on affected systems. Because this is an evolving situation, this page will be updated as new information is released.
If you have any questions at all about Log4Shell and its potential impact on your Java applications, contact us and we’ll be happy to chat.
Background on the Vulnerability
On December 10th, 2021, a vulnerability was published regarding the Apache Log4j library. This was listed as CVE-2021-44228, and was ranked as Critical severity. (https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
This issue impacts software that utilizes the Apache Log4J library, and it can allow malicious users to achieve remote code execution via LDAP and other JNDI endpoints.
Because Apache Log4J is an extremely common logging utility for Java platforms, the scope of this vulnerability is quite large.
On December 14th, 2021, an additional vulnerability was published regarding this library. This was listed as CVE-2021-45046, and is currently ranked as a Low severity vulnerability. (https://nvd.nist.gov/vuln/detail/CVE-2021-45046)
Who is Impacted?
Software that utilizes log4j versions 2.0.x (including the beta versions) to 2.14.x can be impacted by both of these vulnerabilities. In addition, log4j 2.15.0 is vulnerable to CVE-2021-45046. Both issues are resolved in log4j starting with version 2.16.0.
It is possible to check for 2.x libraries by looking for the following JAR file in your application directories:
- log4j-core-2.x.x.jar (search with a wildcard to catch all versions, for example: 'log4j-core-2*')
The 1.x versions of log4j are not impacted by these two vulnerabilities.
What Actions can be Taken for these Vulnerabilities?
There are several different approaches that can be taken to mitigate, or reduce the risk of, these vulnerabilities. These are:
- If your application will support it, upgrade the underlying log4j library to 2.16.x. A fix is in place for this version of log4j that resolves both issues. This is the best approach if it is feasible to do this upgrade. Release Notes for this release can be found here:
- https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
- NOTE: The previous release, 2.15.0, only resolves CVE-2021-44228!
- Remove the JndiLookup class from the log4j-core JAR file (all instances of the JAR file on your system). An example command to remove the class is provided below. This will modify the JAR file directly, so ensure that a backup of the file is created before performing this step. Restart the application with the updated JAR file in place. This should mitigate both vulnerabilities.
- zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- For installations that are using 2.10 to 2.14.x versions of log4j, the following Java system property can be set:
- log4j2.formatMsgNoLookups=true
- NOTE: The version MUST be 2.10 to 2.14 for this setting to operate; earlier 2.x versions of log4j do not have this feature!
- NOTE: This protects against CVE-2021-44228, but it does not mitigate CVE-2021-45046.
- As part of improving security, it is also recommended that you update your JDK version, if it is older. The JNDI settings on newer builds of Java platforms have better default settings to reduce the risk of this type of exploit:
- JDK 8 (>= 1.8.0u192)
- JDK 11 (>= 11.0.2)
- NOTE: Current reports suggest that only upgrading the JDK by itself will not provide complete protection against all potential exploits. We recommend that you also perform one of the other mitigations in addition to upgrading the JDK.
- For our clients using Ephesoft, Ephesoft has provided the following steps to resolve the issue:
- For our clients using Crafter Enterprise 3.1.x, Crafter has recommended the following steps:
- Upgrade to Crafter Enterprise 3.1.7.3E. This version was released on December 15th, 2021, and is available through the Crafter Enterprise Support portal.
- If an upgrade is not feasible at this time, Crafter recommends that you remove the JndiLookup class from all instances of log4j-core*.jar in the installed environment. There are several places where the JAR file will be installed within Crafter, so searching for them and then updating them (backing them up first) is recommended. Example commands for finding the JAR files and for removing the JndiLookup class are provided below:
- find . -name 'log4j-core*.jar'
- zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- For our clients with Alfresco Content Services, the latest information that we have received from Hyland indicates that they have not found these vulnerabilities with Alfresco Content Services. It utilizes the 1.2 version of the log4j libraries, and is not impacted.
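One way to triage an environment against the steps above, covering both the general "remove the JndiLookup class" mitigation and the find/zip commands in the Crafter guidance: locate every log4j-core JAR, classify its version against the ranges given in this article, and report whether the class is still present. This is an added example, not code from ArgonDigital, Apache or any of the vendors named; it assumes the standard zip and unzip tools, and the directory argument is a placeholder.

```shell
#!/bin/sh
# Added example (not ArgonDigital's, Apache's or any vendor's code): triage every
# log4j-core JAR under a directory, classify its version against the ranges this
# article gives, and report whether JndiLookup.class is still present (needs unzip/zip).
# Classify a log4j-core version string using the ranges stated in the article:
#   vulnerable-both   2.0 (incl. betas) to 2.14.x: CVE-2021-44228 and CVE-2021-45046
#   vulnerable-45046  2.15.0: CVE-2021-44228 fixed, CVE-2021-45046 not
#   fixed             2.16.0 and later
#   not-2x            1.x (not impacted by these two CVEs) or unparseable
classify_log4j_version() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}           # "0-beta9" -> "0"
  [ "$major" = 2 ] || { echo not-2x; return; }
  case $minor in *[!0-9]*|'') echo not-2x; return ;; esac
  if [ "$minor" -le 14 ]; then echo vulnerable-both
  elif [ "$minor" -eq 15 ]; then echo vulnerable-45046
  else echo fixed
  fi
}

# Version from the JAR file name: log4j-core-2.14.1.jar -> 2.14.1
jar_version() {
  n=$(basename "$1" .jar)
  echo "${n#log4j-core-}"
}

# True if the JAR still contains the JndiLookup class (needs unzip).
has_jndi_lookup() {
  unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# Read-only scan: one triage line per JAR found under the given directory.
scan_log4j_jars() {
  find "$1" -name 'log4j-core*.jar' 2>/dev/null | while read -r jar; do
    ver=$(jar_version "$jar")
    if has_jndi_lookup "$jar"; then jndi=present; else jndi=absent; fi
    echo "$jar version=$ver status=$(classify_log4j_version "$ver") JndiLookup=$jndi"
  done
}

# The article's mitigation: back up the JAR, then strip the class in place.
# Restart the application afterwards so the modified JAR is loaded.
remove_jndi_lookup() {
  cp -p "$1" "$1.bak" || return 1
  zip -q -d "$1" org/apache/logging/log4j/core/lookup/JndiLookup.class
}
```

Run `scan_log4j_jars /path/to/application` first and only call `remove_jndi_lookup` on JARs the scan reports as vulnerable with JndiLookup=present.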