
OSG-SEC-2022-01-03 Additional UPDATE on Log4J

SUMMARY

Apache Log4j2 versions through 2.17.0 are vulnerable to a remote code execution attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. [1] This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

IMPACTED VERSIONS

Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4).

Note that only the log4j-core JAR file is impacted by this CVE; applications using only the log4j-api JAR file are not impacted.

WHAT YOU SHOULD DO:

Sites should upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7) or 2.17.1 (for Java 8 and later).

Sites unable to upgrade should confirm that the JDBC Appender is not configured with a JNDI data source using any protocol other than java [2].
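For sites that cannot upgrade, the check in [2] can be scripted. The following is an added example, not code from this advisory or from the Apache Log4j project: it parses a Log4j2 XML configuration, locates every JDBC appender that declares a DataSource, and reports any whose jndiName does not use the java: namespace. The sample configuration, the appender names and the ldap:// data source name are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the advisory): two JDBC appenders,
# one whose DataSource uses the java: namespace and one whose DataSource
# points at another protocol, which the check below reports.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbSafe" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
    </JDBC>
    <JDBC name="dbBad" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid:1389/o=datasource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <Console name="stdout">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="dbSafe"/>
    </Root>
  </Loggers>
</Configuration>
"""


def jndi_scheme(jndi_name):
    """Lower-cased scheme of a JNDI name ('java:comp/env/x' -> 'java'),
    or '' when the name carries no scheme at all."""
    head, sep, _ = jndi_name.partition(":")
    return head.strip().lower() if sep else ""


def find_nonjava_jdbc_datasources(xml_text):
    """Return (appender name, jndiName) for every JDBC appender whose DataSource
    JNDI name does not use the java: namespace. A DataSource without any
    jndiName is reported too, since it cannot be shown to be safe.
    Element names are compared case-insensitively, as Log4j2 resolves plugin
    names that way."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            if jndi_scheme(jndi_name) != "java":
                findings.append((appender.get("name", "<unnamed>"), jndi_name))
    return findings


def check_config_file(path):
    """Run the check against a configuration file on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_nonjava_jdbc_datasources(fh.read())


if __name__ == "__main__":
    for appender, jndi_name in find_nonjava_jdbc_datasources(SAMPLE_CONFIG):
        print(f"JDBC appender {appender!r} uses a non-java JNDI data source: {jndi_name}")
```

Point check_config_file() at each deployed log4j2.xml. Properties, YAML and JSON configurations express the same appender and need the equivalent lookup, and an empty result only means that no JDBC appender names a non-java JNDI data source, not that the installation is otherwise current.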

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
[2] https://logging.apache.org/log4j/2.x/security.html

PREVIOUS UPDATE


OSG-SEC-2021-12-16 UPDATE on Log4J Vulnerability

The patch released to address the original vulnerability (2.15.0) was incomplete [1]. The OSG Security team recommends that all sites should update log4j to version 2.16.0 (for Java 8) or 2.12.2 (for Java 7) and implement the recommended JNDI lookup mitigation from Apache [2] where possible.

[1] https://www.cve.org/CVERecord?id=CVE-2021-44228
[2] https://logging.apache.org/log4j/2.x/security.html

ORIGINAL ANNOUNCEMENT


OSG-SEC-2021-12-13 CRITICAL Severity Vulnerability in Java library Log4j

Dear OSG Security Contacts,

A new vulnerability has been found in the Java Log4j library which allows a remote attacker to execute arbitrary code on a server if the system logs an attacker-controlled string value [1]. Proof-of-concept code for this attack is available and it is being actively exploited. Due to the widespread nature of this vulnerability and the ease of exploitation, the OSG Security Team considers this vulnerability to be of CRITICAL severity for affected systems.

IMPACTED VERSIONS:

Any Java-based web service running a Log4j version prior to 2.15.0.

WHAT ARE THE VULNERABILITIES:

Any Java-based web service that uses Log4j for logging is potentially vulnerable to a remote code execution flaw which allows a remote attacker to execute a remote payload with a simple command.

A list of known affected services is being compiled [2]; at present this includes Apache Solr, Druid, Flink, as well as Logstash, ElasticSearch, and Kafka. The full attack surface has not yet been identified.

At this point we do not believe the OSG software stack, dCache, or VOMS admin to be vulnerable to this attack.

WHAT YOU SHOULD DO:

As soon as possible, identify any services running affected log4j versions and update to version 2.15.0 or higher [3][4][5].

If you are using a version older than 2.15.0 and cannot upgrade, a temporary mitigation may be available [6].
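Identifying affected installations (this section and the 2021-12-16 update above) comes down to finding every log4j-core jar, reading its version, and comparing it with the fixed versions the advisories name. The script below is an added example, not OSG or Apache code: it reads the version from the jar manifest (falling back to the file name), checks whether the JndiLookup class that the Apache mitigation removes is still present, and lists which advisory threshold each jar misses. The version table is constructed from the advisories on this page; treating 2.3.2 as the Java 6 threshold for CVE-2021-44228 as well is an assumption, since the advisories give no separate figure for that branch. The sample jars it builds are constructed stand-ins, not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Class that the Apache mitigation removes from log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Minimum versions from the advisories above, keyed by release line
# (Java 6 / Java 7 / Java 8+). Assumption: the advisories give no separate
# Java 6 fix version for CVE-2021-44228, so the 2.3.2 upgrade target is used
# for that branch as well.
FIXED_VERSIONS = {
    "2.3":  {"CVE-2021-44228": (2, 3, 2),  "CVE-2021-44832": (2, 3, 2)},
    "2.12": {"CVE-2021-44228": (2, 12, 2), "CVE-2021-44832": (2, 12, 4)},
    "main": {"CVE-2021-44228": (2, 16, 0), "CVE-2021-44832": (2, 17, 1)},
}


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); a pre-release such as '2.0-beta7' sorts as (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def branch_of(version):
    """Map a version tuple to the release line used in FIXED_VERSIONS."""
    major_minor = version[:2]
    if major_minor <= (2, 3):
        return "2.3"
    if major_minor == (2, 12):
        return "2.12"
    return "main"


def assess_jar(jar_path):
    """Inspect one log4j-core jar: version (manifest first, file name as fallback),
    whether JndiLookup.class is still present, and which thresholds it misses."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    has_jndi_lookup = JNDI_LOOKUP_CLASS in names
    match = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
             or re.search(r"^log4j-core-(.+)\.jar$", jar_path.name))
    result = {"path": str(jar_path), "version": None,
              "jndi_lookup_present": has_jndi_lookup, "findings": []}
    if not match:
        result["findings"].append("version unknown; inspect manually")
        return result
    version = parse_version(match.group(1))
    result["version"] = ".".join(map(str, version))
    for cve, fixed in sorted(FIXED_VERSIONS[branch_of(version)].items()):
        if version < fixed:
            note = cve
            if cve == "CVE-2021-44228" and not has_jndi_lookup:
                note += " (JndiLookup.class removed: Apache mitigation applied)"
            result["findings"].append(note)
    return result


def scan_tree(root_dir):
    """Assess every log4j-core*.jar below root_dir. Jars nested inside WAR/EAR
    archives are not opened here and need a separate pass."""
    return [assess_jar(p) for p in sorted(Path(root_dir).rglob("log4j-core*.jar"))]


def make_sample_jar(path, version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty marker
    entry where JndiLookup.class would be. Not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0",
                        include_jndi_lookup=False)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        for r in scan_tree(tmp):
            status = "; ".join(r["findings"]) or "at or above advisory threshold"
            print(f"{Path(r['path']).name}: version={r['version']} {status}")
```

Run scan_tree() over each application root and library directory; a jar that reports no findings is at or above the advisory thresholds for its release line, while a jar flagged for CVE-2021-44228 with the JndiLookup class removed has the interim Apache mitigation in place but still needs the upgrade.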

REFERENCES

[1] https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] https://github.com/YfryTchsGD/Log4jAttackSurface
[3] https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
[4] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/
[5] https://logging.apache.org/log4j/2.x/download.html
[6] https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team