BASE-1388: Apache Log4j2 not protected against attacker controlled LDAP and other JNDI related endpoints

Overview

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true".

Summary	CVE-2021-44228 - Apache Log4j2 <=2.14.1 not protected against attacker controlled LDAP and other JNDI related endpoints Update Bulletin by 17.12.2021 15:00
Advisory Release Date	9th December 2021
Products	all eptos modules eptos Search Engine
Affected Releases	eptos modules - all releases 5.3 - 6.1 eptos Search Engine 2.0 - 2.1
Fixed Releases	eptos 6.1.1 Search Engine 2.1.1
CVE ID	CVE-2021-44228, CVE-2021-45046
Issue ID	BASE-1388
Further information	https://github.com/advisories/GHSA-jfh8-c2jp-5v3q https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/ https://www.wired.com/story/log4j-flaw-hacking-internet/ https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Summary of Vulnerability

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default.

eptos core is using impacted Log4j2 2.14 starting from Release 6.1.

eptos APIs are using spring-boot that has a dependency to log4j-api 2.13 but by default the log4j2 part is not enabled (reference) - starting from Release 6.0.

Since eptos is not using JNDI lookups, Paradine recommends disabling JNDI lookup using the startup parameters -Dlog4j2.formatMsgNoLookups=true.

The deactivation of the JNDI lookup is a precautionary measure to avoid that 3rd party libraries entail Log4j2.

Software Fixes

eptos 6.0.1 updated to the unaffected release 2.15.0 of Log4j2
eptos 6.1.1 updated to the unaffected release 2.15.0 of Log4j2
eptos Email Collector 6.1.1 (latest, 2021) updated to the unaffected release 2.15.0 of Log4j2
eptos Search Engine 2.1.1, will be updated to latest 2.15.0 of Log4j2

What you need to do

Paradine recommends that you upgrade to the latest Long Term Support release eptos 6.1.1
Paradine recommends that you upgrade to the latest Long Term Support release Search Engine 2.1.1
Please consult your Solution Manager

Mitigation

For mitigation you can:

change startup parameters of programs impacted releases by adding -Dlog4j2.formatMsgNoLookups=true where the JVM arguments are defined (e.g. in eptos-config map or under deployment for the pod itself)
restart the system
for microservices the sustaining way of fixing is installing new releases of API containers

eptos 5.x

Release

Program

Change

5.3, 5.4, 5.5, 5.6, 5.7

eptos core

add

^{-Dlog4j2.formatMsgNoLookups=true}

to jboss startup arguments

add to the JBOSS start script.

Release

Program

Change

5.7

eptos APIs

add

^{-Dlog4j2.formatMsgNoLookups=true}

in kubernetes console or in openshift console for all microservice API's deployed

attribute-config-api
class-api
cr-api
domain-api
domainvalue-api
property-api
transfmapps-api
tree-api
user-data-api
ui-config-api
favorite-api
keyquestion-api
contentstructure-api
editorialelement-api
publicationdefinition-api
reusable-name-api
term-api
template-api
publicationdefinition-export-api
entity-compare-api
keycloak

Kubernetes

example for change in eptos-config map

Openshift

Go to Applications→Deployments
Open a deployment plan
Edit as YAML
Update the JAVA_OPTS argument and Save it
Restart Pod

eptos 6.0

Release

Program

Change

6.0

eptos core

add

^{-Dlog4j2.formatMsgNoLookups=true}

in kubernetes console or in openshift console

6.0

eptos APIs

Add

^{set explicit version of org.apache.logging.log4j = 2.16.0}

attribute-config-api (since version 2.0.483)
class-api (since version 2.0.664)
class-infocomp-export-api (since version 2.0.415)
contentstructure-api (since version 2.0.416)
cr-api (since version 2.0.517)
domain-api (since version 2.0.546)
domainvalue-api (since version 2.0.564)
property-api (since version 2.0.623)
transfmapps-api (since version 2.0.503)
tree-api (since version 2.0.519)
user-data-api (since version 2.0.478)
ui-config-api (since version 2.0.485)
favorite-api (since version 2.0.483)
keyquestion-api (since version 2.0.457)
editorialelement-api (since version 2.0.421)
publicationdefinition-api (since version 2.0.408)
reusable-name-api (since version 2.0.396)
term-api (since version 2.0.409)
template-api (since version 2.0.374)
publicationdefinition-export-api (since version 1.0.10)
entity-compare-api (since version 2.0.352)

eptos 6.1

Release

Program

Change

6.1

eptos core

add

^{-Dlog4j2.formatMsgNoLookups=true}

in kubernetes console or in openshift console

6.1

eptos APIs

Add

^{set explicit version of org.apache.logging.log4j = 2.16.0}

attribute-config-api (since version 2.1.362)
class-api (since version 2.1.371)
cr-api (since version 2.1.343)
domain-api (since version 2.1.349)
domainvalue-api (since version 2.1.350)
property-api (since version 2.1.359)
transfmapps-api (since version 2.1.346)
tree-api (since version 2.1.344)
user-data-api (since version 2.1.330)
ui-config-api (since version 2.1.378)
favorite-api (since version 2.1.333)
keyquestion-api (since version 2.1.336)
contentstructure-api (since version 2.1.350)
editorialelement-api (since version 2.1.337)
publicationdefinition-api (since version 2.1.336)
reusable-name-api (since version 2.1.345)
term-api (since version 2.1.355)
template-api (since version 2.1.339)
entity-compare-api (since version 2.1.332)
keycloak

Kubernetes

example for change in eptos-config map

Openshift

Go to Applications→Deployments
Open a deployment plan
Edit as YAML
Update the JAVA_OPTS argument and Save it
Restart Pod

eptos Email Collector

Release

Program

Change

5.3, 5.4, 5.5, 5.6, 5.7

6.0

eptos email collector

Not impacted individually since installed as part of eptos core

6.1

eptos email collector

add

^{-Dlog4j2.formatMsgNoLookups=true}

in kubernetes console or in openshift console

for microservice API

emailcollector
keycloak

Kubernetes

example for change in eptos-config map

Openshift

Go to Applications→Deployments
Open a deployment plan
Edit as YAML
Update the JAVA_OPTS argument and Save it
Restart Pod

eptos Search Engine

Release

Program

Change

2.0, 2.1

eptos search engine

add

^{-Dlog4j2.formatMsgNoLookups=true}

in kubernetes console or in openshift console for microservice API

searchengine-api
keycloak

There might be additionally need for updating the third party SOLR container !

Kubernetes

example for change in eptos-config map

Openshift

Go to Applications→Deployments
Open a deployment plan
Edit as YAML
Update the JAVA_OPTS argument and Save it
Restart Pod

Support

If you have questions or concerns regarding this advisory, check support (at) paradine,at and add CVE-2021-44228 or CVE-2021-45046 to your issue description.