FS#72975 - 0-Day RCE in log4j, present in at least one package

Attached to Project: Community Packages
Opened by Chris Snell (chrissnell) - Saturday, 11 December 2021, 03:02 GMT
Last edited by Toolybird (Toolybird) - Saturday, 03 June 2023, 22:58 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
NicoHood (NicoHood)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

0-day with RCE being actively exploited. CVE-2021-44228 affects outdated log4j libraries, including the elasticsearch package. Presumably other packages are affected.

https://www.lunasec.io/docs/blog/log4j-zero-day/
This task depends upon

Closed by Toolybird (Toolybird)
Saturday, 03 June 2023, 22:58 GMT
Reason for closing: Fixed
Additional comments about closing: See comments
Comment by loqs (loqs) - Saturday, 11 December 2021, 20:14 GMT
Comment by Justin Kromlinger (hashworks) - Sunday, 12 December 2021, 13:33 GMT
Regarding elasticsearch: I've implemented the linked patch in 7.10.2-2. It replaces `/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar` with `elasticsearch-log4j-7.10.2.jar`, which doesn't include the `JndiLookup.class`:
```
old/org/apache/logging/log4j/core/util/JndiCloser.class
old/org/apache/logging/log4j/core/selector/JndiContextSelector.class
old/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
old/org/apache/logging/log4j/core/net/JndiManager$1.class
old/org/apache/logging/log4j/core/net/JndiManager.class
old/org/apache/logging/log4j/core/lookup/JndiLookup.class <-----
new/org/apache/logging/log4j/core/util/JndiCloser.class
new/org/apache/logging/log4j/core/selector/JndiContextSelector.class
new/org/apache/logging/log4j/core/net/JndiManager.class
new/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
new/org/apache/logging/log4j/core/net/JndiManager$1.class
```
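As an added defender-side check (not code from this bug report, from Elastic, or from Arch's packaging), the Python below inspects jars the way the old/new listing above does: it reports whether `JndiLookup.class` is still inside a jar and what log4j version the jar's manifest (or, as a fallback, its file name) claims. The two jars it creates in a temporary directory are constructed stand-ins with empty class entries under the real entry names, and their version strings are made up; they are not the actual elasticsearch jars. Point `scan_tree()` at a real directory such as `/usr/share/elasticsearch/lib` to check an installed package.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class that implements the ${jndi:...} lookup in log4j-core 2.x. Its presence is
# what CVE-2021-44228 relies on; removing it from the jar is the mitigation the
# comment above describes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Fallback version source: conventional file names such as log4j-core-2.11.1.jar
FILENAME_VERSION_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def inspect_jar(jar_path):
    """Report whether a jar still ships JndiLookup.class and which version it claims."""
    path = Path(jar_path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    if version is None:
        match = FILENAME_VERSION_RE.search(path.name)
        version = match.group(1) if match else None
    return {
        "jar": path.name,
        "version": version,
        "jndi_lookup_present": JNDI_LOOKUP_ENTRY in names,
    }


def scan_tree(root):
    """Inspect every *.jar below root (e.g. /usr/share/elasticsearch/lib), sorted by path."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def verdict(result):
    """One human-readable line per jar, in the spirit of the old/new listing above."""
    state = ("JndiLookup.class PRESENT" if result["jndi_lookup_present"]
             else "JndiLookup.class absent")
    return f"{result['jar']} (version {result['version'] or 'unknown'}): {state}"


def write_sample_jar(path, version, include_jndi_lookup):
    """Write a constructed stand-in jar: a manifest plus empty class entries.

    This is not a real log4j build; only the entry names matter to the check."""
    entries = [
        "org/apache/logging/log4j/core/util/JndiCloser.class",
        "org/apache/logging/log4j/core/net/JndiManager.class",
    ]
    if include_jndi_lookup:
        entries.append(JNDI_LOOKUP_ENTRY)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def build_demo():
    """Create the two constructed jars in a temp dir and scan them; returns the results."""
    root = Path(tempfile.mkdtemp(prefix="log4j-jar-check-"))
    # Constructed: the "old" jar keeps the class, the "new" one omits it.
    write_sample_jar(root / "old" / "log4j-core-2.11.1.jar", "2.11.1", True)
    write_sample_jar(root / "new" / "elasticsearch-log4j-7.10.2.jar", "2.11.1", False)
    return scan_tree(root)


if __name__ == "__main__":
    for result in build_demo():
        print(verdict(result))
```

Absence of the class is the condition the 7.10.2-2 patch establishes. For 2.x jars that still contain it, compare the version against the Arch security tracker entry linked later in this thread before drawing a conclusion: later 2.x releases keep `JndiLookup.class` on the classpath but disable JNDI lookups by default, so the class check alone is a coarse signal.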
Comment by freswa (frederik) - Sunday, 12 December 2021, 14:09 GMT
ghidra is fixed with 10.1 in [community]
Comment by David Runge (dvzrv) - Sunday, 12 December 2021, 14:51 GMT
solr is fixed with 8.11.0-2 in [community]
Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:47 GMT
logstash patched in 7.10.2-1
Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:52 GMT
openfire updated to 4.6.5 which already uses log4j 2.15.0
Comment by Freedom Dev (FreedomDev) - Monday, 16 May 2022, 19:37 GMT
scanner: https://github.com/logpresso/CVE-2021-44228-Scanner
args:[--scan-log4j1 --scan-logback --scan-zip /]


netbeans 13-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/lib/netbeans/ide/modules/ext/log4j-1.2.15.jar, log4j 1.2.15
(https://blogs.apache.org/netbeans/entry/log4j-and-apache-netbeans)

jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/JmolData.jar, log4j 1.2.14
jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/Jmol.jar, log4j 1.2.14
(https://bugs.archlinux.org/task/74845)->(https://sourceforge.net/p/jmol/code/22275/)-OK

zaproxy 2.11.1-1 [*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /usr/share/zaproxy/lib/log4j-core-2.15.0.jar, log4j 2.15.0
>fixed<
Comment by Leonidas Spyropoulos (inglor) - Wednesday, 18 May 2022, 23:52 GMT
zaproxy patched in 2.11.1-2 [community]
Comment by loqs (loqs) - Tuesday, 24 May 2022, 19:30 GMT
netbeans upstream does not believe it is/was vulnerable https://blogs.apache.org/netbeans/entry/log4j-and-apache-netbeans
Comment by Toolybird (Toolybird) - Tuesday, 16 May 2023, 00:07 GMT
So according to [1] everything is now fixed. The only doubt is jmol mentioned above...but it is updated regularly so surely not vulnerable? Someone please confirm. Unless anyone raises any objections, I propose closing this ticket within 30 days.

[1] https://security.archlinux.org/CVE-2021-44228
Comment by loqs (loqs) - Tuesday, 16 May 2023, 10:09 GMT
jmol had a separate bug report FS#74845, upstream concluded it was not vulnerable.
