SOI log4j vulnerabilities: several libraries reported


Article ID: 236019


Products

CA Service Operations Insight (SOI)

Issue/Introduction

The scanner identified the following libraries, scan completed Feb 2022:

path              : d:\program files (x86)\ca\soi\eventmanagement\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\samstore\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\servicediscovery\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\tools\catalystencrypt\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\tools\priming utility\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\tools\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\apache-activemq\lib\optional\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\lib\ivy\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\wso2registry\lib\log4j-1.2.13.jar   installed version : 1.2.13   fixed version     : 2.16.0
path              : d:\program files (x86)\ca\soi\wso2registry\repository\components\configuration\org.eclipse.osgi\bundles\22\1\.cp\log4j-1.2.1
path              : d:\ca\soi\eventmanagement\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\samstore\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\servicediscovery\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\tools\catalystencrypt\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\tools\priming utility\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\tools\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\apache-activemq\lib\optional\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\lib\generic\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\lib\ivy\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\tomcat\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\ucfbroker\lib\log4j-1.2.17.jar   installed version : 1.2.17   fixed version     : 2.16.0
path              : d:\ca\soi\wso2registry\lib\log4j-1.2.13.jar   installed version : 1.2.13   fixed version     : 2.16.0

Environment

Release: "4.2.0.9.20210706"

Component : Service Operations Insight (SOI) Manager

Resolution

CVE-2022-23307, CVE-2020-9488 (CRITICAL) - Apache Log4j 1.2.x

Vulnerability Description: CVE-2020-9493 identified a deserialization issue in Apache Chainsaw. Before Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

This is described in some detail in https://blog.sonatype.com/new-log4j-1.x-cves-and-critical-chainsaw-vulnerability-what-to-do

It is vulnerable in the default configuration, hence the high severity score, but only if you run Chainsaw, that is, if you run:
java -cp log4j-1.2.17.jar org.apache.log4j.chainsaw.Main

Running Chainsaw this way starts a TCP server that accepts connections on port 4445 from any source IP address. Log4j 1 can be configured with a socket appender pointing to host:4445, and the log messages then appear in the Chainsaw UI. The vulnerable part is Chainsaw; SOI does not run it, and it is unlikely that anybody would use the included jar file to run Chainsaw. In addition, our modified versions of log4j-1.2.12.jar, log4j-1.2.13.jar, log4j-1.2.16.jar and log4j-1.2.17.jar do not contain the org.apache.log4j.net package, so the socket appender is removed and that log4j would not even be capable of sending logs to Chainsaw.

CVE-2022-23302 (HIGH) - Apache Log4j 1.x

Vulnerability Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The CVE description contains "Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default."

Our modified versions of log4j-1.2.12.jar, log4j-1.2.13.jar, log4j-1.2.16.jar and log4j-1.2.17.jar do not contain the org.apache.log4j.net package, so they do not contain the JMSSink class.
SOI does not configure log4j to use JMS.

CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x

Vulnerability Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The CVE description contains "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default."
Our modified versions of log4j-1.2.12.jar, log4j-1.2.13.jar, log4j-1.2.16.jar and log4j-1.2.17.jar do not contain the org.apache.log4j.jdbc package, so they do not contain the JDBCAppender class.
SOI does not configure log4j to use JDBC.

CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x

Vulnerability Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The CVE description contains "Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default."
SOI does not configure log4j to use JMS.

CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2.X

Vulnerability Description: Included in Log4j 1.2 is a Socket Server class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

The Socket Server class is vulnerable to deserialization of untrusted data. APM does not configure log4j to use the socket server.
Our modified versions of log4j-1.2.12.jar, log4j-1.2.13.jar, log4j-1.2.16.jar and log4j-1.2.17.jar do not contain the org.apache.log4j.net package, so the socket server is removed.
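The resolution above rests on two claims: the shipped jars no longer contain the org.apache.log4j.net and org.apache.log4j.jdbc packages, and the SOI log4j configuration never names the JMS, JDBC or socket components. The following script is an added verification example, not part of this article or of the SOI product: it lists any of those class entries still present in a log4j 1.2.x jar and any reference to them in a log4j configuration text, so an administrator can confirm the replacement jars were installed on every path the scanner reported. The class-to-CVE mapping and the sample jar are constructed here for illustration.

```python
"""Check log4j 1.2.x jars and config for the code paths behind the CVEs above."""
import io
import zipfile
from pathlib import Path

# Jar entries whose presence means the CVE's code path is still shipped (constructed mapping).
RISKY_CLASSES = {
    "org/apache/log4j/chainsaw/Main.class": "CVE-2022-23307 (Chainsaw)",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571 (SocketServer)",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104 (JMSAppender)",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302 (JMSSink)",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305 (JDBCAppender)",
}
# Dotted class names a log4j 1.x configuration would have to reference to reach that code.
RISKY_APPENDERS = tuple(e[:-len(".class")].replace("/", ".") for e in RISKY_CLASSES)


def risky_classes_in_jar(jar):
    """Return {entry: cve} for each risky class still present in the jar.
    `jar` is a filesystem path, or raw jar bytes (used by the constructed sample below)."""
    source = io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
    return {entry: cve for entry, cve in RISKY_CLASSES.items() if entry in names}


def risky_appenders_in_config(config_text):
    """Return the risky class names referenced in a log4j.properties / log4j.xml text."""
    return [name for name in RISKY_APPENDERS if name in config_text]


def scan_install(root):
    """Walk an install tree (e.g. d:\\ca\\soi) and report findings per log4j-1.2.x jar."""
    return {str(p): risky_classes_in_jar(p) for p in Path(root).rglob("log4j-1.2*.jar")}


def build_sample_jar(entries):
    """Constructed sample: a jar containing only the given (empty) class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    stock = build_sample_jar(["org/apache/log4j/Logger.class", "org/apache/log4j/net/SocketServer.class"])
    stripped = build_sample_jar(["org/apache/log4j/Logger.class"])
    print("stock jar:", risky_classes_in_jar(stock))        # SocketServer still present
    print("stripped jar:", risky_classes_in_jar(stripped))  # nothing left to report
```

Run scan_install against the install root reported by the scanner; any non-empty result means a stock jar is still in place on that path.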

Attachments

log4j-1.2.17_1646309895399.jar
log4j-1.2.16_1646309885313.jar
log4j-1.2.13_1646309870990.jar
log4j-1.2.12_1646309855113.jar