APM Log4j vulnerability

Article ID: 252711

Products

CA App Synthetic Monitor

Issue/Introduction

According to the advisories below, a fix for the Log4j vulnerability was provided for APM:

CVE-2021-44228 & CVE-2021-45046 - log4j vulnerability and APM (broadcom.com)

Broadcom ASM Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability


The location where the vulnerability was found is shown in the attached image.

Environment

Release : 10.0

Resolution

Thanks for meeting today. I am closing this case since you are using an unsupported log4j release (see below).

Please update the log4j release (such as to 2.9) and run a scan. If there are any issues, please provide a report including the CVE numbers.

(Note that your directory name is HF79, so it appears you are not running APM 10.7 GA.)

So, I explained that we typically get a vulnerability report with CVE numbers. Your company is using the Nessus scanning software.

You sent me a link:

https://www.tenable.com/plugins/nessus/156032

But that covers log4j 1.4, not 1.2 (although the resolution is the same).

If you check the Log4j EOL page, https://endoflife.date/log4j, it states that 1.x has not been supported since 2015!

So, this case should never have been opened about an unsupported release.

Many 1.2.x issues are false positives:

CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x
Vulnerability Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The CVE description contains "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default."
APM does not configure log4j to use JDBC.

CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x
Vulnerability Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The CVE description contains "Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default."
APM does not configure log4j to use JMS.

CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2 up to 1.2.17
Vulnerability Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

The SocketServer class is vulnerable to deserialization of untrusted data. APM does not configure log4j to use the socket server.
Our modified version, log4j-1.2.17-cloudera1-nonet.jar, does not contain the org.apache.log4j.net package, so the SocketServer class is removed.

CVE-2017-5645 (CRITICAL) - Apache Log4j 2.x before 2.8.2
Vulnerability Description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

The CVE description contains "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, etc." Note also that the affected range in the description is Log4j 2.x, not the 1.2.x line shipped here.
APM does not configure log4j to use a socket server.
Our modified version, log4j-1.2.17-cloudera1-nonet.jar, does not contain the org.apache.log4j.net package, so the socket server is removed.
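The reasoning above (each 1.2.x CVE needs a specific class in the jar and, for the appender CVEs, an explicit entry in the log4j configuration) can be turned into a repeatable check. The script below is an added example, not code from Broadcom or the APM product: it lists the .class entries in a log4j jar, reads the manifest version, scans a log4j.properties or log4j.xml for the JMSAppender and JDBCAppender (ignoring commented-out lines), and reports each CVE as "class removed", "present but not configured" or "present and configured". The jars and configs built inside the block are constructed stand-ins; the NONET_JAR is a hypothetical model of a "-nonet" build that drops the org.apache.log4j.net package, not the real log4j-1.2.17-cloudera1-nonet.jar.

```python
import io
import re
import zipfile

# Class each Log4j 1.2.x CVE depends on (path inside the jar). If the class
# is not in the jar, the code path the CVE describes cannot be reached.
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender.class",
}

# Appender classes a log4j.properties / log4j.xml must name to enable the
# non-default paths the CVE descriptions mention. SocketServer is a
# standalone program, not an appender, so it has no config entry.
CVE_APPENDERS = {
    "CVE-2021-4104": "org.apache.log4j.net.JMSAppender",
    "CVE-2022-23305": "org.apache.log4j.jdbc.JDBCAppender",
}


def jar_classes(jar_bytes):
    """Set of .class entries in a jar (a jar is an ordinary zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def jar_version(jar_bytes):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def strip_comments(config_text):
    """Drop '#' lines (properties) and <!-- --> blocks (xml) so that a
    commented-out appender is not reported as configured."""
    no_xml = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    return "\n".join(l for l in no_xml.splitlines()
                     if not l.lstrip().startswith("#"))


def configured_cves(config_text):
    """CVEs whose appender class is referenced by the live (uncommented) config."""
    text = strip_comments(config_text)
    return {cve for cve, cls in CVE_APPENDERS.items() if cls in text}


def assess(jar_bytes, config_text):
    """Per-CVE verdict for a Log4j 1.2.x jar plus the configuration it runs with."""
    present = jar_classes(jar_bytes)
    configured = configured_cves(config_text)
    verdict = {}
    for cve, cls in CVE_CLASSES.items():
        if cls not in present:
            verdict[cve] = "class removed from jar"
        elif cve in configured:
            verdict[cve] = "class present AND configured: real exposure"
        else:
            verdict[cve] = "class present, not configured: false positive"
    ver = jar_version(jar_bytes)
    if ver and ver.startswith("1."):
        # CVE-2017-5645 is a Log4j 2.x socket-server bug; a 1.x jar is out of scope.
        verdict["CVE-2017-5645"] = "Log4j 2.x only; not applicable to %s" % ver
    return verdict


def make_jar(version, entries):
    """Constructed test jar: a manifest plus empty placeholder .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


# Constructed stand-in for a stock 1.2.17 jar (all three classes present).
STOCK_JAR = make_jar("1.2.17", [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/ConsoleAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
])
# Hypothetical "-nonet" build: the whole org.apache.log4j.net package is gone,
# while org.apache.log4j.jdbc (a different package) is still shipped.
NONET_JAR = make_jar("1.2.17", [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/ConsoleAppender.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
])

# Constructed log4j.properties samples: console only, and console plus JMS.
SAFE_CONFIG = """# constructed sample: console appender only
log4j.rootLogger=INFO, C
log4j.appender.C=org.apache.log4j.ConsoleAppender
# log4j.appender.J=org.apache.log4j.net.JMSAppender   (commented out, inactive)
"""
RISKY_CONFIG = SAFE_CONFIG + (
    "log4j.appender.J=org.apache.log4j.net.JMSAppender\n"
    "log4j.rootLogger=INFO, C, J\n"
)

if __name__ == "__main__":
    for name, jar, cfg in [("nonet/safe", NONET_JAR, SAFE_CONFIG),
                           ("stock/risky", STOCK_JAR, RISKY_CONFIG)]:
        print(name)
        for cve, result in sorted(assess(jar, cfg).items()):
            print("  %s: %s" % (cve, result))
```

To use it against a real deployment, read the jar with open(path, "rb").read() and pass the text of the log4j.properties or log4j.xml the agent actually loads; the scanner's finding is only a real exposure where the verdict says "present AND configured".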


Note that HF 84 has:

HOTFIX # 84 DE496642 - Security vulnerabilities in Apache log4j 1.2rc1, 1.2.14 and 1.2.17

Attachments