APM Log4j vulnerability

Article ID: 252711


Products

CA App Synthetic Monitor

Issue/Introduction

According to the CVE cited below, a fix was provided for the Log4j vulnerability in APM.

The location of the reported vulnerability is shown in the attached image.

Environment

Release : 10.0

Resolution

You are using an unsupported log4j release (see below).

  1. After updating the log4j release (such as to 2.9), run a scan.
  2. If there are any issues, provide Broadcom support with the report, including CVE numbers.

The Apache Log4j end-of-life announcement states that 1.x has not been supported since 2015.

Many 1.2.x findings are false positives:

  • CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x
    • Vulnerability Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    • The CVE description contains "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default." APM does not configure log4j to use JDBC.
  • CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x
    • Vulnerability Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    • The CVE description contains "Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default." APM does not configure log4j to use JMS.
  • CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2 up to 1.2.17
    • Vulnerability Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
    • The SocketServer class is vulnerable to deserialization of untrusted data. APM does not configure log4j to use the socket server.
    • Our modified version log4j-1.2.17-cloudera1-nonet.jar does not contain the org.apache.log4j.net package, so the socket server is removed.
  • CVE-2017-5645 (CRITICAL) - Apache Log4j 2.x before 2.8.2
    • Vulnerability Description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
    • The CVE description contains "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, etc."
    • APM does not configure log4j to use the socket server.
    • Our modified version log4j-1.2.17-cloudera1-nonet.jar does not contain the org.apache.log4j.net package, so the socket server is removed.
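The two claims above (no JDBC/JMS appender is configured, and the shipped jar no longer contains org.apache.log4j.net) can be checked on your own installation rather than taken on trust. The script below is an added example, not Broadcom's code; the jar contents and log4j.properties files it inspects are constructed stand-ins, and the function names are assumptions.

```python
import io
import re
import zipfile

# Appender classes the CVEs above only apply to when explicitly configured.
# SocketServer (CVE-2019-17571) is a standalone process, not an appender, so it is
# covered by the jar check below rather than the config check.
RISKY_APPENDERS = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
}
NET_PACKAGE_PREFIX = "org/apache/log4j/net/"


def jar_has_net_package(jar_bytes: bytes) -> bool:
    """True if the jar still ships org.apache.log4j.net (SocketServer, JMSAppender, ...)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n.startswith(NET_PACKAGE_PREFIX) for n in jar.namelist())


def configured_risky_appenders(properties_text: str) -> dict:
    """Map each risky appender class named in a log4j.properties to its CVE."""
    found = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only 'log4j.appender.<name>=<class>' lines, not '<name>.<option>=...' lines.
        m = re.match(r"log4j\.appender\.[^.=\s]+\s*=\s*(\S+)", line)
        if m and m.group(1) in RISKY_APPENDERS:
            found[m.group(1)] = RISKY_APPENDERS[m.group(1)]
    return found


def build_sample_jar(include_net: bool) -> bytes:
    """Constructed stand-in for a log4j 1.2 jar (not a real Broadcom artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if include_net:
            jar.writestr("org/apache/log4j/net/SocketServer.class", b"")
    return buf.getvalue()


# Constructed configs: plain file logging versus one that enables JMSAppender.
SAFE_CONFIG = """
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=logs/apm.log
"""
RISKY_CONFIG = SAFE_CONFIG + "log4j.appender.JMS=org.apache.log4j.net.JMSAppender\n"
```

On a real system, pass the bytes of the deployed log4j jar to jar_has_net_package and the text of its log4j.properties to configured_risky_appenders; an empty result from both supports treating the 1.2.x findings as false positives, anything else is worth including in the report to support.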

HOTFIX # 84 DE496642 - Security vulnerabilities in Apache log4j 1.2rc1, 1.2.14 and 1.2.17

Additional Information

The "Apache Log4j Unsupported Version Detection (deprecated)" check covers log4j 1.4, not 1.2 (although the resolution is the same).