Koozali.org: home of the SME Server

critical issue regarding log4j

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
critical issue regarding log4j
« on: December 12, 2021, 10:08:12 AM »
Hi all,

if you are using:
elasticsearch
unifi controller
madsonic / subsonic
minecraft

or any other Java-based application that is potentially using log4j, please stop and disable them, then find a way to upgrade them.

see:

https://logging.apache.org/log4j/2.x/security.html


workaround for UniFi if not able to upgrade:

https://community.ui.com/questions/UniFi-Controller-security-concern-zero-day-Log4j-exploit/007103a6-823b-4316-ae76-17942539208c

Jean-Philippe Pialasse
Re: critical issue regarding log4j
« Reply #1 on: December 13, 2021, 12:11:32 AM »
UniFi: either you are able to upgrade to the latest 6-5-54 (on SME10): https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1

or you have to update the log4j jars following this procedure, example for the 5.12.72 version of UniFi:

Code:
# stop the controller before touching its classpath
service unifi stop
cd /opt/UniFi/lib/
# keep the vulnerable 2.11.1 jars aside (renamed, not deleted)
mv log4j-api-2.11.1.jar log4j-api-2.11.1.jar.old
mv log4j-core-2.11.1.jar log4j-core-2.11.1.jar.old
mv log4j-slf4j-impl-2.11.1.jar log4j-slf4j-impl-2.11.1.jar.old
# --no-check-certificate skips TLS verification of the download: compare the tarball with the checksum/signature Apache publishes before unpacking it
wget https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz --no-check-certificate
tar -xzf  apache-log4j-2.15.0-bin.tar.gz apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar apache-log4j-2.15.0-bin/log4j-slf4j-impl-2.15.0.jar
chown -R ubnt: apache-log4j-2.15.0-bin
# symlink the 2.15.0 jars under the file names UniFi's classpath expects
ln -s apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar log4j-api-2.11.1.jar
ln -s apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar log4j-core-2.11.1.jar
ln -s apache-log4j-2.15.0-bin/log4j-slf4j-impl-2.15.0.jar  log4j-slf4j-impl-2.11.1.jar
service unifi start
« Last Edit: December 13, 2021, 04:59:33 AM by Jean-Philippe Pialasse »

Jean-Philippe Pialasse
Re: critical issue regarding log4j
« Reply #2 on: December 13, 2021, 05:41:29 AM »
elasticsearch: please upgrade to the latest 7.x, but if you cannot:

Code:
# rpm -ql elasticsearch |grep log4j
/etc/elasticsearch/log4j2.properties
/usr/share/elasticsearch/lib/log4j-1.2-api-2.9.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.9.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.9.1.jar

Code:
cd /usr/share/elasticsearch/lib/
wget https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz --no-check-certificate
mv log4j-1.2-api-2.9.1.jar log4j-1.2-api-2.9.1.jar.old
mv log4j-api-2.9.1.jar log4j-api-2.9.1.jar.old
mv log4j-core-2.9.1.jar log4j-core-2.9.1.jar.old
tar -xvf apache-log4j-2.15.0-bin.tar.gz \
apache-log4j-2.15.0-bin/log4j-1.2-api-2.15.0.jar \
apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar \
apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar
chown root: -R apache-log4j-2.15.0-bin
ln -s apache-log4j-2.15.0-bin/log4j-1.2-api-2.15.0.jar log4j-1.2-api-2.9.1.jar
ln -s apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar log4j-api-2.9.1.jar
ln -s apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar log4j-core-2.9.1.jar


mmccarn
Re: critical issue regarding log4j
« Reply #3 on: December 13, 2021, 01:30:35 PM »
> elasticsearch: please upgrade to the latest 7.x, but if you cannot:

Thanks. Your notes helped me get log4j updated on an Ubuntu system running Wazuh.

Jean-Philippe Pialasse
Re: critical issue regarding log4j
« Reply #4 on: December 15, 2021, 08:10:41 PM »
One more security flaw has been discovered:

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046

more info soon

Jean-Philippe Pialasse
Re: critical issue regarding log4j
« Reply #5 on: December 16, 2021, 04:58:51 AM »
elasticsearch:

Code:
cd /usr/share/elasticsearch/lib/
service elasticsearch stop

if not already modified:
Code:
mv log4j-1.2-api-2.9.1.jar log4j-1.2-api-2.9.1.jar.old
mv log4j-api-2.9.1.jar log4j-api-2.9.1.jar.old
mv log4j-core-2.9.1.jar log4j-core-2.9.1.jar.old
or, if already modified as in the previous posts:
Code:
unlink log4j-1.2-api-2.9.1.jar; unlink  log4j-api-2.9.1.jar; unlink log4j-core-2.9.1.jar



then:

Code:
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz --no-check-certificate
tar -xvf apache-log4j-2.16.0-bin.tar.gz \
apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
chown root: -R apache-log4j-2.16.0-bin
ln -s apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar log4j-1.2-api-2.9.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar log4j-api-2.9.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar log4j-core-2.9.1.jar
service elasticsearch start




for UniFi:

Code:
service unifi stop
cd /opt/UniFi/lib/
then, if not already modified:
Code:
mv log4j-api-2.11.1.jar log4j-api-2.11.1.jar.old
mv log4j-core-2.11.1.jar log4j-core-2.11.1.jar.old
mv log4j-slf4j-impl-2.11.1.jar log4j-slf4j-impl-2.11.1.jar.old

if already modified:
Code:
unlink log4j-api-2.11.1.jar
unlink log4j-core-2.11.1.jar
unlink log4j-slf4j-impl-2.11.1.jar

Code:
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz --no-check-certificate
tar -xzf  apache-log4j-2.16.0-bin.tar.gz apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar apache-log4j-2.16.0-bin/log4j-slf4j-impl-2.16.0.jar
chown -R ubnt: apache-log4j-2.16.0-bin
ln -s apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar log4j-api-2.11.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar log4j-core-2.11.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-slf4j-impl-2.16.0.jar  log4j-slf4j-impl-2.11.1.jar
service unifi start


for madsonic 5.x:
Code:
service madsonic stop
cd /usr/share/madsonic/
unzip -t madsonic.war |grep log4j
    testing: WEB-INF/lib/log4j-1.2.17.jar   OK
    testing: WEB-INF/lib/slf4j-log4j12-1.7.2.jar   OK
    testing: WEB-INF/classes/log4j.properties   OK
rm WEB-INF -rf
jar -xvf madsonic.war  WEB-INF/lib/log4j-1.2.17.jar
cd WEB-INF/lib/
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
cd ../../
jar -uvf madsonic.war WEB-INF
rm -rf /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
cp -a WEB-INF/lib/log4j-1.2.17.jar /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
service madsonic start
according to https://logging.apache.org/log4j/2.x/security.html
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability. (CVE-2021-45046)
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
mitigation according to https://access.redhat.com/security/cve/CVE-2021-4104

madsonic 6 would need:
Code:
systemctl stop madsonic
cd /usr/share/madsonic/
unzip -t madsonic.war |grep log4j
    testing: WEB-INF/lib/slf4j-log4j12-1.7.22.jar   OK
    testing: WEB-INF/lib/log4j-1.2-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-1.2.17.jar   OK
    testing: WEB-INF/lib/log4j-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-core-2.7.jar   OK
    testing: WEB-INF/classes/log4j.properties   OK
    testing: WEB-INF/classes/log4j2.xml   OK
# patch 1.2
rm WEB-INF -rf
jar -xvf madsonic.war  WEB-INF/lib/log4j-1.2.17.jar
cd WEB-INF/lib/
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
cd ../../
# change 2.x
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz --no-check-certificate
tar -xvf apache-log4j-2.16.0-bin.tar.gz \
apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
mv apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar WEB-INF/lib/log4j-1.2-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar WEB-INF/lib/log4j-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar WEB-INF/lib/log4j-core-2.7.jar
touch  WEB-INF/lib/log4j-2.7patchedTo2.16.0
touch WEB-INF/lib/log4j-1.2patched
#and rebuild
jar -uvf madsonic.war WEB-INF
# update the expanded version
rm -rf /var/madsonic/jetty/
systemctl start madsonic
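Added here as an editor's example (not code from the thread or from Koozali): a small Python checker that does what the elasticsearch, UniFi and madsonic procedures in this thread do by hand, namely find every log4j jar under a lib directory or nested inside a .war, read the version from its file name, and report whether a 2.x core jar still carries JndiLookup.class (CVE-2021-44228, and CVE-2021-45046 for 2.15.0) or a 1.x jar still carries JMSAppender.class (CVE-2021-4104). The tree it scans is constructed in memory; scan() itself takes a {path: bytes} mapping of the jars and wars you read from disk.

```python
import io, re, zipfile

# Class entries behind the CVEs this thread mitigates: JndiLookup (CVE-2021-44228 / CVE-2021-45046, log4j 2.x) and JMSAppender (CVE-2021-4104, log4j 1.x).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")  # matches log4j-core-2.9.1.jar, log4j-1.2.17.jar

def classify(version, names):
    # Status of one log4j jar, from the version in its file name and the classes it actually carries.
    v = tuple(int(p) for p in version.split("."))
    if v[0] == 1:
        return "1.x: JMSAppender present, delete it (CVE-2021-4104)" if JMS_APPENDER in names else "1.x: no JMSAppender, ok"
    if JNDI_LOOKUP not in names:
        return "2.x: JndiLookup class removed, ok"
    if v < (2, 15, 0):
        return "2.x: vulnerable (CVE-2021-44228), upgrade to 2.16.0"
    return "2.x: partial fix only (CVE-2021-45046), upgrade to 2.16.0" if v < (2, 16, 0) else "2.x: 2.16.0 or later, ok"

def inspect_archive(label, data, findings):
    # Record one archive's status, then recurse into jars nested inside it (e.g. WEB-INF/lib in a war).
    try:
        names = set((zf := zipfile.ZipFile(io.BytesIO(data))).namelist())
    except zipfile.BadZipFile:
        return
    if m := NAME_RE.search(label):
        findings[label] = classify(m.group(1), names)
    for n in sorted(n for n in names if n.endswith(".jar")):
        inspect_archive(label + "!" + n, zf.read(n), findings)

def scan(archives):
    # archives: {path: bytes} of .jar/.war files. Returns {label: status}; nested jars are labelled war!entry.
    findings = {}
    for path, data in archives.items():
        inspect_archive(path, data, findings)
    return findings

def make_jar(entries):
    # Constructed fixture: an in-memory zip (jar or war) holding the given entry names; contents do not matter.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan_sample():
    # Constructed tree mirroring the thread's hosts: an Elasticsearch-style lib dir plus a madsonic.war.
    nested = {"WEB-INF/lib/log4j-1.2.17.jar": make_jar({JMS_APPENDER: b""}),
              "WEB-INF/lib/log4j-core-2.15.0.jar": make_jar({JNDI_LOOKUP: b""})}
    return scan({"lib/log4j-core-2.9.1.jar": make_jar({JNDI_LOOKUP: b""}), "madsonic.war": make_jar(nested)})
```

On a real host, build the mapping from disk, e.g. scan({str(p): p.read_bytes() for p in pathlib.Path("/usr/share/elasticsearch/lib").rglob("*.jar")}), and apply the thread's procedure to every entry not reported ok.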