How to Manually Patch log4j CVEs (CVE-2021-44832, CVE-2021-45105)
Log4j is the open source library we use for logging in the Java and JAVA RESTful engines.
This vulnerability only affects the JAVA and JAVA RESTful engines.
The .NET, .NET RESTful engines and the Windward Designer (f.k.a. Autotag) are NOT affected by this vulnerability since this is a JAVA specific dependency.
Windward Studios is actively responding to the latest vulnerabilities in the Apache Log4j 2 Java library. A previous release, 21.5.2, is available for the critical CVEs reported earlier this month.
We have determined that version 20.2.0 of the JAVA and JAVA RESTful engines and all subsequent versions (including the recent 21.5.2 release) ship a log4j library version (2.8.0, 2.16.0) that is affected by these two CVEs. Windward JAVA Engines prior to version 20.2.0 are NOT affected by these log4j vulnerabilities.
These two new vulnerabilities are of moderate severity and can be manually mitigated. They will be patched in the next quarterly release of the Windward Designer and Engines.
CVE-2021-44832 affects Apache Log4j software library versions 2.0-beta9 to 2.17.0. It allows a remote code execution (RCE) attack in which an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j 2 versions 2.17.1, 2.12.4, and 2.3.2.
CVE-2021-45105 affects Apache Log4j 2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3), which did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default PatternLayout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft input that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is a denial of service (DoS) condition.
How to patch CVE-2021-44832 vulnerability
- You may mitigate this vulnerability by upgrading to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
- In prior releases, confirm that if the JDBC Appender is being used, its data source is not configured to use any protocol other than java.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.
How to patch CVE-2021-45105 vulnerability
- Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
Alternatively, this infinite recursion issue can be mitigated in configuration:
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
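The following script is an added example and is not part of this article or of the Windward engines; it audits a Log4j 2 XML configuration for both configuration-level checks described on this page: a JDBC Appender whose DataSource jndiName uses a protocol other than java (the CVE-2021-44832 check above), and PatternLayout patterns that still contain ${ctx:...} or $${ctx:...} Context Lookups, for which it prints the equivalent %X{...} rewrite (the CVE-2021-45105 mitigation). The embedded log4j2.xml is a constructed sample, the `ldap://example.invalid/ds` and `java:comp/env/jdbc/LoggingDS` JNDI names are placeholders, and the element and attribute names (PatternLayout, JDBC, DataSource, jndiName) follow the Log4j 2 configuration format.

```python
"""Audit a Log4j 2 XML configuration for the two manual mitigations described above.

Constructed example, not Windward code. Checks performed:
  1. Any <DataSource jndiName="..."> whose JNDI name does not use the java:
     protocol (the CVE-2021-44832 configuration check).
  2. Any <PatternLayout pattern="..."> that still contains a ${ctx:...} or
     $${ctx:...} Context Lookup, with the equivalent %X{...} rewrite
     (the CVE-2021-45105 configuration mitigation).
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: a Console appender with a Context Lookup in its
# PatternLayout and a JDBC appender whose DataSource uses a non-java JNDI scheme.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] user=$${ctx:loginId} %-5level %logger{36} - %msg%n"/>
    </Console>
    <JDBC name="DbAppender" tableName="LOGS">
      <DataSource jndiName="ldap://example.invalid/ds"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="DbAppender"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:name} and the escaped $${ctx:name} form (the escaped form is what
# survives configuration-time substitution and is resolved per log event).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")


def rewrite_pattern(pattern):
    """Replace each Context Lookup with the Thread Context Map conversion %X{name}.

    %X{name} reads the MDC value directly instead of running it through the
    lookup engine, so a self-referential value cannot recurse.
    """
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1).strip() + "}", pattern)


def audit_config(xml_text):
    """Return a list of (issue, offending_value, suggestion) tuples for an XML config."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Log4j 2 accepts element names in any case, so compare case-insensitively.
        tag = elem.tag.lower()
        if tag == "patternlayout":
            pattern = elem.get("pattern", "")
            if CTX_LOOKUP.search(pattern):
                findings.append((
                    "CVE-2021-45105: Context Lookup in PatternLayout",
                    pattern,
                    "use pattern: " + rewrite_pattern(pattern),
                ))
        elif tag == "datasource":
            jndi_name = elem.get("jndiName", "")
            if jndi_name and not jndi_name.lower().startswith("java:"):
                findings.append((
                    "CVE-2021-44832: JDBC DataSource JNDI name does not use the java protocol",
                    jndi_name,
                    "point jndiName at a java: name (placeholder: java:comp/env/jdbc/LoggingDS) "
                    "or remove the JDBC appender",
                ))
    return findings


def main(argv):
    # Audit the file named on the command line, or the embedded sample when none is given.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    findings = audit_config(xml_text)
    for issue, value, suggestion in findings:
        print(f"{issue}\n  found:      {value}\n  suggestion: {suggestion}")
    if not findings:
        print("no Context Lookups or non-java JDBC DataSource names found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_log4j2.py /path/to/log4j2.xml` to check a real configuration; with no argument it audits the embedded sample and reports both findings. The script only inspects configuration text, so it complements, rather than replaces, upgrading log4j-core to the fixed versions listed above.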
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.