Apache log4j v2 CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105



Description


log4j is a popular logging library for Java applications, used for high-performance collection of an application's log data. An extremely critical threat level (CVE-2021-44228, CVSS score 10) has been identified for certain versions of this library. Additional vulnerabilities were published later (CVE-2021-45046 and CVE-2021-45105).


log4j in versions 2.0 to 2.14.1 might allow attackers to execute code of their choosing on the target system and thus compromise the server. This can happen when log4j is used to log an attacker-controlled string, such as the HTTP User-Agent header.

This critical vulnerability therefore potentially affects all Java applications accessible from the Internet that log parts of user requests via log4j. Internal systems might also be exploitable if they receive or process external data.


For further details see https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.html (in German).


Update as of 12/30/2021:

On 12/28/2021, an additional vulnerability, CVE-2021-44832, was disclosed; it is fixed in log4j v2.17.1. This vulnerability is not rated as critical: in particular, an attacker would already need write access to the log4j configuration to exploit it.

An update to log4j v2.17.1 will be done with the next releases of the affected SER products.

If you want to patch your system against the CVEs listed below by updating log4j, we recommend using log4j 2.17.1 right away, which also fixes CVE-2021-44832.


Update as of 12/21/2021:

On 12/18/2021, another vulnerability in log4j 2.16 (CVE-2021-45105, CVSS score 7.5) was disclosed and fixed in log4j 2.17. It enables a denial-of-service attack; it does not allow remote code execution.

For further details see https://logging.apache.org/log4j/2.x/security.html


Affected SER products (Update as of 12/21/2021):

In some SER product releases, the log4j library is used in the critical versions specified above. The affected products are listed in the following table. The recommended solution is indicated in the "Solution" column.


Update as of 12/21/2021:

New patches or hotfixes containing log4j version 2.17.0 have been provided and added to the table. In addition, only one variant of the configurational workaround is still recommended; it is intended for cases where a product cannot be updated.

Product | Affected Versions | Solution
Doxis4 CSB | V03.04p0 to V03.04p7 (Fulltext service only) | Configurative workaround or log4j update to version 2.17.0
Doxis4 CSB | V04.00p0 to V04.01p3 (FIPS & Fulltext Service only) | Configurative workaround, update to V04.01p3 hotfix 1, or log4j update to version 2.17.0
Doxis4 ERP Connection Service | Version 1.6.0 only | Configurative workaround or update to V1.6.2
Doxis4 XInvoice Converter | V01.0.0 and V1.1.0 | Configurative workaround or update to V1.1.2
Doxis4 safeLock | V02.05p0 to V02.05p4 | Update to hotfix 2, applicable to V02.05 including all patches


Workaround


To work around the highly critical vulnerabilities CVE-2021-44228 and CVE-2021-45046 in log4j v2, the only recommended variant left is to remove the JndiLookup class from log4j. This is because the risk level associated with CVE-2021-45046 has been raised. Setting the Java property "-Dlog4j2.formatMsgNoLookups=True" does not fix the problem.


The recommended variant provides these additional advantages:

  • Easier to automate and uniformly applicable
  • Accommodates custom developments
  • Accommodates Elasticsearch, if affected [1]
  • Applicable to log4j versions before 2.10

Please note that the CVE-2021-45105 vulnerability published on 12/18/2021 cannot be fixed with the above workaround. For workarounds to fix this vulnerability, see https://logging.apache.org/log4j/2.x/security.html. However, CVE-2021-45105 does not allow for information leakage or remote code execution, so the configurational workaround is still a quick way to significantly reduce the threat level. This applies in particular if a product cannot be updated at short notice.
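The workaround above says what to remove but not how. The following is an added example, not SER's code: it rewrites a log4j-core jar without the org/apache/logging/log4j/core/lookup/JndiLookup.class entry (the location of that class in log4j 2.x jars), after copying the original jar to a .bak file as the advisory asks. The sample jar it builds is a constructed stand-in with a manifest and two fake class entries, not a real log4j build; point strip_jndi_lookup() at a real log4j-core-2.x.jar to apply the workaround.

```python
"""Added example (not SER's code): apply the advisory's workaround by
removing the JndiLookup class from a log4j-core jar, after taking a backup.
"""
import os
import shutil
import tempfile
import zipfile

# Location of the vulnerable lookup class inside log4j-core 2.x jars.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path: str) -> bool:
    """True if the jar still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without the JndiLookup entry.

    A copy of the original jar is kept as <jar>.bak first, matching the
    advisory's instruction to back up files before removing or replacing
    them.  Returns True if the entry was removed, False if it was absent.
    """
    if not has_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            # Passing the ZipInfo keeps each entry's timestamp and compression.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: no half-written jar on disk
    return True


def make_sample_jar(jar_path: str) -> None:
    """Constructed stand-in for log4j-core-2.14.1.jar (not a real log4j
    build): a manifest, one harmless class entry and the JndiLookup entry,
    so the workaround can be exercised offline."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def run_demo() -> dict:
    """Create the sample jar in a temp dir, strip it, and report what changed."""
    workdir = tempfile.mkdtemp(prefix="log4j-demo-")
    jar = os.path.join(workdir, "log4j-core-2.14.1.jar")
    make_sample_jar(jar)
    before = has_jndi_lookup(jar)
    removed = strip_jndi_lookup(jar)
    after = has_jndi_lookup(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    return {
        "before": before,            # True: class present in the sample jar
        "removed": removed,          # True: entry was stripped
        "after": after,              # False: class gone
        "remaining": remaining,      # all other entries survive
        "backup_exists": os.path.exists(jar + ".bak"),
        "second_run": strip_jndi_lookup(jar),  # False: nothing left to remove
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the class is removed from the jar rather than disabled by a property, the change survives JVM restarts and applies to log4j versions before 2.10 as well, which is the reason the advisory prefers it over the formatMsgNoLookups setting. Re-run has_jndi_lookup() on every log4j-core jar on the system after patching to confirm nothing was missed.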


New versions of the affected SER products (Update as of 12/21/2021):

Patches or hotfixes have been provided for the affected SER products, in which log4j v2 is only used in version 2.17.0. They fix CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

Product | Updated to Log4j v2.17 with
Doxis4 CSB | V04.01p3 Hotfix1
Doxis4 ERP Connection Service | V1.6.2
Doxis4 XInvoice Converter | V1.1.2
Doxis4 safeLock | Hotfix 2 for V02.05p0 to V02.05p4

In order to avoid an update for Doxis4 CSB V03.04 and V04.00, it is also possible to only update the log4j v2 contained in Doxis4 Fulltext Service and Doxis4 FIPS to 2.17.0 as described below.


Update of log4j v2 in Doxis4 CSB FIPS & Fulltext for V03.04 and V04.00 (New on 12/21/2021)


For older versions (V03.04 and later) where a full upgrade is not possible or not desired, the log4j2 libraries can be updated individually.

To do this, proceed as described below. All the files mentioned below should first be backed up and then removed or replaced.


Doxis4 Fulltext Service (as of V03.04)

In the lib directory

replace log4j-api.jar with log4j-api-2.17.0.jar

replace log4j-core.jar with log4j-core-2.17.0.jar

replace log4j-1.2-api.jar with log4j-1.2-api-2.17.0.jar


Doxis4 FIPS (as of V04.00)

In the lib/commons-impl directory

replace log4j-api-2.11.2.jar with log4j-api-2.17.0.jar

replace log4j-core-2.11.2.jar with log4j-core-2.17.0.jar

In the lib directory

replace log4j-1.2-api-2.11.2.jar with log4j-1.2-api-2.17.0.jar


Command-line tool csbcmd (as of V04.00p1)

In the csbcli\lib\common directory

delete log4j-api-2.11.2.jar

delete log4j-core-2.11.2.jar

This step is optional because the library was shipped but not used by the command-line tool.
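After replacing jars by hand as described above, it is easy to leave an old copy behind in one of the directories. The following added example (not SER's code) audits a directory tree for the three log4j 2.x artifacts named in the steps above (log4j-core, log4j-api, log4j-1.2-api) and flags any below 2.17.0. It takes the version from the file name where present (log4j-core-2.11.2.jar) and otherwise from the Implementation-Version header in META-INF/MANIFEST.MF, which is an assumption about how the unversioned Fulltext Service jars are built. The directory layout and jars it creates for the demo are constructed, not copied from a real installation.

```python
"""Added example (not SER's code): audit a product's lib directories for
log4j 2.x jars and flag any below the version the advisory requires.
"""
import os
import re
import tempfile
import zipfile

REQUIRED = (2, 17, 0)

# The three log4j 2.x artifacts named in the advisory's replacement steps,
# with or without a version suffix in the file name.
LOG4J_JAR = re.compile(r"^(log4j-(?:core|api|1\.2-api))(?:-(\d+(?:\.\d+)*))?\.jar$")


def version_tuple(text: str) -> tuple:
    """'2.17.0' -> (2, 17, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def jar_version(jar_path: str):
    """Version from the file name; for unversioned names (log4j-core.jar)
    fall back to Implementation-Version in the manifest (assumed present).
    Returns None when neither source gives a version."""
    match = LOG4J_JAR.match(os.path.basename(jar_path))
    if match is None:
        return None
    if match.group(2):
        return version_tuple(match.group(2))
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return version_tuple(line.split(":", 1)[1].strip())
    return None


def audit_tree(root: str, required=REQUIRED) -> list:
    """Walk root and return (path relative to root, version, status) for
    every log4j 2.x jar found; status is 'ok', 'outdated' or 'unknown'."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not LOG4J_JAR.match(name):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None:
                status = "unknown"
            elif version >= required:
                status = "ok"
            else:
                status = "outdated"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, version, status))
    return findings


def write_jar(path: str, implementation_version: str) -> None:
    """Constructed stand-in jar (not a real log4j build) carrying only a
    manifest with the given Implementation-Version."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {implementation_version}\n")


def run_demo() -> dict:
    """Build a constructed lib layout modelled on the steps above and audit it."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    # Fulltext Service style: unversioned names, version only in the manifest.
    write_jar(os.path.join(root, "fulltext", "lib", "log4j-core.jar"), "2.14.1")
    write_jar(os.path.join(root, "fulltext", "lib", "log4j-api.jar"), "2.17.0")
    # FIPS style: version in the file name; one jar was not replaced.
    write_jar(os.path.join(root, "fips", "lib", "commons-impl", "log4j-core-2.11.2.jar"), "2.11.2")
    write_jar(os.path.join(root, "fips", "lib", "commons-impl", "log4j-api-2.17.0.jar"), "2.17.0")
    write_jar(os.path.join(root, "fips", "lib", "log4j-1.2-api-2.17.0.jar"), "2.17.0")
    # Unrelated jar: must be ignored by the audit.
    write_jar(os.path.join(root, "fips", "lib", "commons-lang3-3.12.0.jar"), "3.12.0")
    findings = audit_tree(root)
    return {
        "findings": findings,
        "outdated": sorted(path for path, _, status in findings if status == "outdated"),
        "ok_count": sum(1 for _, _, status in findings if status == "ok"),
    }


if __name__ == "__main__":
    for rel, version, status in run_demo()["findings"]:
        print(f"{status:9s} {version} {rel}")
```

Run audit_tree() against the product installation root after the manual replacement; anything reported as outdated or unknown still needs attention, and the optional csbcli deletion step above shows up as a clean result only once the 2.11.2 jars are gone.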


SER products not affected by Log4j v2 security vulnerabilities:


Java-based products that are not affected by the vulnerability are listed in the following table:

Product | Versions
Doxis4 JavaAPI | All versions
Doxis4 webCube | All versions
Doxis4 mobileCube | All versions
Doxis4 XInvoice Converter | as of V1.1.2
Doxis4 OrgaTransmitter | All versions
Doxis4 CMIS Connector | All versions
Doxis4 webDAV Connector | All versions
Doxis4 webDAV Connector for ILM | All versions
Doxis4 DICOM Connector | All versions
Doxis4 safeLock | < V2.5
Doxis4 InvoiceMaster Control Plus (DIMCP) | All versions
Doxis4 InvoiceMaster Control (DIMC) | All versions
Doxis4 Intelligent Invoice Automation | All versions
Doxis4 ERP Connection Service | < V1.6 or >= V1.6.2



All SER products that are not Java-based (such as Doxis4 Rendition Server, Doxis4 Gateway, Doxis4 Classification & Extraction Service, ...) are not affected by the vulnerability.


The corresponding downloads for the new versions can be found on your SER Portal FTP server.
If you do not know how to access the portal, please contact the SERviceDesk.


[APA, 30.12.2021 14:42]

Related links


[1] Elasticsearch is affected on Java 8, but not on Java 11. Details can be found at: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476


Downloads

Attached files:
log4j-1.2-api-2.17.1.jar (404kb)
log4j-api-2.17.1.jar (404kb)
log4j-core-2.17.1.jar (404kb)
Log4j-SicherheitslückeFollowUp_V1.2_DE.pdf (404kb)
Log4j-VulnerabilityFollowUp_V1.2_EN.pdf (404kb)