Menu
I've got a very old version of Solr and I've been trying to see if it is affected by the Log4Shell vulnerability that everybody is freaking out about (CVE-2021-44228).
The CVE only seems to apply to later versions, but a colleague doesn't buy it, so I'm trying to figure out the truth.
588
Details of CVE-2021-4104 JMSAppender, in log4j 1.2 version, is vulnerable to deserialization of untrusted data if the attacker has the 'write' permissions to the log4j configuration.
The most common way to fix a vulnerability is to install a system update or an application patch. The Log4j team has released an upgrade, called Apache Log4j 2, promising to fix existing issues in Logback's architecture (Logback is dubbed as a successor to the Log4j project).
Answer: No, NetBackup clients do not use log4j 2. x, and are NOT vulnerable to CVE-2021-44228 or CVE-2021-45046.
Log4j 1. x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured.
I'm about 95% sure this is fine for older versions of Log4j. Three reasons:
I'm on version 1.2. I found the Log4j JAR file on my system, unzipped it, and looked for anything mentioning JNDI:
find / -iname '*log4j*'
unzip /etc/opt/jetty/lib/ext/log4j-1.2.17.jar | grep -i jndi
That brought back nothing, so I feel pretty good there. The CVE says that you'd normally find something by looking in the JAR file. It suggests you do:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
That wouldn't do anything for me.
I dug through the changelog for Log4j. It says for version 2.0-beta9:
Add JNDILookup plugin. Fixes LOG4J2-313. Thanks to Woonsan Ko.
So I think it's safe to say that JNDI didn't exist in Log4j before then. The Jira ticket that added it is here.
I checked the old manual for version 1.2 and compared it to the latest version. In the latest, there's a section for "Lookups" that explains how JNDI works. In version 1.2, that section just isn't there.
I think it's...fine?
158
answered Sep 28 '22 08:09
Ralph Goers (Apache Log4J maintainer) said:
There are two aspects to this vulnerability.
- Log4j 2’s lookup mechanism (property resolver) was being performed on the message text being logged. This meant that if applications are logging user input (almost everyone does) a user could cause the Lookup mechanism to be invoked.
- Log4j 2 supports JNDI in various places, including as a lookup. JNDI itself is horribly insecure. The combined effect of these is what makes it a critical severity issue for Log4j 2. Log4j 1, as well as Logback, both have components that use JNDI and neither do anything to limit the JNDI vulnerabilities. In the case of Log4j 1 it is the JMS Appender. The exposure is smaller but it is still there. If someone can gain access to the logging configuration they could conceivably cause bad things to happen.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
