Menu
I am using Log4j 1.2.16. I am using this with a Maven Selenium testing Java project. I am looking for a solution without upgrading the version of Log4j.
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.16</version>
</dependency>
444
A vulnerability of CVE-2021-4104 was identified within JMSAppender in Apache Log4j 1. x, which is vulnerable to deserialization of untrusted data. This vulnerability allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker.
The most common way to fix a vulnerability is to install a system update or an application patch. The Log4j team has released an upgrade, called Apache Log4j 2, promising to fix existing issues in Logback's architecture (Logback is dubbed as a successor to the Log4j project).
Apache Log4j2 versions from 2.0-beta7 to 2.17. 0 (excluding security fix releases 2.3. 2 and 2.12. 4) are vulnerable to a remote code execution attack.
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j 1 reached End-Of-Life on August 2015.
Thus, you should update the log4j packages that you use, as soon as possible to mitigate the risks that it could incur! The log4j vulnerability affects all versions from 2.0-beta9 through 2.12.1, and 2.13.0 through 2.14.1, which also includes 2.15.0-rc1. So updating your version isn’t optional — it’s imperative! What exactly is Log4j?
Early mitigation advice, including from the Log4j developers, was to set a property called formatMsgNoLookups in Log4j versions higher than 2.10 to true or an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. This was proven inefficient by the second denial-of-service vulnerability, which works even with this flag enabled.
The log4j vulnerability affects all versions from 2.0-beta9 through 2.12.1, and 2.13.0 through 2.14.1, which also includes 2.15.0-rc1. So updating your version isn’t optional — it’s imperative! What exactly is Log4j? The Problem What is the CVE-2021-44228 log4j vulnerability? How is this Vulnerability exploited? What exactly is Log4j?
The flaw was found in a third-party library that supports Log4j, called Commons Collections. The vulnerability allowed an attacker to construct a malicious appender that could log sensitive information on behalf of another program. If your application uses Log4j (or you’re using another library based on it), then you need to know how to fix it.
Another answer is not correct. There is also a vulnerability for version 1.x. CVE-2021-4104:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker.
For the mitigation of this vulnerability:
These are the possible mitigations for this flaw for releases version 1.x:
Comment out or remove JMSAppender in the Log4j configuration if it is used
Remove the JMSAppender class from the classpath. For example:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.
57
Since you're using Log4j 1, the specific vulnerability is not present there. However, note the following from Comments on the log4shell(CVE-2021-44228) vulnerability:
Is log4j 1.x vulnerable?
Given that log4j version 1.x is still very widely deployed, perhaps 10 times more widely than log4j 2.x, we have been receiving a steady stream of questions regarding the vulnerability of log4j version 1.x.As log4j 1.x does NOT offer a JNDI look up mechanism at the message level, it does NOT suffer from CVE-2021-44228.
However, log4j 1.x comes with
JMSAppenderwhich will perform a JNDI lookup if enabled in log4j's configuration file, i.e. log4j.properties or log4j.xml.An attacker who ALREADY has write access the log4j configuration file will need to add
JMSAppenderinto the configuration poisoned with malicious connection parameters. Note that prior legitimate usage ofJMSAppenderis irrelevant to the ability of the attacker to mount a successful attack.Also note that poisoning the configuration file is not enough. The attacker also needs to force log4j to reload its configuration file with the poisoned parameters. Given that log4j 1.x does not offer automatic reloading, the poisoned configuration file will typically only become effective at application restart.
Nevertheless, while not easy, such an attack is not impossible. Thus it makes some sense to make job of the attacker even harder by removing
JMSAppenderaltogether from log4j-1.2.17.jar.In the absence of a new log4j 1.x release, you can remove
JMSAppenderfrom the log4j-1.2.17.jar artifact yourself. Here is the command:zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.classIf you do not have access to 'zip', you can also use the 'jar' command.
#assuming log4j-1.2.17.jar exists in current directory mkdir tmp cd tmp jar xvf ../log4j-1.2.17.jar rm org/apache/log4j/net/JMSAppender.class jar cvf ../log4j-1.2.17-patched.jar .It goes without saying that once log4j-1.2.17.jar is patched, you would need to deploy it.
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
