Bug 2031667 (CVE-2021-4104) - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [NEEDINFO]
Summary: CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4104
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2032160 2031674 2031675 2031676 2031677 2031679 2032100 2032101 2032102 2032151 2032152 2032153 2032154 2032155 2032156 2032157 2032158 2032159 2032161 2032162 2032163 2032164 2032166 2032182 2032185 2032309 2032310 2032311 2032312 2032313 2032314 2032315 2032316 2032317 2032318 2032319 2032320 2032321 2032322 2032323 2033534
Blocks: 2030930
TreeView+ depends on / blocked
 
Reported: 2021-12-13 07:54 UTC by Paramvir jindal
Modified: 2022-04-19 20:38 UTC (History)
159 users (show)

Fixed In Version: log4j 2.15.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP endpoint.
Clone Of:
Environment:
Last Closed: 2021-12-22 22:10:56 UTC
gmalinko: needinfo-
aileenc: needinfo-
ggrzybek: needinfo? (ggaughan)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5107 0 None None None 2021-12-16 15:00:35 UTC
Red Hat Product Errata RHSA-2021:5141 0 None None None 2021-12-16 07:50:15 UTC
Red Hat Product Errata RHSA-2021:5148 0 None None None 2021-12-15 20:09:49 UTC
Red Hat Product Errata RHSA-2021:5183 0 None None None 2021-12-16 21:16:14 UTC
Red Hat Product Errata RHSA-2021:5184 0 None None None 2021-12-16 21:40:44 UTC
Red Hat Product Errata RHSA-2021:5186 0 None None None 2021-12-16 22:36:35 UTC
Red Hat Product Errata RHSA-2021:5206 0 None None None 2021-12-20 09:32:00 UTC
Red Hat Product Errata RHSA-2021:5269 0 None None None 2021-12-22 21:26:13 UTC
Red Hat Product Errata RHSA-2022:0289 0 None None None 2022-01-26 14:51:59 UTC
Red Hat Product Errata RHSA-2022:0290 0 None None None 2022-01-26 14:49:38 UTC
Red Hat Product Errata RHSA-2022:0291 0 None None None 2022-01-26 14:50:54 UTC
Red Hat Product Errata RHSA-2022:0294 0 None None None 2022-01-26 14:45:56 UTC
Red Hat Product Errata RHSA-2022:0430 0 None None None 2022-02-03 14:04:50 UTC
Red Hat Product Errata RHSA-2022:0435 0 None None None 2022-02-03 18:24:10 UTC
Red Hat Product Errata RHSA-2022:0436 0 None None None 2022-02-03 18:30:31 UTC
Red Hat Product Errata RHSA-2022:0437 0 None None None 2022-02-03 18:44:40 UTC
Red Hat Product Errata RHSA-2022:0438 0 None None None 2022-02-03 18:49:53 UTC
Red Hat Product Errata RHSA-2022:0444 0 None None None 2022-02-07 13:42:03 UTC
Red Hat Product Errata RHSA-2022:0445 0 None None None 2022-02-07 14:23:44 UTC
Red Hat Product Errata RHSA-2022:0446 0 None None None 2022-02-07 13:44:04 UTC
Red Hat Product Errata RHSA-2022:0447 0 None None None 2022-02-07 13:53:49 UTC
Red Hat Product Errata RHSA-2022:0448 0 None None None 2022-02-07 13:52:46 UTC
Red Hat Product Errata RHSA-2022:0449 0 None None None 2022-02-07 13:48:38 UTC
Red Hat Product Errata RHSA-2022:0450 0 None None None 2022-02-07 14:47:57 UTC
Red Hat Product Errata RHSA-2022:0475 0 None None None 2022-02-08 16:57:20 UTC
Red Hat Product Errata RHSA-2022:0497 0 None None None 2022-02-09 13:11:23 UTC
Red Hat Product Errata RHSA-2022:0507 0 None None None 2022-02-10 17:26:51 UTC
Red Hat Product Errata RHSA-2022:0524 0 None None None 2022-02-14 17:07:12 UTC
Red Hat Product Errata RHSA-2022:0527 0 None None None 2022-02-14 17:31:16 UTC
Red Hat Product Errata RHSA-2022:0553 0 None None None 2022-02-15 18:54:58 UTC
Red Hat Product Errata RHSA-2022:0661 0 None None None 2022-02-23 20:00:57 UTC
Red Hat Product Errata RHSA-2022:1296 0 None None None 2022-04-11 12:56:47 UTC
Red Hat Product Errata RHSA-2022:1297 0 None None None 2022-04-11 12:58:16 UTC
Red Hat Product Errata RHSA-2022:1299 0 None None None 2022-04-11 13:01:04 UTC

Description Paramvir jindal 2021-12-13 07:54:06 UTC
A flaw was found in the Java logging library Apache Log4j in version 1.x . This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.

In 1.x you will find that there are two places where lookups are done - that is JMSAppender.java:207 and JMSAppender.java:222 - if you set TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a" JNDI will do exactly the same thing it does for 2.x - so 1.x is vulnerable, just attack vector is "safer" as it depends on configuration rather than user input

This flaw in Log4j 2.x is tracked via CVE-2021-44228

Comment 3 Huzaifa S. Sidhpurwala 2021-12-13 08:25:44 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2031679]

Comment 5 Torstein Hansen 2021-12-13 09:24:22 UTC
https://github.com/apache/logging-log4j2/pull/608
Note that log4j 1.x is End of Life and has other security vulnerabilities that will not be fixed
https://logging.apache.org/log4j/1.2/
https://www.cvedetails.com/cve/CVE-2019-17571/

Comment 9 Yadnyawalk Tale 2021-12-13 12:49:18 UTC
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it does not make use of JMSAppender method and use logback framework for logging.

Comment 14 Simone 2021-12-13 17:09:23 UTC
Hi there,

I don't understand how this vulnerability can be considered like the original one in 2.x.

1) you need to gain access to the log4j.properties file
2) you can execute a command only by putting it in the properties TopicBindingName or TopicConnectionFactoryBindingName. For example:
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://localhost:61616
>>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
>>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a

So it's not input-driven like the CVE-2021-44228. In a situation like this, I don't understand how an attacker can (as written in the title) do a "Remote code execution". In the worst scenario it can be a "local code execution" after he already gained server access...am I wrong? Thank you!

Comment 23 Paramvir jindal 2021-12-14 05:20:24 UTC
In reply to comment #14:
> Hi there,
> 
> I don't understand how this vulnerability can be considered like the
> original one in 2.x.
> 
> 1) you need to gain access to the log4j.properties file
> 2) you can execute a command only by putting it in the properties
> TopicBindingName or TopicConnectionFactoryBindingName. For example:
> log4j.appender.jms=org.apache.log4j.net.JMSAppender
> log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.
> ActiveMQInitialContextFactory
> log4j.appender.jms.ProviderURL=tcp://localhost:61616
> >>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
> >>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
> 
> So it's not input-driven like the CVE-2021-44228. In a situation like this,
> I don't understand how an attacker can (as written in the title) do a
> "Remote code execution". In the worst scenario it can be a "local code
> execution" after he already gained server access...am I wrong? Thank you!

that is correct. I have updated the CVE description just now to include as much details as possible regarding the conditions required to exploit the flaw.

Comment 24 Paramvir jindal 2021-12-14 06:48:44 UTC
Marking Red Hat EAP-XP 3 as not affected; the product does not directly ship log4j, but consumes artifacts from base EAP.

Comment 25 Paramvir jindal 2021-12-14 07:06:14 UTC
Marking JDG-8 as not affected as it does not ship log4j version 1 anywhere with its distribution.

Comment 32 Simone 2021-12-14 08:21:00 UTC
(In reply to Paramvir jindal from comment #23)
> In reply to comment #14:
> > Hi there,
> > 
> > I don't understand how this vulnerability can be considered like the
> > original one in 2.x.
> > 
> > 1) you need to gain access to the log4j.properties file
> > 2) you can execute a command only by putting it in the properties
> > TopicBindingName or TopicConnectionFactoryBindingName. For example:
> > log4j.appender.jms=org.apache.log4j.net.JMSAppender
> > log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.
> > ActiveMQInitialContextFactory
> > log4j.appender.jms.ProviderURL=tcp://localhost:61616
> > >>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
> > >>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
> > 
> > So it's not input-driven like the CVE-2021-44228. In a situation like this,
> > I don't understand how an attacker can (as written in the title) do a
> > "Remote code execution". In the worst scenario it can be a "local code
> > execution" after he already gained server access...am I wrong? Thank you!
> 
> that is correct. I have updated the CVE description just now to include as
> much details as possible regarding the conditions required to exploit the
> flaw.

Thank you Paramvir! In this case, the only real solution would be to give proper read/write permission to our application files, right? If I simply update my log4j to the latest fixed version (2.15), I would still be vulnerable, since an attacker that has gained access to my server can also replace my log4j jar with a previous version. what do you think? Thanks again!

Comment 41 Ugo Bellavance 2021-12-14 11:16:57 UTC
Please add status for Red Hat Enterprise Linux 6, which is still covered by ELS.
Thanks,

Comment 43 Mark Little 2021-12-14 11:58:01 UTC
I agree with Carlo de Wolf and others: there is no log4j v2 exploit here. Other vendors, such as Apache, Snyk, Microsoft, Atlassian etc. have reviewed log4j v1 too, specifically with the JMSAppender concern. Including a couple of references:

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

"We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

The JMS Appender is configured in the application's Log4j configuration
The javax.jms API is included in the application's CLASSPATH
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime "

And https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv

"1. As *log4j 1.x* does NOT offer a JNDI look up mechanism at the message level,* it does NOT suffer from CVE-2021-44228.*
2. However, log4j 1.x comes with JMSAppender which will perform JNDI lookup if enabled in log4j's configuration file, i.e. *log4j.properties* or *log4j.xml*.
3. In the absense of a new log4j 1.x release, you can remove JMSAppender from *log4j-1.2.17.jar* artifact yourself. (commands are listed in the page <http://slf4j.org/log4shell.html>)
4. Therefore, in addition to hardening KNOWN vulnerable components in aforementioned frameworks, we also recommend that *configuration files be protected against write access*. In Unix-speak they should be *read-only for all users, including the owner*. If possible, they should also be monitored against changes and unauthorized manipulation."

Comment 50 Mike Murphy 2021-12-15 17:17:48 UTC
Can we confirm whether or not we'll provide an update for verion 1.x ? Specifically  1.2.17? Or will this be considered not affected?

Comment 51 errata-xmlrpc 2021-12-15 20:09:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148

Comment 55 errata-xmlrpc 2021-12-16 07:50:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141

Comment 57 errata-xmlrpc 2021-12-16 15:00:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107

Comment 58 Ted Jongseok Won 2021-12-16 16:10:47 UTC
In reply to comment #50:
> Can we confirm whether or not we'll provide an update for verion 1.x ?
> Specifically  1.2.17? Or will this be considered not affected?

Providing or using a patched log4j 1.x version is at the discretion of the particular affected product's team.

Note: 
This is a moderate impact CVE and may be out of support scope for some products listed, these are detailed on our life-cycle pages - https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 65 errata-xmlrpc 2021-12-16 21:16:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5183 https://access.redhat.com/errata/RHSA-2021:5183

Comment 66 errata-xmlrpc 2021-12-16 21:40:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5184 https://access.redhat.com/errata/RHSA-2021:5184

Comment 67 errata-xmlrpc 2021-12-16 22:36:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5186 https://access.redhat.com/errata/RHSA-2021:5186

Comment 69 errata-xmlrpc 2021-12-20 09:31:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  Red Hat Enterprise Linux 7

Via RHSA-2021:5206 https://access.redhat.com/errata/RHSA-2021:5206

Comment 72 errata-xmlrpc 2021-12-22 21:26:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:5269 https://access.redhat.com/errata/RHSA-2021:5269

Comment 73 Product Security DevOps Team 2021-12-22 22:10:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4104

Comment 83 errata-xmlrpc 2022-01-26 14:45:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0294 https://access.redhat.com/errata/RHSA-2022:0294

Comment 84 errata-xmlrpc 2022-01-26 14:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0290 https://access.redhat.com/errata/RHSA-2022:0290

Comment 85 errata-xmlrpc 2022-01-26 14:50:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0291 https://access.redhat.com/errata/RHSA-2022:0291

Comment 86 errata-xmlrpc 2022-01-26 14:51:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0289 https://access.redhat.com/errata/RHSA-2022:0289

Comment 87 errata-xmlrpc 2022-02-03 14:04:43 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.9

Via RHSA-2022:0430 https://access.redhat.com/errata/RHSA-2022:0430

Comment 88 errata-xmlrpc 2022-02-03 18:24:04 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0435 https://access.redhat.com/errata/RHSA-2022:0435

Comment 89 errata-xmlrpc 2022-02-03 18:30:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:0436 https://access.redhat.com/errata/RHSA-2022:0436

Comment 90 errata-xmlrpc 2022-02-03 18:44:32 UTC
This issue has been addressed in the following products:

  EAP 6.4 log4j async

Via RHSA-2022:0437 https://access.redhat.com/errata/RHSA-2022:0437

Comment 91 errata-xmlrpc 2022-02-03 18:49:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:0438 https://access.redhat.com/errata/RHSA-2022:0438

Comment 92 errata-xmlrpc 2022-02-07 13:41:55 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0444 https://access.redhat.com/errata/RHSA-2022:0444

Comment 93 errata-xmlrpc 2022-02-07 13:43:55 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2022:0446 https://access.redhat.com/errata/RHSA-2022:0446

Comment 94 errata-xmlrpc 2022-02-07 13:48:30 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0449 https://access.redhat.com/errata/RHSA-2022:0449

Comment 96 errata-xmlrpc 2022-02-07 13:52:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448

Comment 97 errata-xmlrpc 2022-02-07 13:53:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447

Comment 98 errata-xmlrpc 2022-02-07 14:23:36 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0445 https://access.redhat.com/errata/RHSA-2022:0445

Comment 99 errata-xmlrpc 2022-02-07 14:47:49 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0450 https://access.redhat.com/errata/RHSA-2022:0450

Comment 100 errata-xmlrpc 2022-02-08 16:57:12 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:0475 https://access.redhat.com/errata/RHSA-2022:0475

Comment 101 errata-xmlrpc 2022-02-09 13:11:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497

Comment 102 errata-xmlrpc 2022-02-10 17:26:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507

Comment 103 errata-xmlrpc 2022-02-14 17:07:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2022:0524 https://access.redhat.com/errata/RHSA-2022:0524

Comment 104 errata-xmlrpc 2022-02-14 17:31:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:0527 https://access.redhat.com/errata/RHSA-2022:0527

Comment 105 errata-xmlrpc 2022-02-15 18:54:50 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2022:0553 https://access.redhat.com/errata/RHSA-2022:0553

Comment 106 errata-xmlrpc 2022-02-23 20:00:48 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10.1

Via RHSA-2022:0661 https://access.redhat.com/errata/RHSA-2022:0661

Comment 107 errata-xmlrpc 2022-04-11 12:56:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 108 errata-xmlrpc 2022-04-11 12:58:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 109 errata-xmlrpc 2022-04-11 13:00:55 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299


Note You need to log in before you can comment on or make changes to this bug.