
Mitigations for Log4J CVE-2021-44228 #209

Merged: 5 commits, merged Jan 13, 2022

Conversation

alxp (Contributor) commented Dec 13, 2021

  • Github Issue

Islandora/documentation#2007

Taking a number of steps to close up the Shell4J vulnerability on fresh and existing systems provisioned via Ansible.

  • Other Relevant Links (Google Groups discussion, related pull requests, Release pull requests, etc.)

https://logging.apache.org/log4j/2.x/security.html

What does this Pull Request do?

As per the Apache notes in the Log4J CVE, setting an environment variable will turn off the remote lookup feature of Log4J's string formatter. This update sets this as a global environment on all servers.

Since there is some evidence this may not be sufficient, this PR also scans the filesystem and removes the JndiLookup class from any 2.x log4j-core JARs it finds.

What's new?

Added a task to set values in the /etc/environment global variable file.

Adds a variable list in the inventory that currently contains just this one needed value.

Tasks in the Solr role to scan for vulnerable Log4J Core JARs.

  • Does this change require documentation to be updated?
    • No
  • Does this change add any new dependencies?
    • No
  • Does this change require any other modifications to be made to the repository
    • No
  • Could this change impact execution of existing code?
    • No

How should this be tested?

Either a fresh or existing Islandora instance created from a playbook, run this playbook.

Log in via SSH.

  1. Check that the environment variable is set by running 'printenv' and looking for LOG4J_FORMAT_MSG_NO_LOOKUPS being 'true'

  2. Unzip a log4j JAR and verify that the JndiLookup.class file is gone:

Note that this was done after running provision on an existing site so the solr version is 8.6, not the current 8.11.1 which ships with a newer Log4J core JAR.

vagrant@islandora8:~/tmp$ unzip -q /opt/solr-8.6.0/server/lib/ext/log4j-core-2.13.2.jar
vagrant@islandora8:~/tmp$ cd org/apache/logging/log4j/core/lookup/
vagrant@islandora8:~/tmp/org/apache/logging/log4j/core/lookup$ ls *Jndi*
ls: cannot access '*Jndi*': No such file or directory

Additional Notes:

All instances of log4j*.jar on the Vagrant box are either 1.x (not great but not vulnerable to this particular exploit) or are 2.13, unless provisioned fresh since the Solr version bump to 8.11.1.

root@islandora8:/# sudo find . -name "log4j*.jar"
./opt/solr-8.6.0/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar
./opt/solr-8.6.0/contrib/prometheus-exporter/lib/log4j-slf4j-impl-2.13.2.jar
./opt/solr-8.6.0/contrib/prometheus-exporter/lib/log4j-api-2.13.2.jar
./opt/solr-8.6.0/server/lib/ext/log4j-web-2.13.2.jar
./opt/solr-8.6.0/server/lib/ext/log4j-core-2.13.2.jar
./opt/solr-8.6.0/server/lib/ext/log4j-slf4j-impl-2.13.2.jar
./opt/solr-8.6.0/server/lib/ext/log4j-1.2-api-2.13.2.jar
./opt/solr-8.6.0/server/lib/ext/log4j-api-2.13.2.jar
./opt/fits-1.4.1/lib/droid/log4j-1.2.13.jar
./opt/fits-1.4.1/lib/log4j-1.2.17.jar
./opt/activemq/lib/optional/log4j-1.2.17.jar
./var/lib/tomcat9/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar
./var/lib/tomcat9/webapps/fits/WEB-INF/lib/log4j-1.2.17.jar
./root/.gradle/wrapper/dists/gradle-5.0-all/4mxuau4c77thx8zlvtz4xiez7/gradle-5.0/samples/userguide/antMigration/fileDeps/groovy/libs/log4j-1.2.8.jar
./root/.gradle/wrapper/dists/gradle-5.0-all/4mxuau4c77thx8zlvtz4xiez7/gradle-5.0/samples/userguide/antMigration/fileDeps/kotlin/libs/log4j-1.2.8.jar

The change in the tomcat role is to fix a deprecation in Ansible's syntax that was preventing me from running the playbook on my Homebrew-installed Ansible v. 2.12.

Interested parties

@Islandora-Devops/committers
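As an added example (not code from this PR or the Islandora playbook), here is the scan-and-strip step the Solr-role tasks perform, written in Python: it walks a directory tree for log4j-core 2.x JARs, removes org/apache/logging/log4j/core/lookup/JndiLookup.class from each one as Apache's security page describes, and leaves the 1.x and log4j-api JARs alone. The fixture tree, its placeholder class bytes and the function names are constructed for the demo and mirror the paths in the find output above; a real run would be pointed at /opt.

```python
import os, re, tempfile, zipfile
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-2\.\d+(\.\d+)*\.jar$")  # only 2.x core JARs carry JndiLookup

def has_jndi_lookup(jar_path):
    """True while the JAR still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the JAR without JndiLookup.class (what `zip -q -d` does in place)."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))  # keeps per-entry metadata
    os.replace(tmp_path, jar_path)  # atomic swap: a crash never leaves a half-written JAR
    return True

def remediate(root):
    """Walk root like the PR's scan; map each log4j-core 2.x JAR to whether it changed."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if CORE_JAR.match(name):
                jar = os.path.join(dirpath, name)
                hits[jar] = strip_jndi_lookup(jar)
    return hits

def make_sample_tree(root):
    """Constructed fixture (not real Solr files): a core JAR with JndiLookup, an api JAR, a 1.x JAR."""
    jars = {"server/lib/ext/log4j-core-2.13.2.jar": [JNDI_ENTRY, "org/apache/logging/log4j/core/Logger.class"],
            "server/lib/ext/log4j-api-2.13.2.jar": [], "lib/log4j-1.2.17.jar": []}
    for rel, classes in jars.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for cls in classes:
                jar.writestr(cls, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return os.path.join(root, "server", "lib", "ext", "log4j-core-2.13.2.jar")

def run_demo():
    """Build the fixture in a temp dir, remediate twice, return what changed."""
    root = tempfile.mkdtemp()
    core = make_sample_tree(root)
    before, first = has_jndi_lookup(core), remediate(root)  # evaluated left to right
    return before, len(first), first[core], has_jndi_lookup(core), remediate(root)[core]
```

Running it twice shows the second pass is a no-op, which is what an idempotent Ansible task wants: only the core JAR is touched, and only once.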

alxp (Contributor, Author) commented Dec 17, 2021

Updated with new release of Solr that includes Log4j 2.1.16

@alxp alxp changed the title Fix for Log4J CVE-2021-44228 - Global environment variable. Fix for Log4J CVE-2021-44228 - Global environment variable. and Solr update Dec 17, 2021
@alxp alxp changed the title Fix for Log4J CVE-2021-44228 - Global environment variable. and Solr update Mitigations for Log4J CVE-2021-44228 - Global environment variable. and Solr update Jan 6, 2022
@alxp alxp changed the title Mitigations for Log4J CVE-2021-44228 - Global environment variable. and Solr update Mitigations for Log4J CVE-2021-44228 Jan 6, 2022
@alxp alxp assigned alxp and whikloj Jan 12, 2022
whikloj (Member) left a comment

👍

@whikloj whikloj merged commit 3e502a3 into dev Jan 13, 2022
@whikloj whikloj deleted the shell4j-fix branch January 13, 2022 19:23