Log4j issues

Questions and Answers on installation, deployment, management, locking, tranasactions of Servoy Application Server

Log4j issues

Postby Harjo » Fri Dec 10, 2021 4:51 pm

Hi Johan,

Has this any imoact on Servoy deployements?
Or older version?

https://tweakers.net/nieuws/190602/erns ... effen.html
Harjo Kompagnie
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Log4j issues

Postby jcompagner » Fri Dec 10, 2021 5:37 pm

we already upped our log4j for the next releases (so from 2022.03 on for sure)
for .12 i have to see because that does mean i need to do a last minute change of libraries..

for older releases i guess in the developer it is fine, but if you deploy you can manually update the WAR file to update to the latest releases of that.
i need to investigate a bit how this exploit can be exploited. what access do you need
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby jcompagner » Fri Dec 10, 2021 5:50 pm

it seems to me if i read it all correctly that it can only be exploited if the attacker can get a log message into the system that has a "jndi:xx" lookup in the message and you are using an older java vm that doesn't protect against certain attacks like that.
besides that you in older releases of servoy use the system property: log4j2.formatMsgNoLookups=true because i think from log4j 2.10 and higher that will also turn that jndi lookup off.
We are already using version of log4j that are higher the 2.10 for years (3 to 4 years)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby Harjo » Sat Dec 11, 2021 11:02 am

Hi Johan,

if I read here: https://github.com/Cybereason/Logout4Shell

While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.

So if we for example still running a couple of the latest Servoy 7.4.x and have a higher installed Java >= 8u121, we are out of risk?
Can you please confirm?
Harjo Kompagnie
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Log4j issues

Postby Janssenjos » Sun Dec 12, 2021 9:52 am

jcompagner wrote:we already upped our log4j for the next releases (so from 2022.03 on for sure)
for .12 i have to see because that does mean i need to do a last minute change of libraries..

for older releases i guess in the developer it is fine, but if you deploy you can manually update the WAR file to update to the latest releases of that.
i need to investigate a bit how this exploit can be exploited. what access do you need


Hi Johan,

We still run Servoy 6.0 on some servers with openjdk 11.0.1
Are there risks in that?

And if so, can we fix the log4j version for that server or are we out of luck?
Or do I read in your message, that in older servoy versions the setting log4j2.formatMsgNoLookups=true was always set to true already?

Or are we in the clear, because what I read now at:
https://blog.qualys.com/vulnerabilities ... -log4shell

All versions of Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability.


I can't determine the version in servoy 6, but looking at dates I think perhaps it is earlier?
Jos Janssen
Software Developer
Axerrio
http://www.axerrio.com
Janssenjos
 
Posts: 146
Joined: Thu Aug 13, 2009 3:55 pm
Location: Bergen op Zoom

Log4j issues

Postby rvanderburg » Mon Dec 13, 2021 12:47 pm

Log4j vulnerability in Servoy products

Servoy servers make use of Apache Log4j, a widely used Java logging library. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability which when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The vulnerability found is regarded as critical:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Servoy is aware of this vulnerability and has already fixed this for the next release of Servoy 2021.12 and the next LTS releases for 2020.03 and 2021.03 by providing log4j 2.15.0. Also, all Servoy Cloud instances were immediately secured against this threat.

Servoy versions affected

Any released version of Servoy >= 8.4 is potentially vulnerable. Servoy 8.4 shipped with log4j version 2.11.1 and that was updated in following releases up to 2.14.1. Servoy versions < 8.4 ship with log4j 1.x, which is not affected.

How to remediate the problem

Apache states that setting a system property to the java instance under which the Servoy server operates will fix the issue:

-Dlog4j2.formatMsgNoLookups=true

In a normal Tomcat deployment running as a service this can be added via the Apache Commons Daemon Service Manager (Tomcat properties) in the Java tab. Under "Java options" the above property can be added as a new line to the existing properties.


This will work for all Servoy versions >= 8.4.

Customers using the Tomcat Servoy used to ship and run that as a service should stop the service and add a line such as

wrapper.java.additional.xx=-Dlog4j2.formatMsgNoLookups=true

to the Java parameters in the file application_server\server\wrapper.conf under "Java Additional Parameters", where "xx" is the highest number of the already existing parameters plus one.

The currently known exploit is also prevented by java versions >= 8u121.

Future versions of Servoy and future LTS releases for 2020.03 and 2021.03 will ship with log4j 2.15.0 or later, where the problem has been addressed.

Look into our Servoy Cloud offering, where security issues are closely monitored by experts and resolved for you as soon as they arise. Automatically. Contact your Servoy Salescontact for details on how to obtain a hassle free Servoy deployment.
Attachments
screenshot.png
screenshot.png (23.47 KiB) Viewed 54367 times
Last edited by rvanderburg on Mon Dec 13, 2021 5:32 pm, edited 2 times in total.
rvanderburg
Site Admin
 
Posts: 78
Joined: Wed May 04, 2011 10:28 am

Re: Log4j issues

Postby ROCLASI » Mon Dec 13, 2021 1:52 pm

Keep in mind it's not just Servoy that may be vulnerable.
The Dutch NCSC compiled (and updates) a list of software and their status:
https://github.com/NCSC-NL/log4shell/tree/main/software
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby mboegem » Mon Dec 13, 2021 2:24 pm

rvanderburg wrote:Older versions of Servoy ship with log4j 1.x, this version is no longer supported and should have been replaced already


I totally agree, but sometimes keeping up with the latest version of Servoy is not as simple.

Any chance that the old log4j library can simply be replaced by the latest version?
Or does this require additional changes in settings files.
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance Developer

Image

Partner of Tower - The most powerful Git client for Mac and Windows
User avatar
mboegem
 
Posts: 1724
Joined: Sun Oct 14, 2007 1:34 pm
Location: Amsterdam

Re: Log4j issues

Postby jcompagner » Mon Dec 13, 2021 2:37 pm

mboegem wrote:
rvanderburg wrote:Older versions of Servoy ship with log4j 1.x, this version is no longer supported and should have been replaced already


I totally agree, but sometimes keeping up with the latest version of Servoy is not as simple.

Any chance that the old log4j library can simply be replaced by the latest version?
Or does this require additional changes in settings files.


yes it needs more changes, i think also web.ml that is generated in our war, you need to update more libs (slf4j) and logging configuration.

The last version that we shipped with Log4J 1.x was Servoy 8.3.3 that was released more then 3 years ago..

so if you are still on older version then that, you really need to check what you need your self, the one the mention: https://logging.apache.org/log4j/1.2/
is not really used, that is only a problem if you are running log4j with a network connector so you can push log messages over the network to server..
I don't think that is enabled by default..
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby jcompagner » Mon Dec 13, 2021 2:40 pm

Also there are question for the smartclient, by default servoy does not push log4j to the client, because we use slf4j (which is a wrapper logging service) and for a smart client we map that to the JDK logger itself.

But there are customers that use 3rd party plugins that have log4j, and then we just install them also on the client, you could if you want configure through the admin page to send over that system property to the smart client.
But do remember if a attacker tries to attach through a smartclient it attacks itself...
(because the smart client is running on its own machine, so anything it does just attacks its own machine...)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby ROCLASI » Mon Dec 13, 2021 3:08 pm

It looks like the DrMaison plugins use the old version of Log4J (1.2.14). So that should be safe (for this CVE) as well.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby sbutler » Mon Dec 13, 2021 6:31 pm

I think there is a very important typo on https://servoy.com/java-log4j-vulnerability/

This:
The currently known exploit is also prevented by java versions >= 8u121.


Should be:
The currently known exploit is also prevented by java versions >= 8u191.
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
User avatar
sbutler
Servoy Expert
 
Posts: 757
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: Log4j issues

Postby jcompagner » Mon Dec 13, 2021 6:47 pm

in the real CVE: https://cve.mitre.org/cgi-bin/cvename.c ... 2021-44228

they really mention 121:

"Java 8u121 (see https://www.oracle.com/java/technologie ... notes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false"."
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby sbutler » Mon Dec 13, 2021 7:10 pm

I think 8u121 just fixes JNDI-RMI. 8u191 fixes JNDI-LDAP.

From: https://www-cnblogs-com.translate.goog/ ... r_hl=en-US
Which was linked from https://www.lunasec.io/docs/blog/log4j-zero-day/
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
User avatar
sbutler
Servoy Expert
 
Posts: 757
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: Log4j issues

Postby ROCLASI » Mon Dec 13, 2021 7:48 pm

It looks like updating your JVM is no longer an effective mitigation.

Screenshot 2021-12-13 at 18.45.24.png
Screenshot 2021-12-13 at 18.45.24.png (920.79 KiB) Viewed 54239 times

https://twitter.com/marcioalm/status/14 ... 5405875200

Continue focussing patching the root cause.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Next

Return to Servoy Server

Who is online

Users browsing this forum: No registered users and 1 guest

cron