Log4j vulnerability in Servoy products
Servoy servers make use of Apache Log4j, a widely used Java logging library. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability that, when successfully exploited, allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The vulnerability is rated as critical:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Servoy is aware of this vulnerability and has already fixed it for the next release of Servoy 2021.12 and the next LTS releases for 2020.03 and 2021.03 by providing log4j 2.15.0. Also, all Servoy Cloud instances were immediately secured against this threat.
Servoy versions affected
Any released version of Servoy >= 8.4 is potentially vulnerable. Servoy 8.4 shipped with log4j version 2.11.1, and that was updated in subsequent releases up to 2.14.1. Servoy versions < 8.4 ship with log4j 1.x, which is not affected.
How to remediate the problem
Apache states that setting the following system property on the Java instance under which the Servoy server operates will fix the issue:
-Dlog4j2.formatMsgNoLookups=true
In a normal Tomcat deployment running as a service, this can be added via the Apache Commons Daemon Service Manager (Tomcat properties) in the Java tab. Under "Java options", the above property can be added as a new line below the existing properties.
This will work for all Servoy versions >= 8.4.
Customers running the Tomcat that Servoy used to ship, and running it as a service, should stop the service and add a line such as
wrapper.java.additional.xx=-Dlog4j2.formatMsgNoLookups=true
to the Java parameters in the file application_server\server\wrapper.conf under "Java Additional Parameters", where "xx" is one higher than the highest number already used by the existing parameters.
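The version check from "Servoy versions affected" and the wrapper.conf edit described above, as an added example that is not part of Servoy's advisory or its tooling: it classifies a log4j-core jar by the version in its file name, finds the next free wrapper.java.additional.xx index, and appends the mitigation line only once. The sample wrapper.conf fragment is constructed for the example.

```python
import re

# Constructed sample of a wrapper.conf fragment (not from a real Servoy install).
SAMPLE_WRAPPER_CONF = """\
# Java Additional Parameters
wrapper.java.additional.1=-Djava.awt.headless=true
wrapper.java.additional.2=-Xmx1024m
wrapper.java.additional.3=-Dservoy.application_server.dir=..
"""

MITIGATION = "-Dlog4j2.formatMsgNoLookups=true"
FIXED_VERSION = (2, 15, 0)
# log4j 1.x jars are named log4j-1.x.y.jar, so they do not match and report None.
_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
_ADD_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$", re.M)


def log4j_version(jar_name):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = _JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """log4j 2.x below 2.15.0 is affected; 1.x (Servoy < 8.4) is not."""
    return version is not None and version[0] == 2 and version < FIXED_VERSION


def next_additional_index(conf_text):
    """The 'xx' for the new line: highest existing wrapper.java.additional.N plus one."""
    nums = [int(n) for n, _ in _ADD_RE.findall(conf_text)]
    return (max(nums) if nums else 0) + 1


def has_mitigation(conf_text):
    """True if any wrapper.java.additional.N line already carries the property."""
    return any(MITIGATION in value for _, value in _ADD_RE.findall(conf_text))


def add_mitigation(conf_text):
    """Return the conf text with the mitigation line appended once (idempotent)."""
    if has_mitigation(conf_text):
        return conf_text
    line = f"wrapper.java.additional.{next_additional_index(conf_text)}={MITIGATION}"
    sep = "" if conf_text.endswith("\n") else "\n"
    return conf_text + sep + line + "\n"
```

Run it against the jar names under the server's lib directory and the real wrapper.conf; the service must still be stopped before the file is rewritten and restarted afterwards.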
The currently known exploit is also prevented by Java versions >= 8u121.
Future versions of Servoy and future LTS releases for 2020.03 and 2021.03 will ship with log4j 2.15.0 or later, where the problem has been addressed.
Look into our Servoy Cloud offering, where security issues are closely monitored by experts and resolved for you automatically as soon as they arise. Contact your Servoy sales contact for details on how to obtain a hassle-free Servoy deployment.