GridGain Systems Support

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
GridGain Systems

Versions Affected:

• GridGain Professional Edition 2.4.16 and earlier, 2.5.18 and earlier
• GridGain Community Edition 8.7.14 and earlier
• GridGain Enterprise Edition 8.4.16 and earlier, 8.5.18 and earlier, 8.7.14 and earlier
• GridGain Ultimate Edition 8.4.16 and earlier, 8.5.18 and earlier, 8.7.14 and earlier

Impact:
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
GridGain uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Mitigation:
Users of affected versions should upgrade to newer versions:

• GridGain Professional Edition 2.4.17 or later, 2.5.19 or later
• GridGain Community Edition 8.7.15 or later
• GridGain Enterprise Edition 8.4.17 or later, 8.5.19 or later, 8.7.15 or later
• GridGain Ultimate Edition 8.4.17 or later, 8.5.19 or later, 8.7.15 or later

In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar from GridGain classpath.
Risk could be partially mitigated by using non-privileged user to start GridGain.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com

CVE-2021-28164

Severity: Medium

Vendor:
GridGain Systems

Versions Affected:

• GridGain Community Edition 8.7.34 and earlier, 8.8.3 and earlier
• GridGain Enterprise Edition 8.7.34 and earlier, 8.8.3 and earlier
• GridGain Ultimate Edition 8.7.34 and earlier, 8.8.3 and earlier

Impact:
An attacker can reveal sensitive information regarding the implementation of a web application.

Description:

GridGain uses Eclipse Jetty in order to serve REST requests. In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Mitigation:
Users of affected versions should upgrade to newer versions:

• GridGain Community Edition 8.7.35 or later, 8.8.4 or later
• GridGain Enterprise Edition 8.7.35 or later, 8.8.4 or later
• GridGain Ultimate Edition 8.7.35 or later, 8.8.4 or later

In case REST is not used at all the issue could be mitigated by removing ignite-rest-http.jar from GridGain classpath.

CVE-2021-44228

Severity: Critical

Vendor:

Apache Software Foundation

Versions Affected:

GridGain Community Edition 8.7.40 and earlier, 8.8.11 and earlier

GridGain Enterprise Edition 8.7.40 and earlier, 8.8.11 and earlier

GridGain Ultimate Edition 8.7.40 and earlier, 8.8.11 and earlier

Impact:

Allows a remote attacker to execute arbitrary code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.

Description:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Mitigation:

GridGain users who utilize log4j2 logging must upgrade log4j2 dependency, or apply workaround available below and apply the next release which will include the updated log4j2 dependency. The GridGain servers and clients must be restarted after applying the WA and/or patches.

In Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

Users who cannot upgrade to 2.15.0 can mitigate the exposure by:

a) Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.

b) Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages. 

c) Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

CVE-2021-44228

Severity: Critical

Vendor:

Apache Software Foundation

Versions Affected:

GridGain Control Center 2021.08.01 and earlier.

Impact:

Allows a remote attacker to execute arbitrary code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.

Description:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Mitigation:

Current GridGain Control Center users who utilize log4j2 logging must upgrade log4j2 dependency, or apply workaround available below and apply the next release of GridGain Control Center On-Premise which will include the updated log4j2 dependency. The GridGain Control Center must be restarted after applying the WA and/or patches.

In Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

Users who cannot upgrade to 2.15.0 can mitigate the exposure by:

a) Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.

b) Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages. 

c) Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

CVE-2021-44228

Severity: Critical

Vendor:

Apache Software Foundation

Versions Affected:

GridGain Web Console 2021.04.00 and earlier.

Impact:

Allows a remote attacker to execute arbitrary code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.

Description:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to &#8220;true&#8221; or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Mitigation:

Current Web Console users who utilize log4j2 logging must upgrade log4j2 dependency, or apply one of the workarounds available below. The GridGain Web Console must be restarted after applying the WA and/or patches.

In Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

Users who cannot upgrade to 2.15.0 can mitigate the exposure by:

a) Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.

b) Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages. 

c) Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

CVE-2021-45046

Severity: Medium

Vendor:

Apache Software Foundation

Versions Affected:

GridGain Community Edition 8.7.40 and earlier, 8.8.11 and earlier

GridGain Enterprise Edition 8.7.40 and earlier, 8.8.11 and earlier

GridGain Ultimate Edition 8.7.40 and earlier, 8.8.11 and earlier

Impact:

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Description:

It was found that the fix addressing CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete for certain non-default configurations. This could allow attackers with the control over Thread Context Map (MDC) input data, and when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using an JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration changes such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Mitigation:

Current mitigation options are limited to removing JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class or upgrading Log4J2 dependency to 2.16.0. The cluster must be restarted after implementing the chosen option.

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

The following script could be used to clean vulnerable jars:

cd $IGNITE_HOME

# Print candidates for patching

for f in $(find . -name '*log4j*.jar'); do unzip -l $f | grep -q JndiLookup && echo $f; done 

# Apply fix

for f in $(find . -name '*log4j*.jar'); do unzip -l $f | grep -q JndiLookup && echo $f && zip -q -d $f org/apache/logging/log4j/core/lookup/JndiLookup.class; done

# Restart your cluster

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

CVE-2021-45046

Severity: Medium

Vendor:

Apache Software Foundation

Versions Affected:

GridGain Control Center 2021.08.01 and earlier.

Impact:

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Description:

It was found that the fix addressing CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete for certain non-default configurations. This could allow attackers with the control over Thread Context Map (MDC) input data, and when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using an JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration changes such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Mitigation:

Current mitigation options are limited to removing JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class or upgrading Log4J2 dependency to 2.16.0. The GridGain Control Center must be restarted after implementing the chosen option.

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

The following script could be used to clean vulnerable jars:

# Go to GGCC installation directory

cd $CC_INSTALL_DIR 

# Print candidates for patching

for f in $(find . -name '*log4j*.jar'); do unzip -l $f | grep -q JndiLookup && echo $f; done 

# Apply fix

for f in $(find . -name '*log4j*.jar'); do unzip -l $f | grep -q JndiLookup && echo $f && zip -q -d $f org/apache/logging/log4j/core/lookup/JndiLookup.class; done

# Restart your Control Center installation

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046