Security Updates Announcements

This topic is used for security update announcements and vulnerability disclosures.



CVE-2021-45046


Severity: Medium

Vendor: Apache Software Foundation

Versions Affected: GridGain Web Console 2021.04.00 and earlier.

Impact: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack


Description:


It was found that the fix addressing CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete for certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration changes, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).


Mitigation:


Current mitigation options are limited to removing the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. The GridGain Web Console must be restarted after applying the fix.


Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.


The following script could be used to clean vulnerable jars:


# Go to GG Web Console installation directory (quote the path; abort if it does not exist)
cd "$WC_INSTALL_DIR" || exit 1

# Print candidates for patching: every log4j jar that still contains JndiLookup.class
# (find -print0 / read -d '' handles paths with spaces, which the unquoted $(find ...) form does not)
find . -name '*log4j*.jar' -print0 | while IFS= read -r -d '' f; do
    unzip -l "$f" | grep -q 'JndiLookup.class' && echo "$f"
done

# Apply fix: delete the class from each jar found above
find . -name '*log4j*.jar' -print0 | while IFS= read -r -d '' f; do
    unzip -l "$f" | grep -q 'JndiLookup.class' && echo "patching $f" && zip -q -d "$f" org/apache/logging/log4j/core/lookup/JndiLookup.class
done

# Restart your Web Console installation
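The shell script above only inspects files named *log4j*.jar and only deletes the top-level class entry. Below is an added example (not part of this advisory and not GridGain's tooling) that goes one step further for verification: it walks an installation directory, recurses into JARs nested inside WAR/EAR/fat JARs, reports every archive that still carries JndiLookup.class, and strips the class from a top-level JAR by rewriting it (the same effect as zip -q -d, without needing zip/unzip installed). The directory layout, file names and JAR contents in build_fixture are a constructed fixture for demonstration; point find_vulnerable_jars at the real $WC_INSTALL_DIR instead.

```python
# Added example (not the advisory's script): scan an install tree for the Log4j
# JndiLookup class, including JARs nested inside WAR/EAR/fat JARs, and strip the
# class from top-level JARs the way `zip -q -d` does.
import io
import os
import tempfile
import zipfile
from typing import List

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_archive(zf: zipfile.ZipFile, label: str) -> List[str]:
    """Return a label (outer!inner) for every archive that contains JndiLookup.class."""
    hits = []
    for name in zf.namelist():
        if name == JNDI_CLASS:
            hits.append(label)
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            # Nested archive (e.g. WEB-INF/lib/*.jar inside a WAR): read it into memory and recurse.
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                    hits.extend(_scan_archive(nested, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue
    return hits


def find_vulnerable_jars(root: str) -> List[str]:
    """Walk `root` and list archives (paths relative to root) that still carry JndiLookup.class."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    hits.extend(_scan_archive(zf, os.path.relpath(full, root)))
            except zipfile.BadZipFile:
                continue
    return sorted(hits)


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite the archive without JndiLookup.class (top-level entries only, like `zip -q -d`).
    Returns True if the class was present and removed, False if there was nothing to do."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))  # keeps per-entry compression and timestamps
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, jar_path)  # atomic swap: the original is only replaced once the rewrite is complete
    return True


def _write_jar(path: str, entries: dict) -> None:
    """Constructed fixture helper: a minimal zip with the given name -> bytes entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_fixture(root: str) -> None:
    """Constructed sample install tree (not a real Web Console layout): a log4j-core JAR with
    the lookup class, a harmless log4j-api JAR, and a WAR bundling a copy of the core JAR."""
    core = os.path.join(root, "log4j-core-2.15.0.jar")
    _write_jar(core, {JNDI_CLASS: b"\xca\xfe\xba\xbe placeholder class bytes",
                      "org/apache/logging/log4j/core/Logger.class": b"placeholder"})
    _write_jar(os.path.join(root, "log4j-api-2.15.0.jar"),
               {"org/apache/logging/log4j/Logger.class": b"placeholder"})
    with open(core, "rb") as fh:
        core_bytes = fh.read()
    _write_jar(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.15.0.jar": core_bytes})


def run_demo():
    """Scan, strip the top-level JARs, rescan. Returns (before, removed_flags, after)."""
    root = tempfile.mkdtemp(prefix="wc-log4j-")
    build_fixture(root)
    before = find_vulnerable_jars(root)
    removed = [strip_jndi_lookup(os.path.join(root, "log4j-core-2.15.0.jar")),
               strip_jndi_lookup(os.path.join(root, "log4j-api-2.15.0.jar"))]
    after = find_vulnerable_jars(root)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = run_demo()
    print("before:", before)
    print("removed:", removed)
    print("still vulnerable (nested copy, needs the WAR repackaged):", after)
```

The rescan after stripping is the point of the example: the copy bundled inside app.war is still reported, because deleting the entry from a top-level JAR does nothing for a JAR that lives inside another archive. Those need the enclosing WAR/EAR unpacked, patched and repackaged (or rebuilt against a fixed Log4j), and the service restarted, before the install can be considered clean.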



Reference:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046