[Update] Alert: Vulnerability Found in Web Interface

December 13, 2021

**21 December 2021 Update: Web Interface for AH Formatter and OSDC has been updated with the latest version for Log4j 2.17.0.  Customers will receive an email with the new release downloads.**

This is an alert for Antenna House Web Interface customers. A vulnerability has been discovered in the Log4j 2 library that can allow remote code execution on the server system. The current (6.0mr6) and older versions of Web Interface use a vulnerable version of the Log4j 2 library.

The details of the vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 

We are planning to release a new version of the Web Interface later this week that addresses the issue, so please watch for a release announcement email.

Until a new version is released, the following mitigation workarounds recommended by Apache will prevent exploitation of the vulnerability.

Thank you for your understanding; please contact us if you have any questions.


Mitigation Workarounds:

-------------

1) %m{nolookups}

For both server/log4j2.xml and folder-monitor/log4j2.xml

Change:

```xml
<Properties>
<Property name="format" value="%d [%t] %-5p %c{1} - %m%n"/>
```

To:

```xml
<Properties>
<Property name="format" value="%d [%t] %-5p %c{1} - %m{nolookups}%n"/>
```

Also change %m tokens to %m{nolookups} in any custom log4j configuration files used.

Restart the server.

2) Remove the JndiLookup class

For both server/lib/log4j-core-2.8.2.jar and folder-monitor/lib/log4j-core-2.8.2.jar run:

```sh
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```

The result should have this hash:

```
md5sum log4j-core-2.8.2.jar
4602d1a718272a50c5f72966eae89c09 log4j-core-2.8.2.jar
```

The modified file can also be downloaded here:

https://support.antennahouse.com:8080/pub/log4j-no-jndi/log4j-core-2.8.2.jar

Restart the server.
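A small check for both workarounds, added here as an example and not part of the Antenna House advisory or product: it lists log4j2.xml layout patterns that still use a bare %m, strips JndiLookup.class from a jar the way the zip -d command does, and compares the resulting md5 with the value published above. The jar built in run_demo() is a constructed stand-in with dummy class bytes, not the real log4j-core-2.8.2.jar, so its hash is not expected to match.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VENDOR_MD5 = "4602d1a718272a50c5f72966eae89c09"  # published above for the stripped 2.8.2 jar
# a message converter (%m, %msg, %message) that is not followed by {nolookups}
BARE_MSG = re.compile(r"%(?:message|msg|m)\b(?!\{nolookups\})")

def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class, i.e. workaround 2 is not applied."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; same result as the zip -d command."""
    src = Path(jar_path)
    tmp = src.with_name(src.name + ".tmp")
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for info in zin.infolist():
            if info.filename != JNDI_ENTRY:
                zout.writestr(info, zin.read(info.filename))
    tmp.replace(src)  # atomic swap so a half-written jar never replaces the original
    return not jar_has_jndi_lookup(src)

def bare_message_patterns(config_xml):
    """Layout patterns in a log4j2.xml that still use %m without {nolookups}."""
    patterns = re.findall(r'(?:value|pattern)="([^"]*)"', config_xml)
    return [p for p in patterns if BARE_MSG.search(p)]

def run_demo():
    unsafe = '<Property name="format" value="%d [%t] %-5p %c{1} - %m%n"/>'
    fixed = '<Property name="format" value="%d [%t] %-5p %c{1} - %m{nolookups}%n"/>'
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "log4j-core-2.8.2.jar"  # constructed stand-in, not the real jar
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # dummy class bytes
        before = jar_has_jndi_lookup(jar)
        strip_ok = strip_jndi_lookup(jar)
        return {
            "jndi_before": before,
            "strip_ok": strip_ok,
            "unsafe_patterns": bare_message_patterns(unsafe),
            "fixed_patterns": bare_message_patterns(fixed),
            "md5_matches_vendor": hashlib.md5(jar.read_bytes()).hexdigest() == VENDOR_MD5,
        }
```

The pattern check only covers the 2.7 to 2.14.1 range Apache names for %m{nolookups}; removing the class, or installing the updated release, is the durable fix.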

----

See the following link for more information:
https://logging.apache.org/log4j/2.x/ 

--------
For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
--------