CVE-2021-41041
WSO2 impacted: No
Evidence of compromise: No
Customers actions required: No
Reported Incident
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
Impact on WSO2 Products and Deployments
Exploitation of CVE-2021-41041 requires the ability to modify the Log4j configuration files (log4j.xml / log4j.properties) and restart the WSO2 product. This requires access to the file system of the server with write permissions to the relevant product configuration files. Therefore, it is unlikely that an external attacker could exploit CVE-2021-41041.
To check whether JMSAppender is used in any configuration file, run the following command from the product-home (without quotes):
grep -R 'org\.apache\.log4j\.net\.JMSAppender'
If you prefer to remove JMSAppender from all Log4j version 1 dependencies found within WSO2 products, you may use the following mitigation steps:
- Ensure that you have the zip and unzip commands installed on the server hosting the product.
- Follow either of the following options:
  - Option 1: Navigate to the product-home folder and run the following command:
    curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash
  - Option 2:
    - Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh
    - Copy the script into the product-home
    - Run the script from the product-home, using the following command:
      bash JMSAppender-remover.sh
- After executing the above script, restart the product.
The mitigation script removes org/apache/log4j/net/JMSAppender.class from all Log4j version 1 dependencies found within the folder (and its sub-folders) in which it is executed. After applying the fix, please ignore the ClassNotFoundException for the JMSAppender class which could occur during product startup.
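As an added illustration (not WSO2's JMSAppender-remover.sh, nor any WSO2 code), the following Python reproduces both steps of this advisory in one place: the grep-style check for JMSAppender in configuration files, and the removal of org/apache/log4j/net/JMSAppender.class from every Log4j 1.x jar under a directory, leaving all other entries intact. It runs against a constructed product-home whose layout, jar name and fake class bytes are assumptions made for the demonstration.

```python
import os
import shutil
import tempfile
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"

def find_jms_appender_configs(product_home):
    """Same check as the advisory's grep: config files that reference JMSAppender."""
    hits = []
    for root, _dirs, files in os.walk(product_home):
        for name in (f for f in files if f.endswith((".xml", ".properties"))):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                if "org.apache.log4j.net.JMSAppender" in fh.read():
                    hits.append(name)
    return sorted(hits)

def strip_jms_appender(jar_path):
    """Rewrite one jar without JMSAppender.class; return remaining entries, None if absent."""
    with zipfile.ZipFile(jar_path) as src:
        kept = [i for i in src.infolist() if i.filename != JMS_CLASS]
        if len(kept) == len(src.infolist()):
            return None  # class not present, jar left untouched
        with zipfile.ZipFile(jar_path + ".tmp", "w") as dst:  # copy every other entry unchanged
            for info in kept:
                dst.writestr(info, src.read(info.filename))
    shutil.move(jar_path + ".tmp", jar_path)  # swap the cleaned jar into place
    return [i.filename for i in kept]

def remove_jms_appender(product_home):
    """Clean every jar under product_home; map changed jar name -> remaining entries."""
    changed = {}
    for root, _dirs, files in os.walk(product_home):
        for name in (f for f in files if f.endswith(".jar")):
            remaining = strip_jms_appender(os.path.join(root, name))
            if remaining is not None:
                changed[name] = remaining
    return changed

def build_sample_product_home():
    """Constructed stand-in for a product-home (layout is an assumption, not WSO2's)."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "lib"))
    with zipfile.ZipFile(os.path.join(home, "lib", "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # fake class bytes
        jar.writestr(JMS_CLASS, b"\xca\xfe\xba\xbe")
    with open(os.path.join(home, "log4j.properties"), "w") as fh:
        fh.write("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return home
```

A second run over the same directory changes nothing, which is the property the advisory's "ignore the ClassNotFoundException" note relies on: the class is gone, the rest of the jar is unchanged.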
If you are using Docker images in your deployment, it is advised to build a new Docker image that runs the provided script as an additional build step.
Example Dockerfile for Ubuntu-based distributions:
FROM wso2/wso2is:5.10.0
USER root
RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip \
    && rm -rf /var/lib/apt/lists/*
USER wso2carbon
RUN curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash
We will update this announcement if further actions are required.