CVE-2021-4104

WSO2 impacted: No

Evidence of compromise: No

Customer actions required: No


Reported Incident

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note that this issue only affects Log4j 1.2 when it is specifically configured to use JMSAppender, which is not the default.

Impact on WSO2 Products and Deployments

Exploitation of CVE-2021-4104 requires the ability to modify the Log4j configuration files (log4j.xml or log4j.properties) and restart the WSO2 product. This requires access to the server's file system with write permissions to the relevant product configuration files. Therefore, it is unlikely that an external attacker could exploit CVE-2021-4104.

To check whether JMSAppender is referenced in any configuration file, run the following command from the product-home directory:

grep -R 'org\.apache\.log4j\.net\.JMSAppender'

If you prefer to remove JMSAppender from all Log4j version 1 dependencies found within WSO2 products, use the following mitigation steps:

  1. Ensure that the zip and unzip commands are installed on the server hosting the product.
  2. Follow one of the following options:
    1. Option 1: Navigate to the product-home folder and run the following command:
      curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash
    2. Option 2:
      1. Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh
      2. Copy the script into the product-home
      3. Run the script from the product-home using the following command:
        bash JMSAppender-remover.sh
  3. After executing the script, restart the product.

Once executed, the mitigation script removes org/apache/log4j/net/JMSAppender.class from every Log4j version 1 dependency found within the folder and its sub-folders. After applying the fix, a ClassNotFoundException for the JMSAppender class may occur during product startup; it can be ignored.
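To confirm that the mitigation took effect, or to apply the same removal where the script cannot be run, the following added Python check (not WSO2's code) lists the Log4j 1.x jars under a product-home that still contain JMSAppender.class and strips that entry the way the script does; the sample tree it builds and the file name check_jmsappender.py are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Jar entry the WSO2 mitigation script deletes from each Log4j 1.x jar.
CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"


def jars_containing_jmsappender(root):
    """Return the jars under root that still ship JMSAppender.class (empty after a successful mitigation)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if CLASS_ENTRY in jar.namelist():
                        hits.append(path)
    return sorted(hits)


def remove_jmsappender_class(jar_path):
    """Rewrite the jar without JMSAppender.class, keeping every other entry. Returns True if it was present."""
    tmp, removed = jar_path + ".tmp", False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == CLASS_ENTRY:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap, so an interrupted run never leaves a half-written jar
    return removed


def build_sample_product_home():
    """Constructed sample tree (not a real WSO2 install): one Log4j 1.x jar carrying the appender class."""
    root = tempfile.mkdtemp(prefix="product-home-")
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr(CLASS_ENTRY, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    import sys  # usage: python check_jmsappender.py [product-home] [--remove]
    args = [a for a in sys.argv[1:] if a != "--remove"]
    for jar in jars_containing_jmsappender(args[0] if args else "."):
        print(("removed from " if "--remove" in sys.argv and remove_jmsappender_class(jar) else "found in ") + jar)
```

Without --remove the script only reports; rerunning it after the WSO2 script (or after --remove) should list nothing.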

If you use Docker images in your deployment, create a new Docker image that runs the provided script as an additional build step.

Example Dockerfile for Ubuntu-based images:

FROM wso2/wso2is:5.10.0
 
USER root
 
RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip \
    && rm -rf /var/lib/apt/lists/*
 
USER wso2carbon
 
RUN curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash

We will update this announcement if further actions are required.
