Security Advisory WSO2-2021-1699

Published: December 21, 2021

Version: 1.0.0

Severity: Critical

CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Note

Note that WSO2 is aware, and has analyzed the CVE-2021-45105, and the associated update of Log4j (2.17.0). We are working on the Log4j v2.17.0 upgrade. Once the security advisory is prepared, it will be published as a new advisory.

AFFECTED PRODUCTS

  • WSO2 API Manager : 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
  • WSO2 API Manager Analytics : 2.6.0, 3.0.0, 3.1.0, 3.2.0
  • WSO2 Identity Server : 5.9.0, 5.10.0, 5.11.0
  • WSO2 Identity Server Analytics : 5.7.0, 5.8.0
  • WSO2 Identity Server as Key Manager : 5.9.0, 5.10.0
  • WSO2 Enterprise Integrator : 6.1.0, 6.1.1, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0
  • WSO2 Enterprise Integrator Analytics : 7.1.0
  • WSO2 Micro Integrator : 1.1.0, 1.2.0, 4.0.0
  • WSO2 Micro Integrator Dashboard : 4.0.0, 4.0.1
  • WSO2 Micro Integrator Monitoring Dashboard : 1.1.0, 1.1.1, 1.2.0
  • WSO2 Stream Integrator : 1.1.0, 4.0.0
  • WSO2 Stream Integrator Tooling : 1.0.0, 1.1.0, 4.0.0
  • WSO2 Stream Processor : 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0

OVERVIEW

Log4j remote code execution zero-day vulnerability (CVE-2021-44228).

DESCRIPTION

Security advisory contents from Apache Log4j2 is as follows 12:

Description from CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against an attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Note

Note that WSO2 started issuing "Special Security Announcements" through WSO2 support portal from 11/12/2021 with the title starting with 3, providing immediate risk mitigation steps based on Apache Log4j security documentation 1 and consequent updates on the progress related to the CVE-2021-44228. In addition, WSO2 issued a public Incident Clarification for open source users [4] on 13/12/2021.

This update cumulatively mitigates known vulnerabilities of Log4j 2 prior to 2.16.0 relevant to the following dependencies:

  • log4j-core upgraded to v2.16.0
  • log4j-api upgraded to v2.16.0
  • log4j-jcl upgraded to v2.16.0

In addition, this update removes the vulnerable "JndiLookup'' class from the following dependencies as recommended in Apache Log4j security documentation 1 . These dependencies will be further upgraded in a follow-up update.

  • pax-logging-log4j2
  • org.ops4j.pax.logging.pax-logging-log4j2
  • org.wso2.ei.analytics.elk
  • siddhi-store-elasticsearch

Note that WSO2 is aware, and has analyzed the CVE-2021-45105, and the associated update of Log4j (2.17.0). The default product configurations of WSO2 products are not vulnerable to CVE-2021-45105. However, WSO2 strongly recommends executing the below command from the WSO2 product-home, and confirming that the customized configurations you use are not vulnerable.

Linux environments:

grep -R '${ctx:' . | grep 'log4j'

Windows environments (using Powershell):

Get-ChildItem -recurse | Select-String -ErrorAction SilentlyContinue -pattern '\${ctx:' | group path | select name | Select-String 'log4j'

If no results were returned by the above command, your deployment is not affected. However, if any matches were identified, remove references to Context Lookups as also recommended in the Log4j security page 5, from the identified configuration file. We will further update you regarding the upgrade plan relevant to Log4j 2.17.0 in the upcoming security advisories.

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by providing a crafted payload.

SOLUTION

WSO2 has published the Incident Clarifications Report 4 regarding log4j vulnerabilities which also contains the temprory sollution that helps to avoid the deployments being compromised. Anyway, WSO2 is activily working on the permanant solution. Until WSO2 released public PR , it is highly recommanded to apply the temprory solution 4.

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.

REFERENCES

  1. https://logging.apache.org/log4j/2.x/security.html 

  2. https://nvd.nist.gov/vuln/detail/CVE-2021-44228 

  3. [Special Security Announcement] Log4j2 zero-day vulnerability (CVE-2021-44228) 

  4. Log4j2 zero-day vulnerability (CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105 ) 

  5. https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.17.0_.28Java_8.29