Tags: Log4J
15 December 2021 at 18:27 - Views: 2534 #12365
We have summarised our findings regarding OTOBO and the Log4J Zero Day Vulnerability in an article on
https://otobo.io/de/otobo-und-cve-2021-44228/ -> German
https://otobo.io/en/otobo-and-cve-2021-44228/ -> English
20 December 2021 at 16:35 #12380
Hello everyone,
using a detection tool on GitHub (https://github.com/logpresso/CVE-2021-44228-Scanner)
(there are many others, please see https://www.heise.de/forum/heise-online/Kommentare/Erpressergruppe-Conti-nutzt-Sicherheitsluecke-Log4Shell-fuer-ihre-Ransomware/Re-wie-pruefen/posting-40175798/show/)
I get the following results on an openSUSE OTOBO Docker installation (before doing the http://yourIPorFQDN/otobo/installer.pl installation):
**************************************************************************************************
sudo ./log4j2-scan /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 (2021-12-20)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/1026, /var/lib/docker/containers/d9de95f99ac2a883d8becb4f58041707545946f2234201a220281eab11b1db65/mounts/shm, /var/lib/docker/containers/d9de95f99ac2a883d8becb4f58041707545946f2234201a220281eab11b1db65/mounts/secrets, /var/lib/docker/containers/d1eb0f981778f633cfee1ae975f947ac78df71b158068f4dab58da54d7508ec1/mounts/shm, /var/lib/docker/containers/d1eb0f981778f633cfee1ae975f947ac78df71b158068f4dab58da54d7508ec1/mounts/secrets, /var/lib/docker/containers/3d7a9ba83f30176e0416d4268824b6f1ecda3a0be23dce020d63b4a60730a701/mounts/shm, /var/lib/docker/containers/3d7a9ba83f30176e0416d4268824b6f1ecda3a0be23dce020d63b4a60730a701/mounts/secrets, /var/lib/docker/containers/9dd2420bee0c29ffc2022f1fa57140a6a4a81b62824a361a17d105099bbda44b/mounts/shm, /var/lib/docker/containers/9dd2420bee0c29ffc2022f1fa57140a6a4a81b62824a361a17d105099bbda44b/mounts/secrets, /var/lib/docker/containers/a6716382af446e7395bc5d623e6638df4bada84e591111d12f03fa8167a1f35f/mounts/shm, /var/lib/docker/containers/a6716382af446e7395bc5d623e6638df4bada84e591111d12f03fa8167a1f35f/mounts/secrets)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/5b15f51093f1016bce3374b0dae0d92077b477f5eed7fed0905bd8c93fb44372/merged/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/5b15f51093f1016bce3374b0dae0d92077b477f5eed7fed0905bd8c93fb44372/merged/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
Running scan (10s): scanned 22295 directories, 158438 files, last visit: /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/bin
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /home/cki/D_IWS022/bin/arduino/lib/log4j-core-2.12.0.jar, log4j 2.12.0
Scanned 870361 directories and 11975419 files
Found 3 vulnerable files
Found 0 potentially vulnerable files
Found 2 mitigated files
Completed in 307.25 seconds
**************************************************************************************************
So the log4j files are classified as vulnerable and mitigated. It seems no directly dangerous attack is to be expected. But who knows!
In my opinion the just-published Log4j 2.17.0 from Apache should be implemented ASAP.
Thanks to all devs for their efforts,
Regards,
Christof
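The scan output above classifies each log4j-core jar by its version and, where the JndiLookup class has been stripped from the archive, marks it "(mitigated)"; it also walks into jars that are packed inside other jars. The script below is an added example written for this page, not code from the thread, from OTOBO or from the Logpresso scanner. It reproduces that classification for an archive held in memory or on disk, descends into nested jars/wars/ears, and, when run without arguments, scans constructed sample archives (fake zips that only carry the file names from the scan above and a pom.properties, not the real Elasticsearch jars). The fixed-version thresholds (2.15.0, 2.12.2 for the Java 7 branch, 2.3.1 for the Java 6 branch) are those Apache published for CVE-2021-44228 and cover that CVE only.

```python
#!/usr/bin/env python3
"""Added example: classify log4j-core jars for CVE-2021-44228 by version and by
the presence of JndiLookup.class, recursing into archives nested inside archives."""
import io
import re
import sys
import zipfile
from dataclasses import dataclass

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


@dataclass(frozen=True)
class Finding:
    path: str      # outer file, with "!/" separating nested archive entries
    version: str   # "unknown" when the jar carries no Maven pom.properties
    status: str    # "vulnerable", "mitigated", "fixed" or "unknown"


def parse_version(text):
    """'2.11.1' -> (2, 11, 1); '2.0-beta9' -> (2, 0, 0); no leading digits -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_fixed_for_44228(v):
    """First release per branch in which message lookups no longer resolve JNDI."""
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)   # Java 7 branch
    if v[:2] == (2, 3):
        return v >= (2, 3, 1)    # Java 6 branch
    return v >= (2, 15, 0)


def scan_bytes(data, path):
    """Scan one archive held in memory; recurse into archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # a ".jar" that is not a zip cannot contain log4j
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = "unknown"
            if POM_PROPS in names:
                m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
                if m:
                    version = m.group(1).strip()
            v = parse_version(version)
            if v and is_fixed_for_44228(v):
                status = "fixed"
            elif JNDI_LOOKUP not in names:
                status = "mitigated"     # lookup class removed, as in the ES 7.16.1 jar above
            elif v:
                status = "vulnerable"    # unfixed version with the lookup class still present
            else:
                status = "unknown"       # lookup class present, no usable version: check by hand
            findings.append(Finding(path, version, status))
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                findings.extend(scan_bytes(zf.read(name), f"{path}!/{name}"))
    return findings


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), path)


def build_sample_jar(version, keep_jndi=True, nest_in=None):
    """Constructed input for the demo: a fake log4j-core jar, optionally wrapped in an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    data = buf.getvalue()
    if nest_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nest_in, data)
        data = outer.getvalue()
    return data


def demo():
    """Classify constructed samples that mirror the file names in the scan output."""
    samples = {
        "elasticsearch-log4j-7.16.1.jar": build_sample_jar("2.11.1", keep_jndi=False),
        "elasticsearch-sql-cli-7.16.1.jar": build_sample_jar("2.11.1"),
        "app.war": build_sample_jar("2.12.0", nest_in="WEB-INF/lib/log4j-core-2.12.0.jar"),
        "log4j-core-2.17.0.jar": build_sample_jar("2.17.0"),
    }
    return {name: scan_bytes(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    results = demo() if len(sys.argv) == 1 else {p: scan_file(p) for p in sys.argv[1:]}
    for name, findings in results.items():
        for f in findings:
            print(f"{f.status:<10} log4j {f.version:<8} {f.path}")
```

A "vulnerable" status only says that unfixed code is on disk; whether it is reachable depends on whether that jar is ever loaded (the sql-cli jar flagged above lives under bin/ and is a separate command-line tool, not the server process). Pass real paths as arguments to classify jars from the host, and prefer the version check over the mitigated label whenever both are available, since a stripped lookup class says nothing about the later log4j CVEs.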
20 December 2021 at 17:09 #12382
Hi Christof,
as discussed in the linked articles, for OTOBO only Elasticsearch uses log4j (as you can also see in the output of your scan). For various reasons (the Java Security Manager and the versions of Elasticsearch and the JDK we used before; please read this detailed article by the Elastic team: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476) our setup allegedly was never vulnerable to any of the attacks, but with last week's 10.0.14 release we implemented Elastic's general security patch from last week (7.16.1), which still uses the old log4j libraries but explicitly prevents the functionalities on which the attacks are based. We plan to release within this week a new version based on Elasticsearch 7.16.2, which came out yesterday and implements log4j 2.17.0. If you feel in doubt, you can easily stop the Elasticsearch container before the installation, or after it, as also explained in the articles cited by Grit, until our second patch comes out.
Best regards, Sven