1. Describe your incident:
Wanting to mitigate the above CVE.
2. Describe your environment:
Ubuntu 18.04 server / Graylog 3-12-1 / ES 6.8.12 / Mongo 4.012
- Service logs, configurations, and environment variables:
Mitigation for RCE via -Dlog4j2.formatMsgNoLookups=true in both GL and ES java configuration
The ES mitigation is to upgrade Elasticsearch-oss to 6.8.22; this leaves Graylog.
4. How can the community help?
From Log4j – Apache Log4j Security Vulnerabilities, it states:
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.
OK, so this to me suggests that an attacker could potentially terminate the Graylog logging process, but only in a non-default logging configuration.
From /etc/graylog/server/log4j.xml it looks like this is not vulnerable.
cat log4j2.xml | more
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>
        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>
If the above is the case, then is Graylog impacted at all by this CVE, because it is not using a non-default configuration? Alternatively, is it possible to simply remove the affected class with the command below?
zip -d graylog2-server-3.12-1-shaded.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Any help appreciated
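The two checks the post raises, as an added example (this is not Graylog's or Apache's code, and not part of the original post): first, whether a shaded jar still carries the JndiLookup class that `zip -d` would strip (the JNDI lookup path behind the RCE), and second, whether a log4j2.xml actually uses a Context Lookup (`${ctx:...}`) in a PatternLayout, which is the non-default configuration the quoted CVE-2021-45105 text depends on. Stripping the class does nothing for the second problem, so the script tests them separately. The jar, its `2.14.1` pom.properties, the class bytes and the second config are constructed inline so it runs offline; the default pattern is the one from the posted `/etc/graylog/server/log4j2.xml`. To use it on a real install, point `inspect_jar`/`strip_jndi_lookup` at your own shaded server jar with the service stopped.

```python
"""Added example (not Graylog's or Apache's code): audit a possibly shaded jar for the
bundled log4j-core and decide whether a log4j2.xml is in the non-default configuration
that CVE-2021-45105 needs.  Everything it runs against is constructed inline below."""
import os
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Entry paths inside log4j-core; a shaded jar keeps the same paths, so the same
# check works on a shaded server jar as on a plain log4j-core-*.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar_path):
    """Return (bundled log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, JNDI_LOOKUP_CLASS in names


def strip_jndi_lookup(jar_path):
    """Do what `zip -d <jar> .../JndiLookup.class` does, portably: rewrite the jar
    without that entry, keeping a .bak copy of the original.  Returns True if the
    entry was removed, False if the jar did not contain it."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp_path, jar_path)
    return True


def context_lookup_patterns(log4j2_xml):
    """Return every PatternLayout pattern containing a Context Lookup (${ctx:...} or
    $${ctx:...}).  Empty list: not the non-default layout the CVE-2021-45105 text
    describes.  %X/%mdc converters are not lookups and are deliberately ignored."""
    hits = []
    for layout in ET.fromstring(log4j2_xml).iter("PatternLayout"):
        pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
        if "${ctx:" in pattern:  # also matches the escaped form $${ctx:
            hits.append(pattern)
    return hits


# The stock Graylog pattern from the posted /etc/graylog/server/log4j2.xml: no lookup.
DEFAULT_PATTERN_XML = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed counter-example using the lookup named in the Apache advisory text.
CTX_PATTERN_XML = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %-5p [%c{1}] $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""


def build_sample_jar(directory):
    """Constructed stand-in for a shaded jar bundling log4j-core 2.14.1.  The class
    entries hold placeholder bytes, not real bytecode; only the entry names matter."""
    jar_path = os.path.join(directory, "sample-shaded.jar")
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\nversion=2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")
    return jar_path


def demo():
    """Run the audit end to end on the constructed jar and the two configs."""
    work = tempfile.mkdtemp()
    try:
        jar = build_sample_jar(work)
        before = inspect_jar(jar)            # ('2.14.1', True)
        removed = strip_jndi_lookup(jar)     # True
        after = inspect_jar(jar)             # ('2.14.1', False): other entries survive
        backup_ok = os.path.exists(jar + ".bak")
    finally:
        shutil.rmtree(work)
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "backup_written": backup_ok,
        "default_config_ctx_lookups": context_lookup_patterns(DEFAULT_PATTERN_XML),
        "ctx_config_ctx_lookups": context_lookup_patterns(CTX_PATTERN_XML),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical notes: keep the `.bak` the function writes until the service is confirmed to start cleanly, and remember that a package upgrade will replace the edited jar, so the check has to be re-run after every upgrade until the bundled log4j is on a fixed release.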