CVE-2021-45046 / Log4J Mitigation

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

Wanting to Mitigate above CVE

2. Describe your environment:
Ubuntu 18.04 server / Graylog 3-12-1 / ES 6.8.12 / Mongo 4.012

  • Service logs, configurations, and environment variables:
    Mitigation for RCE via -Dlog4j2.formatMsgNoLookups=true in both GL and ES java configuration

ES Mitigations is to upgrade Elasticsearch-oss to 6.8.22, this leaves Graylog.

4. How can the community help?

From Log4j – Apache Log4j Security Vulnerabilities it states

When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

OK so this to me suggests that an attacker could potentially terminate the Graylog logging process but only in a non default logging configuration.

From /etc/graylog/server/log4j.xml it looks like this is not vulnerable.

 cat log4j2.xml | more
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
                <SizeBasedTriggeringPolicy size="50MB"/>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>

If the above is the case, then is Graylog impacted at all by this CVE becuse it is not using a non default configuration? Alternatively, is it possible to simply remove the affected class with below

 zip -d graylog2-server-3.12-1-shaded.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Any help appreciated

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

Check out this post.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.