Log4Shell Security Impact Statement

Original publication date: 2021-Dec-14 15:00 EST

Last Update: 2022-Jan-3 10:21 EST. This page will be updated continuously as confirmations are received.

TRAX is monitoring developments on the Log4j (Log4Shell or LogJam) vulnerabilities: CVE-2021-44228 with a CVSS v3 score of 9.8 rated Critical Impact, CVE-2021-45046 with a CVSS score of 3.7 rated Low Impact, and now CVE-2021-44832, which reports a further vulnerability in all log4j v2.x versions and makes upgrading every log4j file to v2.17.1 mandatory for apps deployed on Java 8.

This page informs TRAX Customers about the affected applications distributed to Customers, whether hosted on TRAXCloud, self-hosted on-premise, or hosted with other 3rd parties.


Here are the answers to the most common questions we’ve received:

Question 1: Do any Trax applications require or depend on the log4j-core?

Answer: NO. Server admins can open the log4j jar file and remove the JNDI class with no effect on our apps. In fact, none of the apps load the log4j-core jar file except TraxDocServices, which is used by several Customers. Regardless, Trax is working with immediate urgency to replace the apps that deploy log4j.


Question 2: Does Trax distribute this file in its applications?

Answer: YES! In our Java-based apps & interfaces, as follows:

1.  The TraxDocServices & EmployeeSchedule apps have been identified as containing log4j 2.11.1. The product teams are working on replacing this with log4j-core-2.17.1.jar. Until then, Customers:

         a. that are hosted on the TRAXCloud will be contacted by TRAX IT to schedule the server restarts required to apply the new war files.

         b. that host on-premise or with other 3rd parties must submit a Weblog on https://icentral.trax.aero requesting the newly recompiled war file; the Support team will make it available for Customers to download. In the interim, Customers running TraxDocServices (and the other affected apps in the list below) on-premise are encouraged to immediately apply the applicable remedy/upgrade manually as instructed by the Apache security bulletins, as it will not affect our applications. Links to the upgrade downloads are at the end of this document.

2.  Interfaces: All interface war files contain a version of the log4j files and therefore must be mitigated as instructed below.

3.  Refer to our documentation in the Technical & Interface Document Library in iCentral: the document How to Set Up Log4j Configuration.pdf explains how to configure log4j to aid in troubleshooting interface errors when they occur. It has been revised to include a Critical alert about these CVEs and directs the reader to this statement/page.

4.  Other vendors’ technologies may also require log4j mitigation, so it is best to inventory all application servers for the presence of log4j on each server and mitigate accordingly. See Wildfly & Jasper Reports Server in the Impact List below.


Question 3: Can the log4j2.jar file be removed altogether if Trax Apps do not depend on or call log4j?

Answer: NO


Question 4: Which mitigation measures does Trax recommend at this time?

Answer: The following list is an outline of the options:

1.  The mitigation of this vulnerability has been changing weekly; see the History section of the Apache Log4j Security page at https://logging.apache.org/log4j/2.x/security.html and follow their Mitigation steps. Apply them immediately wherever you find a v2.x log4j file, then set a reminder to revisit the page every few days to be certain that the mitigation steps you implemented remain effective.

2.  As of December 30th, 2021 13:00 EST, Apache recommends the measures indicated on the Apache Log4j Security Page; see the screenshots below.

3.  The TRAXCloud team is implementing the upgrades manually right away, until the war files for each application and interface have been recompiled with log4j 2.17.1 for those apps deployed with Java v8. Trax recommends that all Customers replace the log4j files MANUALLY as an interim solution until TRAX has recompiled the war files and made them available.

4.  Review the Status List below and, when available, submit a Weblog to request the app(s) you want recompiled with log4j v2.17.1. This process allows Trax to track the apps that have been delivered with the fix and to identify Customers that are still vulnerable. It is critical for TRAX to rebuild the WAR/EAR files it distributes to Customers, to ensure that a later deployment does not replace or restore a vulnerable version of Log4j on your application server(s).

5.  Apply the Java 11 upgrade; it is another way to mitigate the log4j vulnerability. All our JDK-deployed applications are certified for JDK 11 deployment, so this is a two-for-one option: you mitigate the log4j vulnerability and advance on the migration to Java JDK v11 that is due by March of 2022.


Question 5: Are there other CVEs to be concerned about for log4j?

Answer: Here are the three main CVEs:

CVE-2021-44832: CVSS v3 score of 6.6, rated Moderate Impact. This CVE supersedes all prior CVEs, as further vulnerabilities were discovered in Log4j after the patches released for the prior CVEs; upgrading log4j is therefore the sole mitigation method.

CVE-2021-4104: CVSS v3 score of 6.6, rated Moderate Impact.

CVE-2021-45046: CVSS v3 score of 3.7, rated Low Impact.

Screenshots from Apache’s Security Page


Screenshot from the Apache Log4j Security page on December 30, 2021 15:30 EST:


Screenshot from the Apache Log4j Security page on December 15, 2021 13:00 EST:


Additional CVE released

For immediate mitigation, download the matching log4j file below and replace the file on all your servers. Identify the vulnerable file/version with the following command line: find /opt/ -type f -name log4j\*jar and replace it with the latest version from here: /log4j-core

According to Apache, the vulnerability exists only in the LOG4J-CORE jar file. However, to be safe & consistent, you should upgrade the other log4j jar files to the latest version on all servers running Java apps in your infrastructure. Here are the links to download those files:

          log4j-api-2.XX /log4j-api

          log4j-jcl-2.XX  /log4j-jcl

          log4j-jul-2.XX  /log4j-jul

          log4j-slf4j-impl-2.XX  /log4j-slf4j-impl

          log4j-web-2.XX /log4j-web

          log4j-1.2-api-2.XX  /log4j-1.2-api
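As an added example (not TRAX tooling and not from the Apache bulletins), the following POSIX shell script automates the inventory step described above: it walks a directory tree with the same find pattern, reads the version from each jar name, flags every log4j jar older than the 2.17.1 floor this statement recommends for Java 8, and, where unzip is available, reports whether the jar still contains the JndiLookup class that Question 1 says server admins may remove. The tree it builds with --demo consists of empty placeholder files whose names are constructed for illustration; they are not real jars, so the class check reports "unknown" for them.

```shell
#!/bin/sh
# Added example, not TRAX or Apache code: inventory log4j jars under a directory
# tree and flag every one below the 2.17.1 floor recommended above for Java 8.
# Usage: sh log4j-inventory.sh /opt      (scan a real tree)
#        sh log4j-inventory.sh --demo    (scan a constructed sample tree)

MIN_SAFE="2.17.1"
JNDI_CLASS="org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Version from a jar name: log4j-core-2.11.1.jar -> 2.11.1; prints nothing when
# the name carries no version (log4j-core.jar).
log4j_version_from_name() {
  name=$(basename "$1" .jar)
  ver=${name##*-}
  case "$ver" in
    [0-9]*) [ "$ver" != "$name" ] && printf '%s\n' "$ver" ;;
  esac
  return 0
}

# N-th dot-separated numeric field of a version, 0 when missing ("2.9" -> 2 9 0).
vpart() {
  printf '%s\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//' | awk '{ print $0 + 0 }'
}

# Exit 0 when version $1 is older than version $2 (compares three fields).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(vpart "$1" "$i"); y=$(vpart "$2" "$i")
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# OK, VULNERABLE (older than MIN_SAFE) or UNKNOWN (no version in the name).
classify_jar() {
  ver=$(log4j_version_from_name "$1")
  if [ -z "$ver" ]; then
    printf 'UNKNOWN\n'
  elif version_lt "$ver" "$MIN_SAFE"; then
    printf 'VULNERABLE\n'
  else
    printf 'OK\n'
  fi
}

# yes/no if the jar still carries JndiLookup.class; unknown without unzip or
# when the file is not a readable zip archive (the constructed stubs are not).
has_jndi_lookup() {
  command -v unzip >/dev/null 2>&1 || { printf 'unknown\n'; return 0; }
  listing=$(unzip -l "$1" 2>/dev/null) || { printf 'unknown\n'; return 0; }
  case "$listing" in
    *"$JNDI_CLASS"*) printf 'yes\n' ;;
    *) printf 'no\n' ;;
  esac
}

# One tab-separated line per jar found with the statement's find pattern.
scan_log4j_jars() {
  find "$1" -type f -name 'log4j*jar' | sort | while IFS= read -r jar; do
    printf '%s\t%s\t%s\tJndiLookup=%s\n' "$jar" \
      "$(log4j_version_from_name "$jar")" "$(classify_jar "$jar")" "$(has_jndi_lookup "$jar")"
  done
}

# Number of jars flagged VULNERABLE under a tree; non-zero means work remains.
count_vulnerable() {
  scan_log4j_jars "$1" | grep -c 'VULNERABLE' || true
}

# Constructed sample tree: empty placeholder files named like real jars.
make_sample_tree() {
  mkdir -p "$1/app1/WEB-INF/lib" "$1/app2/WEB-INF/lib"
  : > "$1/app1/WEB-INF/lib/log4j-core-2.11.1.jar"
  : > "$1/app1/WEB-INF/lib/log4j-api-2.11.1.jar"
  : > "$1/app2/WEB-INF/lib/log4j-core-2.16.0.jar"
  : > "$1/app2/WEB-INF/lib/log4j-core-2.17.1.jar"
  : > "$1/app2/WEB-INF/lib/log4j-core.jar"
  : > "$1/app2/WEB-INF/lib/unrelated.jar"
}

if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d)
  make_sample_tree "$root"
  scan_log4j_jars "$root"
  printf 'vulnerable jars: %s\n' "$(count_vulnerable "$root")"
  rm -rf "$root"
elif [ -n "${1:-}" ]; then
  scan_log4j_jars "$1"
fi
```

The version floor is deliberately applied to every log4j jar, not only log4j-core, because the statement asks Customers to upgrade the companion jars as well for consistency. A jar whose name carries no version is reported as UNKNOWN rather than OK, so it is not silently skipped; such files need a manual check of their manifest.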

Sources of Information that we are monitoring & following: 

  1. Apache
  2. Oracle Document 2827611.1 for Oracle Database, Java & other products regarding the applicability of Security Alert CVE-2021-44228 to Oracle on-premises products; it is continually updated by Oracle as to the products that require or do not require patches.
  3. Redhat for JBoss EAP https://access.redhat.com/security/cve/cve-2021-44228
  4. AWS for RDS https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
  5. Microsoft for Windows-based deployments
  6. OWASP.org for adding this CVE to the OWASP list and to the F5 WAF Managed Rulesets.
  7. Wildfly does not deploy Log4j-core; instead you’ll find a shaded version that is not the affected log4j-core in the path /opt/Wildfly-##.#.#.Final/modules/system/layers/base/org/jboss/log4j/logmanager/main. Trax recommends applying 2.17.1 to all application servers running Java 8.