[Isis-users] ABCD Empweb and the Log4J vulnerability
Egbert De Smet
egbert.desmet at uantwerpen.be
Tue Dec 14 22:31:24 CET 2021
Information for the users of EmpWeb in ABCD
In the overview of the current status of the ABCD software development sent out a few days ago, it was mentioned that the EmpWeb 'advanced loans' module is not really affected by the flaw, rated as a very high security risk, in the 'Log4J' logging tool. The context of that overview did not allow for a more elaborate analysis, but we think it is still necessary to clarify.
It was too simple to state that ABCD EmpWeb does not use Log4J, certainly when based only on a quick check showing that no 'log4J' file is present in the EmpWeb sources. The risk lies in taking in templated 'messages' entered and sent by users, which could actually trigger a download of executable code; EmpWeb does not prompt for such input from users, it only takes IDs of users and loan objects to act on. Versions 2.0 up to 2.2.14 are affected by this vulnerability, but EmpWeb uses an older version (dated 2005).
In reality there are two places where, in theory, there can still be a risk, namely the following parts:
- the Avalon framework, which is a (very limited) 'wrapper' for the logging function and has now been moved by the Apache Software Foundation to the LogKit component of Apache Excalibur; the file is avalon-framework-4.2.0.jar in common/ext;
- the MySQL connector 'mysql-connector-java-3.1.12-bin.jar' in the same common/ext directory, which uses the actual Log4J tool (/com/mysql/jdbc/log/Log4JLogger.class).
So it seems important to have this 'external' library, used in EmpWeb, patched by keeping it updated, which is actually a requirement anyway, i.e. to update this external component regularly from its dedicated sources. A search, even today, for actions taken on this mysql-connector remains unanswered, so it is important to watch that space for solutions offered from the mysql-connector-for-java front (or, for that matter, the MariaDB connector).
The work-arounds reported, pending real patches from Apache, are the following:
* Start the Java Virtual Machine with log4j2.formatMsgNoLookups set to true; this could be added to the variable JAVA_OPTIONS in the java-launching command in empweb.sh, e.g. -Dlog4j2.formatMsgNoLookups=true
* [Remove the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)]; EmpWeb does not contain such a file (log4j-core-*.jar), and we could not find any reference to JndiLookup.class.
We are far from experts on this subject, which, as one can easily see, is quite technical, so any additional input from others is most welcome. Please ask around if you have colleagues more familiar with security patches and, more specifically, with logging in the MySQL connector for Java.
With the information provided here we hope to facilitate further analysis and recommendations for EmpWeb-users.
Egbert de Smet
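The check described in the message above (look in common/ext for JndiLookup.class and for the MySQL connector's Log4JLogger.class, and apply the two reported work-arounds) can be scripted so that it is repeatable after every update of an external jar. The following is an added example written for this page; it is not code from ABCD or EmpWeb. It uses only the Python standard library, builds its own constructed sample tree of three jars named after the files mentioned in the message (the log4j-core-2.14.1.jar and its version file are hypothetical, included only to exercise the removal step, since EmpWeb itself ships no such jar), and the class entries are empty placeholders rather than real bytecode. One caveat worth knowing: the -Dlog4j2.formatMsgNoLookups=true flag is honoured only by Log4J 2.10 and later, so the script treats it as a separate check on JAVA_OPTIONS rather than as proof that the deployment is safe.

```python
"""Added example (not part of ABCD/EmpWeb): audit a jar directory for the
classes discussed on this page and apply the two work-arounds.
Sample jars are constructed in a temporary directory; no real bytecode."""
import os
import shlex
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MYSQL_LOG4J_LOGGER = "com/mysql/jdbc/log/Log4JLogger.class"
# Maven metadata that log4j-core jars carry; used to report the version.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def scan_jar(path):
    """Report what one jar contains that matters for this assessment."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if LOG4J2_POM in names:
            for line in zf.read(LOG4J2_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "jar": os.path.basename(path),
        "log4j2_core_version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "has_mysql_log4j_logger": MYSQL_LOG4J_LOGGER in names,
    }


def scan_dir(root):
    """Scan every *.jar below root (recursively); sorted for stable output."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                results.append(scan_jar(os.path.join(dirpath, name)))
    return results


def strip_jndi_lookup(path):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`: rewrite the jar
    without that entry.  Returns True if an entry was actually removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, path)
    else:
        os.remove(tmp)
    return removed


def has_no_lookups_flag(java_options):
    """True if the JAVA_OPTIONS string (as in empweb.sh) carries the flag
    as a whole token, so that e.g. '...=false' does not count."""
    return NO_LOOKUPS_FLAG in shlex.split(java_options)


def build_sample_tree(root):
    """Constructed sample data: a common/ext directory with three jars named
    after the files on this page.  log4j-core-2.14.1.jar is hypothetical."""
    ext = os.path.join(root, "common", "ext")
    os.makedirs(ext, exist_ok=True)
    with zipfile.ZipFile(os.path.join(ext, "avalon-framework-4.2.0.jar"), "w") as zf:
        zf.writestr("org/apache/avalon/framework/logger/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(ext, "mysql-connector-java-3.1.12-bin.jar"), "w") as zf:
        zf.writestr(MYSQL_LOG4J_LOGGER, b"")
    with zipfile.ZipFile(os.path.join(ext, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(LOG4J2_POM, "version=2.14.1\n")
    return ext


def demo():
    """Scan the sample tree, strip JndiLookup everywhere, scan again.
    Returns (findings_before, removed_flags, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        ext = build_sample_tree(root)
        before = scan_dir(ext)
        removed = [strip_jndi_lookup(os.path.join(ext, f["jar"])) for f in before]
        after = scan_dir(ext)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for finding, was_removed in zip(before, removed):
        print(finding, "JndiLookup removed:", was_removed)
    print("after:", after)
    print("JAVA_OPTIONS ok:", has_no_lookups_flag("-Xmx512m " + NO_LOOKUPS_FLAG))
```

Point scan_dir() at the real common/ext directory (and at any WEB-INF/lib) to get the same report for an installed EmpWeb; a jar that shows has_mysql_log4j_logger but no log4j-core jar on the classpath is exactly the situation the message describes, and the answer there is an updated connector from its vendor, not the JndiLookup removal, which only applies to Log4J 2's log4j-core jar.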