Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Juri Berlanda

Hi all,

thanks a lot to all for the quick replies. Not what I hoped to hear, but 
hey - every new detail I learn about this issue turns out to be the 
opposite of what I hope to hear.


Cheers,

Juri

On 12/13/21 4:17 PM, David Weisgerber wrote:

Hi,
Our software was also affected but luckily not our Tomcat distribution.
I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set 
the environment variables. The problem is that through log4j2 you can misuse 
other library functions where the JRE mitigations would not protect you. I must 
repeat, there was a website stating that the presence of tomcat alone would 
open up another attack vector through log4j2.

Best regards,
David

-Original Message-
From: Juri Berlanda 
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time 
Java version

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.

In any case: in a lot of places I saw "recent JRE versions have a mitigation in 
place", but I can't seem to find which JRE version introduced which mitigation. Can 
anybody here point me to where I can find that information? Googling for this only seems 
to bring up everybody's security advisories, but nobody seems to bother to state exact 
JRE versions.

Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:

Suspecting that someone here knows the answer immediately, I thought
I’d ask.

If you do not know the answer, please don’t spend any time
investigating: I’ll do that later today and update everyone whether
or not I find an answer.

Our security team advise that “Certain versions of the Java
Development Kit remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if
the runtime JDK/JRE provides a mitigation of sorts, you may still be
vulnerable through other means (aka "JNDI gadgets").

There is also a risk of information leakage which does NOT rely on the
use of LDAP connections.

Your best course of action would be to upgrade log4j if possible, or
use one of the several other mitigations available for recent
versions. If you aren't running a recent version, RUN ONE.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







RE: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Scott,Tim
> From: Juri Berlanda
> Sent: 13 December 2021 15:03
> Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs 
> compile time Java version

> Hi,

> we were affected - we use an AccessLogValve, which logs to Log4j2 and we 
> use Log4j as java.util.logging LogManager. We already patched, but only 
> on Saturday.

> In any case: in a lot of places I saw "recent JRE versions have a 
> mitigation in place", but I can't seem to find which JRE version 
> introduced which mitigation. Can anybody here point me to where I can 
> find that information? Googling for this only seems to bring up 
> everybody's security advisories, but nobody seems to bother to state 
> exact JRE versions.

Our security team stated:

"Certain versions of the Java Development Kit remove the LDAP attack vector, 
but others remain. Versions after these JDKs remove the LDAP vector:
6u211
7u201
8u191
11.0.1"

No doubt you can review the release notes for, e.g., 8u191/192 for further 
clues.

Notwithstanding Mark's notes earlier that updating your JRE may not resolve 
everything.

> Cheers,
> Juri

Thanks,
Tim
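Tim's list above gives concrete update levels, and Chris's answer earlier in the thread says the check is a runtime one. The script below is an added example, not code from the thread, from OCLC or from the Tomcat project: it parses the version string of the JRE that will run Tomcat (in any of the three spellings seen in practice) and classifies it against those four levels. It assumes that each listed update is the first one carrying the change (the thread says "after these JDKs"), and every result it returns repeats the thread's own caveat, because the JDK-level change is not a fix for the log4j2 issue.

```python
"""Check a JRE/JDK version string against the update levels quoted in the
thread (6u211, 7u201, 8u191, 11.0.1) after which the JDK itself no longer
trusts remote LDAP codebases.  Added example; not code from the mailing list.
The thread's point still stands: this is NOT a fix for CVE-2021-44228, so the
result is only one line of an inventory report."""
import re
import subprocess

# Update levels quoted by Tim's security team, keyed by feature release.
# Assumption: the listed update is the first one with the change, so the
# comparison below is "at least this update".
JDK_LDAP_THRESHOLDS = {
    6: (6, 211),
    7: (7, 201),
    8: (8, 191),
    11: (11, 0, 1),
}


def parse_java_version(text):
    """Normalise the three spellings to a comparable tuple:
    '8u191' / '1.8.0_191-b12' -> (8, 191); '11.0.1' / '17.0.2+8' -> (11, 0, 1)."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)u(\d+)", text)                       # 8u191 shorthand
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"1\.(\d)\.0(?:_(\d+))?(?:-.*)?", text)        # legacy 1.x.0_NNN[-bNN]
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[+\-].*)?", text)  # JEP 223 style
    if m:
        return tuple(int(g or 0) for g in m.groups())
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_java_output(output):
    """Pull the quoted version out of `java -version` output,
    e.g. 'openjdk version "11.0.1"' -> '11.0.1'."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line found")
    return m.group(1)


def jdk_ldap_mitigation(version_string):
    """'mitigated', 'not mitigated', or 'unknown' when the feature release is
    not covered by the thread's list (e.g. 9 or 10)."""
    v = parse_java_version(version_string)
    feature = v[0]
    if feature in JDK_LDAP_THRESHOLDS:
        return "mitigated" if v >= JDK_LDAP_THRESHOLDS[feature] else "not mitigated"
    if feature > 11:
        return "mitigated"  # every later feature release is "after 11.0.1"
    return "unknown"


def report(version_string):
    """One inventory line, carrying the thread's advice with every result."""
    state = jdk_ldap_mitigation(version_string)
    return (f"JRE {version_string}: JDK-level LDAP codebase restriction {state}; "
            "update or configure log4j2 regardless")


if __name__ == "__main__":
    # Ask the JRE that will actually run Tomcat; `java -version` writes to stderr.
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    print(report(version_from_java_output(proc.stderr)))
```

Run it with the `java` binary Tomcat's `setenv.sh`/`JAVA_HOME` points at, not whatever is first on your shell's PATH; the two can differ, and as the thread says only the runtime JRE matters.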



RE: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread David Weisgerber
Hi,
Our software was also affected but luckily not our Tomcat distribution.
I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set 
the environment variables. The problem is that through log4j2 you can misuse 
other library functions where the JRE mitigations would not protect you. I must 
repeat, there was a website stating that the presence of tomcat alone would 
open up another attack vector through log4j2.

Best regards,
David

-Original Message-
From: Juri Berlanda  
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time 
Java version

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.

In any case: in a lot of places I saw "recent JRE versions have a mitigation in 
place", but I can't seem to find which JRE version introduced which mitigation. 
Can anybody here point me to where I can find that information? Googling for 
this only seems to bring up everybody's security advisories, but nobody seems 
to bother to state exact JRE versions.

Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:
> Tim,
>
> Adding to what others have posted...
>
> On 12/13/21 03:57, Scott,Tim wrote:
>> Suspecting that someone here knows the answer immediately, I thought 
>> I’d ask.
>>
>> If you do not know the answer, please don’t spend any time
>> investigating: I’ll do that later today and update everyone whether 
>> or not I find an answer.
>>
>> Our security team advise that “Certain versions of the Java 
>> Development Kit remove the LDAP attack vector”.
>>
>> My question is: Does this removal occur during compile time or runtime?
>
> Runtime. You can even re-enable the vulnerability if you want :)
>
> It's worth repeating what David Weisgerber said in his reply: even if 
> the runtime JDK/JRE provides a mitigation of sorts, you may still be 
> vulnerable through other means (aka "JNDI gadgets").
>
> There is also a risk of information leakage which does NOT rely on the 
> use of LDAP connections.
>
> Your best course of action would be to upgrade log4j if possible, or 
> use one of the several other mitigations available for recent 
> versions. If you aren't running a recent version, RUN ONE.
>
> -chris
>




Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Sebastian Hennebrüder
There have been multiple patches for RMI and LDAP over time in Java.

The first article states which attack (from the one the researcher analyzed) 
was possible in which version.

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

https://github.com/mbechler/marshalsec/

If the system is not explicitly configured to allow remote class loading via 
RMI from everywhere, the only successful attack (= run code on the server) I 
found is leveraging the BeanFactory of Tomcat. The latter works with any 
recent Tomcat and Java.

I understand Mark’s point that this is caused by use of log4j and not by 
Tomcat; on the other hand, it would be way harder to leverage the attack if the 
BeanFactory could be modified.






> On 13.12.2021 at 16:03, Juri Berlanda wrote:
> 
> Hi,
> 
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
> Log4j as java.util.logging LogManager. We already patched, but only on 
> Saturday.
> 
> In any case: in a lot of places I saw "recent JRE versions have a mitigation 
> in place", but I can't seem to find which JRE version introduced which 
> mitigation. Can anybody here point me to where I can find that information? 
> Googling for this only seems to bring up everybody's security advisories, but 
> nobody seems to bother to state exact JRE versions.
> 
> Cheers,
> 
> Juri
> 
> On 12/13/21 2:13 PM, Christopher Schultz wrote:
>> Tim,
>> 
>> Adding to what others have posted...
>> 
>> On 12/13/21 03:57, Scott,Tim wrote:
>>> Suspecting that someone here knows the answer immediately, I thought I’d 
>>> ask.
>>> 
>>> If you do not know the answer, please don’t spend any time investigating: 
>>> I’ll do that later today and update everyone whether or not I find an 
>>> answer.
>>> 
>>> Our security team advise that “Certain versions of the Java Development Kit 
>>> remove the LDAP attack vector”.
>>> 
>>> My question is: Does this removal occur during compile time or runtime?
>> 
>> Runtime. You can even re-enable the vulnerability if you want :)
>> 
>> It's worth repeating what David Weisgerber said in his reply: even if the 
>> runtime JDK/JRE provides a mitigation of sorts, you may still be vulnerable 
>> through other means (aka "JNDI gadgets").
>> 
>> There is also a risk of information leakage which does NOT rely on the use 
>> of LDAP connections.
>> 
>> Your best course of action would be to upgrade log4j if possible, or use one 
>> of the several other mitigations available for recent versions. If you 
>> aren't running a recent version, RUN ONE.
>> 
>> -chris
>> 
> 
> 





Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Juri Berlanda

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we 
use Log4j as java.util.logging LogManager. We already patched, but only 
on Saturday.


In any case: in a lot of places I saw "recent JRE versions have a 
mitigation in place", but I can't seem to find which JRE version 
introduced which mitigation. Can anybody here point me to where I can 
find that information? Googling for this only seems to bring up 
everybody's security advisories, but nobody seems to bother to state 
exact JRE versions.


Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought 
I’d ask.


If you do not know the answer, please don’t spend any time 
investigating: I’ll do that later today and update everyone whether 
or not I find an answer.


Our security team advise that “Certain versions of the Java 
Development Kit remove the LDAP attack vector”.


My question is: Does this removal occur during compile time or runtime?


Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if 
the runtime JDK/JRE provides a mitigation of sorts, you may still be 
vulnerable through other means (aka "JNDI gadgets").


There is also a risk of information leakage which does NOT rely on the 
use of LDAP connections.


Your best course of action would be to upgrade log4j if possible, or 
use one of the several other mitigations available for recent 
versions. If you aren't running a recent version, RUN ONE.


-chris






RE: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Scott,Tim
Hi Mark,

Thank you. That clarifies something I was not quite getting.

Surely setting a system property “log4j2.formatMsgNoLookups” does not require a 
particular JRE version?
And no, it doesn’t.

Yes – we’d need to upgrade log4j2 and/or add that parameter. Whilst the JRE 
version might deliver some protection, it’s not everything.

Thanks,
Tim

--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager

cc: Product Management file

OCLC COVID-19 resources: https://oc.lc/covid19-service-info

From: Mark Thomas 
Sent: 13 December 2021 09:36
To: users@tomcat.apache.org
Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs 
compile time Java version

On 13/12/2021 09:21, David Weisgerber wrote:
> Hi,
> as far as I read through the details, it is a runtime option of the JRE. So, 
> it does not need any recompilation.
> However, some websites pointed out that if you are using Tomcat you could 
> bypass the JRE protection.

Correct, it is the runtime version of the JRE that matters.

It is also correct that using the latest JDK is *not* sufficient to
protect against this issue.

Depending on what classes are on the class path, it may be possible to
trigger an LDAP call to a malicious LDAP server that, with a specially
crafted response, can trigger code execution. Tomcat includes at least
one such collection of classes by default so you should *not* rely on
just updating the JRE.

You need to update log4j2 to a version that disables JNDI lookups by
default or ensure you are using a sufficiently recent version of log4j2
that has the option to disable JNDI lookups and ensure that you have
configured it so JNDI lookups are disabled.

It is pretty much a certainty that there will be other combinations of
libraries that this exploit can leverage so, whether you are running on
Tomcat or not, my recommendation would be to ensure that you address
this issue with the log4j2 update or configuration.

Mark


>
> Best regards,
> David
>
> From: Scott,Tim <tim.sc...@oclc.org>
> Sent: Monday, 13 December 2021 09:57
> To: users@tomcat.apache.org
> Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
> version
>
> Hi all,
>
> Suspecting that someone here knows the answer immediately, I thought I’d ask.
>
> If you do not know the answer, please don’t spend any time investigating: 
> I’ll do that later today and update everyone whether or not I find an answer.
>
> Our security team advise that “Certain versions of the Java Development Kit 
> remove the LDAP attack vector”.
>
> My question is: Does this removal occur during compile time or runtime?
>
> i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
> attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
> this?
>
> Thank you,
> Tim
>
> --
>
> Tim Scott
>
> OCLC · Senior Software Engineer / Technical Product Manager
>
> CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK
>
>
> cc: Product Management file
>
>
> OCLC COVID-19 resources: https://oc.lc/covid19-service-info
> [COVID-19: We’re in this together] <https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support_medium=email_source=libraryservices_content=signature-banner-covid-19-information-resources>
>




Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Christopher Schultz

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought I’d 
ask.


If you do not know the answer, please don’t spend any time 
investigating: I’ll do that later today and update everyone whether or 
not I find an answer.


Our security team advise that “Certain versions of the Java Development 
Kit remove the LDAP attack vector”.


My question is: Does this removal occur during compile time or runtime?


Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if 
the runtime JDK/JRE provides a mitigation of sorts, you may still be 
vulnerable through other means (aka "JNDI gadgets").


There is also a risk of information leakage which does NOT rely on the 
use of LDAP connections.


Your best course of action would be to upgrade log4j if possible, or use 
one of the several other mitigations available for recent versions. If 
you aren't running a recent version, RUN ONE.


-chris




Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Mark Thomas

On 13/12/2021 09:21, David Weisgerber wrote:

Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it 
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could 
bypass the JRE protection.


Correct, it is the runtime version of the JRE that matters.

It is also correct that using the latest JDK is *not* sufficient to 
protect against this issue.


Depending on what classes are on the class path, it may be possible to 
trigger an LDAP call to a malicious LDAP server that, with a specially 
crafted response, can trigger code execution. Tomcat includes at least 
one such collection of classes by default so you should *not* rely on 
just updating the JRE.


You need to update log4j2 to a version that disables JNDI lookups by 
default or ensure you are using a sufficiently recent version of log4j2 
that has the option to disable JNDI lookups and ensure that you have 
configured it so JNDI lookups are disabled.


It is pretty much a certainty that there will be other combinations of 
libraries that this exploit can leverage so, whether you are running on 
Tomcat or not, my recommendation would be to ensure that you address 
this issue with the log4j2 update or configuration.


Mark




Best regards,
David

From: Scott,Tim 
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
version

Hi all,

Suspecting that someone here knows the answer immediately, I thought I’d ask.

If you do not know the answer, please don’t spend any time investigating: I’ll 
do that later today and update everyone whether or not I find an answer.

Our security team advise that “Certain versions of the Java Development Kit 
remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
this?

Thank you,
Tim

--

Tim Scott

OCLC · Senior Software Engineer / Technical Product Manager

CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK


cc: Product Management file


OCLC COVID-19 resources: 
oc.lc/covid19-service-info
[COVID-19: We’re in this 
together]




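Mark's advice above reduces to two checks per deployment: which log4j-core version each Tomcat instance and webapp actually loads, and whether the JVM running Tomcat has lookups switched off (the `log4j2.formatMsgNoLookups` system property Tim refers to earlier in the thread, or its environment-variable equivalent). The audit script below is an added example, not code from the thread, from Tomcat or from the Log4j project. Its two version thresholds (`FIXED_FROM`, `OPTION_SINCE`) are placeholders to be replaced with the releases named in the Log4j project's advisory; the jar tree it builds is constructed for the demonstration; and the `LOG4J_FORMAT_MSG_NO_LOOKUPS` variable and the log4j-jul `LogManager` class name (Juri's "Log4j as java.util.logging LogManager" setup) are assumed from the Log4j documentation rather than taken from the thread.

```python
"""Inventory of log4j-core jars under a Tomcat install plus a check of the JVM's
lookup setting.  Added example, not code from the thread, Tomcat or Log4j."""
import os
import re
import tempfile
import zipfile

# PLACEHOLDERS, not advisory values: substitute the releases named in the Log4j advisory.
FIXED_FROM = (2, 99, 0)    # first release that disables JNDI lookups by default
OPTION_SINCE = (2, 10, 0)  # assumed first release that honours log4j2.formatMsgNoLookups
NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def version_tuple(text):
    """'2.11.1' -> (2, 11, 1); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))


def log4j_core_version(jar_path):
    """Manifest Implementation-Version first (jars get renamed), file name as fallback."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError):
        pass
    m = NAME_RE.match(os.path.basename(jar_path))
    return m.group(1) if m else None


def find_log4j_core(root):
    """Walk CATALINA_BASE (lib/ and every WEB-INF/lib) -> sorted [(relative path, version)]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                hits.append((os.path.relpath(path, root), log4j_core_version(path)))
    return sorted(hits)


def lookups_disabled(jvm_opts, env):
    """True if the property from the thread is on the JVM command line (e.g. via
    CATALINA_OPTS) or the equivalent environment variable is set to true."""
    if re.search(r"(?:^|\s)-Dlog4j2\.formatMsgNoLookups=true(?=\s|$)", jvm_opts):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def jul_bridged_to_log4j(jvm_opts):
    """Juri's setup: java.util.logging routed into log4j2, so Tomcat's own log
    lines (the access log included) end up in log4j-core as well."""
    return "-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager" in jvm_opts


def assess(root, jvm_opts, env, fixed_from=FIXED_FROM, option_since=OPTION_SINCE):
    """Per jar: 'fixed' (>= fixed_from), 'mitigated-by-config' (older, but the
    option exists and is on), 'vulnerable', or 'unknown-version'."""
    disabled = lookups_disabled(jvm_opts, env)
    results = []
    for rel, version in find_log4j_core(root):
        if version is None:
            status = "unknown-version"
        elif version_tuple(version) >= fixed_from:
            status = "fixed"
        elif version_tuple(version) >= option_since and disabled:
            status = "mitigated-by-config"
        else:
            status = "vulnerable"
        results.append((rel, version, status))
    return results


def build_sample_tree(root):
    """Constructed sample (not real artifacts): three webapps, each bundling a
    log4j-core jar that contains nothing but a manifest."""
    for webapp, version in (("shop", "2.11.1"), ("legacy", "2.3"), ("admin", "2.99.0")):
        libdir = os.path.join(root, "webapps", webapp, "WEB-INF", "lib")
        os.makedirs(libdir)
        with zipfile.ZipFile(os.path.join(libdir, f"log4j-core-{version}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def demo():
    """Audit the constructed tree as if Tomcat ran with these CATALINA_OPTS."""
    opts = ("-Xmx1g -Dlog4j2.formatMsgNoLookups=true "
            "-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager")
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return assess(root, opts, env={}), jul_bridged_to_log4j(opts)


if __name__ == "__main__":
    for rel, version, status in demo()[0]:
        print(f"{status:20} {version or '?':8} {rel}")
```

For a real audit, call `assess` with `CATALINA_BASE` and the option string the Tomcat JVM was actually started with (read it from the running process rather than from a copy of `setenv.sh`), and pass the process environment as `env`. A jar that is old enough to predate the option is reported `vulnerable` even when the property is set, which is the "sufficiently recent version of log4j2" condition in Mark's message; the only status that needs no further action is `fixed`.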



RE: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread David Weisgerber
Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it 
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could 
bypass the JRE protection.

Best regards,
David

From: Scott,Tim 
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
version

Hi all,

Suspecting that someone here knows the answer immediately, I thought I’d ask.

If you do not know the answer, please don’t spend any time investigating: I’ll 
do that later today and update everyone whether or not I find an answer.

Our security team advise that “Certain versions of the Java Development Kit 
remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
this?

Thank you,
Tim

--

Tim Scott

OCLC · Senior Software Engineer / Technical Product Manager

CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK


cc: Product Management file


OCLC COVID-19 resources: 
oc.lc/covid19-service-info
[COVID-19: We’re in this 
together]