JBoss AMQ 7 and the Log4j vulnerability CVE-2021-44228

A search of a JBoss AMQ 7 broker instance turns up one Log4j jar, at the following path:

$AMQ7_BROKER_HOME/bin/$BROKER_INSTANCE/tmp/webapps/jetty-localhost-8161-hawtio_war-_console-any-1234567890123456789/webapp/WEB-INF/lib/log4j-1.2.17.jar

AMQ 7.x brokers are not affected by CVE-2021-44228. The AMQ 7 core broker components do not use Log4j at all. The integrated Hawtio console does bundle Log4j, but it is version 1.x (1.2.17), which is not affected by this vulnerability, as the jar's manifest shows:

Name: org.apache.log4j
Implementation-Vendor: "Apache Software Foundation"
Implementation-Title: log4j
Implementation-Version: 1.2.17
Build-Jdk: 1.6.0_23
Bundle-Version: 1.2.17
Bundle-Description: Apache Log4j 1.2
Bundle-DocURL: http://logging.apache.org/log4j/1.2

Log4j 1.x releases are affected by a different issue, CVE-2021-4104, but that one is only reachable through JMSAppender; it has no impact as long as you do not configure JMSAppender in Log4j 1.x.

CVE-2021-44228 itself only affects Log4j versions between 2.0 and 2.14.1. Exploiting the flaw requires:

  • A remotely accessible endpoint using any protocol (HTTP, TCP, etc.) that lets an attacker send arbitrary data,
  • A log statement in that endpoint that logs the attacker-controlled data.

Mitigation

For Log4j versions >= 2.10:
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

For Log4j versions >= 2.7 and <= 2.14.1:
modify every PatternLayout pattern to specify the message converter as %m{nolookups} instead of just %m.

For Log4j versions >= 2.0-beta9 and <= 2.10.0:
remove the JndiLookup class from the classpath, for example:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Apache has since withdrawn the formatMsgNoLookups and %m{nolookups} mitigations as insufficient in some configurations; where an upgrade of log4j-core is available, prefer it over these workarounds.
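As an added example (not code from the page or from Red Hat), a POSIX shell triage script that ties the points above together: it classifies each Log4j jar found in the Hawtio WEB-INF/lib directory by version, checks whether a log4j-core jar still contains JndiLookup.class, and checks a Log4j 1.x config for JMSAppender. It assumes the lib directory path given earlier is passed as its argument; the 2.12.2 / 2.3.1 backport releases it treats as fixed are not mentioned on the page.

```shell
#!/bin/sh
# Added example, not code from the page or from Red Hat: triage the Log4j jars in
# an AMQ 7 broker's Hawtio WEB-INF/lib directory. Usage: sh log4j_triage.sh LIB_DIR
# Classify a log4j jar by the version in its filename. Prints one of:
#   log4j1      Log4j 1.x: not affected by CVE-2021-44228
#   vulnerable  log4j-core 2.0-beta9 .. 2.14.1: affected by CVE-2021-44228
#   fixed       log4j-core 2.15.0+, or the 2.12.2 / 2.3.1 backports (assumed, not on the page)
#   unknown     any other jar (e.g. log4j-api, which does not contain JndiLookup)
classify_log4j_jar() {
  name=$(basename "$1")
  case "$name" in
    log4j-1.*.jar)      echo log4j1;  return 0 ;;
    log4j-core-2.*.jar) ;;
    *)                  echo unknown; return 0 ;;
  esac
  ver=${name#log4j-core-}; ver=${ver%.jar}
  # "2.0-beta9" -> minor 0 / patch 0; "2.14.1" -> minor 14 / patch 1
  minor=$(printf '%s\n' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
  patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
  minor=${minor:-0}; patch=${patch:-0}
  if [ "$minor" -ge 15 ] \
     || { [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; } \
     || { [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; }; then
    echo fixed
  else
    echo vulnerable
  fi
}
# Exit 0 if the jar still contains JndiLookup.class (class-removal mitigation not applied).
jndi_lookup_present() {
  unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}
# Log4j 1.x is only exposed to CVE-2021-4104 when a config wires up JMSAppender.
jmsappender_configured() {
  grep -q 'org\.apache\.log4j\.net\.JMSAppender' "$1"
}
scan_lib_dir() {
  for jar in "$1"/log4j*.jar; do
    [ -e "$jar" ] || continue          # unexpanded glob: no log4j jars here
    status=$(classify_log4j_jar "$jar")
    if [ "$status" = vulnerable ]; then
      if jndi_lookup_present "$jar"; then status="vulnerable, JndiLookup.class present"
      else status="vulnerable range, JndiLookup.class removed"; fi
    fi
    echo "$jar: $status"
  done
}
if [ $# -gt 0 ]; then scan_lib_dir "$1"; fi
```

Run it against the broker instance's lib directory; a log4j1 result means the remaining check is whether any Log4j 1.x configuration on the host references JMSAppender.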
