Is netxms affected by CVE-2021-44228?

Started by normalcy, December 10, 2021, 11:45:05 PM


normalcy

Hi, is netxms affected by log4j CVE-2021-44228?

Running a search on a debian VM with netxms installed shows:

# find / -name '*log4j*'
/var/lib/dpkg/info/liblog4j1.2-java.md5sums
/var/lib/dpkg/info/liblog4j1.2-java.list
/usr/share/java/slf4j-log4j12-1.7.22.jar
/usr/share/java/log4j-1.2-1.2.17.jar
/usr/share/java/log4j-over-slf4j.jar
/usr/share/java/ant-apache-log4j-1.9.9.jar
/usr/share/java/slf4j-log4j12.jar
/usr/share/java/log4j-1.2.jar
/usr/share/java/log4j-over-slf4j-1.7.22.jar
/usr/share/java/ant-apache-log4j.jar
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/debian/ant-apache-log4j-debian.pom
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/debian/ant-apache-log4j-debian.jar
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.9.9/ant-apache-log4j-1.9.9.jar
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.9.9/ant-apache-log4j-1.9.9.pom
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/1.7.22/log4j-over-slf4j-1.7.22.pom
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/1.7.22/log4j-over-slf4j-1.7.22.jar
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/debian/log4j-over-slf4j-debian.jar
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/debian/log4j-over-slf4j-debian.pom
/usr/share/maven-repo/org/slf4j/slf4j-log4j12
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/1.7.22/slf4j-log4j12-1.7.22.jar
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/1.7.22/slf4j-log4j12-1.7.22.pom
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/debian/slf4j-log4j12-debian.jar
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/debian/slf4j-log4j12-debian.pom
/usr/share/maven-repo/log4j
/usr/share/maven-repo/log4j/log4j
/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.pom
/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.jar
/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.pom
/usr/share/doc/liblog4j1.2-java
/usr/share/ant/lib/ant-apache-log4j.jar
/usr/share/jetty9/resources/log4j.properties


I've read online that some say log4j ver. 1.x is not vulnerable to the JNDI issue, but I can't confirm that myself.  Is netxms affected, do you think?  Or are these jars brought in with openjdk/jetty only and not used?

normalcy

This github repo has hashes of vulnerable versions of the library, and the link to the apache repo suggests ver 1.x might also be vulnerable.

I'm guessing installing jetty for the web console is what brings in log4j dependencies?

Alex Kirhenshtein

Hello.

NetXMS does not use log4j (nor does jetty9).

A test which shows that on a clean system there are no log4j jars:

❯ docker run --rm -it debian:11 bash
root@f7dddcf8abfe:/# apt-get update
...
root@f7dddcf8abfe:/# apt-get install -y curl
...
root@f7dddcf8abfe:/# curl https://packages.netxms.org/install | sh
...
root@f7dddcf8abfe:/# apt-get install -fy
...
root@f7dddcf8abfe:/# apt-get update
...
root@f7dddcf8abfe:/# apt-get install -y netxms-\* jetty9
...
root@f7dddcf8abfe:/# find / -name \*log4j\*
/usr/share/jetty9/modules/logging-log4j.mod
/usr/share/jetty9/modules/logging-log4j2.mod
/usr/share/jetty9/modules/log4j2-impl.mod
/usr/share/jetty9/modules/log4j-impl
/usr/share/jetty9/modules/log4j-impl/resources/log4j.xml
/usr/share/jetty9/modules/slf4j-log4j2.mod
/usr/share/jetty9/modules/log4j2-api.mod
/usr/share/jetty9/modules/log4j2-slf4j.mod
/usr/share/jetty9/modules/log4j2-impl
/usr/share/jetty9/modules/log4j2-impl/resources/log4j2.xml
/usr/share/jetty9/modules/log4j-impl.mod
/usr/share/jetty9/modules/slf4j-log4j.mod
root@f7dddcf8abfe:/#

normalcy

Thanks Alex, I'm assuming I've got jetty on that VM from testing out the nxmc web console in the past.  Seems the 1.x series on my VM is not vulnerable to this CVE in any case.

lweidig

A recent scan of our NetXMS VM shows the following:

[WARNING] /usr/lib/x86_64-linux-gnu/netxms/java/jython-standalone-2.7.2.jar contains log4j files

Curious where this is all used and what the solution might be if this is an issue.  We are running the latest version of NetXMS and also do run the web console.  Thanks!

Alex Kirhenshtein

Jython is used by nxshell.

However, the only mentions of log4j I've found in jython are adapters to different logging frameworks (in org.python.netty.util.internal.logging), not the log4j runtime itself.

Quote from: lweidig on December 15, 2021, 03:42:23 PM
A recent scan of our NetXMS VM shows the following:

[WARNING] /usr/lib/x86_64-linux-gnu/netxms/java/jython-standalone-2.7.2.jar contains log4j files

Curious where this is all used and what the solution might be if this is an issue.  We are running the latest version of NetXMS and also do run the web console.  Thanks!

You can verify yourself that there is no JndiLookup (which is the affected piece of log4j2):


❯ unzip -t ~/.m2/repository/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar | grep JndiLookup
❯ echo $status
1

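
The two checks used in this thread, a `find` on file names and an `unzip -t ... | grep JndiLookup` on a single jar, generalise into a scanner that walks a directory, opens every archive, recurses into nested jars (a war bundling its libraries) and reports what each archive actually contains. The script below is an added example written for this page; it is not NetXMS or Jython code. The sample jars at the bottom are constructed in memory and model the cases discussed here: adapter classes merely named after log4j (as in jython), a log4j 1.x jar, and a log4j 2.x core that carries JndiLookup.class together with its Maven pom.properties. A JNDILOOKUP_PRESENT result is a prompt to compare the reported version with the Apache advisory, not a proof of exposure on its own, since later 2.x releases still ship the class but disable JNDI lookups by default.

```python
"""Added example (not NetXMS or jython code): classify jars by what they contain,
recursing into nested archives, instead of matching "log4j" in file names."""
import io
import os
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/"
LOG4J1_PKG = "org/apache/log4j/"
# Standard Maven metadata path inside log4j-core jars; carries the version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIX = re.compile(r"\.(jar|war|ear|zip)$", re.IGNORECASE)
RANKS = ["CLEAN", "NAME_ONLY", "LOG4J1_ONLY", "LOG4J2_NO_JNDILOOKUP", "JNDILOOKUP_PRESENT"]


def scan_jar_bytes(data, label, depth=0, max_depth=4):
    """Describe one archive; nested archives are scanned recursively."""
    result = {
        "archive": label,
        "jndi_lookup": False,    # JndiLookup.class present: compare version with advisory
        "log4j2_core": False,    # log4j 2.x core classes present
        "log4j2_version": None,  # from pom.properties when present
        "log4j1": False,         # log4j 1.x runtime classes present (no JndiLookup)
        "name_mentions": [],     # entries whose *name* contains "log4j" (adapters etc.)
        "nested": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                result["jndi_lookup"] = True
            if name.startswith(LOG4J2_CORE):
                result["log4j2_core"] = True
            if name.startswith(LOG4J1_PKG) and name.endswith(".class"):
                result["log4j1"] = True
            if "log4j" in name.lower():
                result["name_mentions"].append(name)
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        result["log4j2_version"] = line.split("=", 1)[1].strip()
            if depth < max_depth and ARCHIVE_SUFFIX.search(name):
                child = scan_jar_bytes(zf.read(name), f"{label}!{name}", depth + 1, max_depth)
                result["nested"].append(child)
    return result


def verdict(result):
    """Collapse a result and its nested archives into the worst RANKS label."""
    if result["jndi_lookup"]:
        own = "JNDILOOKUP_PRESENT"
    elif result["log4j2_core"]:
        own = "LOG4J2_NO_JNDILOOKUP"
    elif result["log4j1"]:
        own = "LOG4J1_ONLY"
    elif result["name_mentions"]:
        own = "NAME_ONLY"
    else:
        own = "CLEAN"
    return max([own] + [verdict(c) for c in result["nested"]], key=RANKS.index)


def scan_tree(root):
    """Scan every archive under root (e.g. /usr/share/java); return {path: verdict}."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if ARCHIVE_SUFFIX.search(f):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    out[path] = verdict(scan_jar_bytes(fh.read(), path))
    return out


def build_jar(entries):
    """Build an in-memory zip from {entry_name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real jars) modelling the cases from the thread.
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; bodies are irrelevant here
SAMPLE_JYTHON_LIKE = build_jar({  # adapters named after log4j, no log4j runtime
    "org/python/netty/util/internal/logging/Log4JLogger.class": FAKE_CLASS,
    "org/python/netty/util/internal/logging/Log4J2Logger.class": FAKE_CLASS,
})
SAMPLE_LOG4J1 = build_jar({"org/apache/log4j/Logger.class": FAKE_CLASS})
SAMPLE_LOG4J2_WITH_JNDI = build_jar({
    "org/apache/logging/log4j/core/Logger.class": FAKE_CLASS,
    JNDI_LOOKUP: FAKE_CLASS,
    POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n",
})
SAMPLE_WAR_NESTED = build_jar({"WEB-INF/lib/log4j-core.jar": SAMPLE_LOG4J2_WITH_JNDI})
```

`scan_tree("/usr/share/java")` and `scan_tree("/usr/lib/x86_64-linux-gnu/netxms/java")` cover the two locations mentioned in this thread. A log4j 1.2.x jar classifies as LOG4J1_ONLY, and a jar that only contains logging adapters with "log4j" in their class names classifies as NAME_ONLY, which is the distinction the filename-based scanner quoted above does not make.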
lweidig

Excellent!  I suspected that was the case as well and appreciate you confirming this.