Log4j 2 vulnerability (CVE-2021-44228)

14 Dec 2021

Dear customer,

You probably have heard about the vulnerability issue that researches have found in an Apache log4j library. Apache Log4j is an open source framework that is used to keep track of activity within an application. An application using log4j is vulnerable at the moment a malicious HTTP call from the outside world lands unchanged and is logged in this application using an older version of log4j. The vulnerability has been reported with CVE-2021-44228.

Log4j 2 vulnerability (CVE-2021-44228)

The NCSC is advising organizations to take steps to mitigate the Apache Log4j 2 vulnerability.

More details can be found here: Alert: Active scanning for Apache Log4j 2 vulnerability... - NCSC.GOV.UK

Human Inference is actively responding to this vulnerability.

Log4j is used on several locations:

  • In DataPlatform for logging the java DQ components (namei18n, addressi18n, MTI)
  • In Apache Tomcat (Used for deployment of DataPlatform SOAP connector, MTI, CAS, etc…)
  • In DataHub (where using Elasticsearch and CAS)

Log4j in DataPlatform

In DataPlatform we are using log4j as an internal logging mechanism. No HTTP traffic can reach the mechanism from outside through the protocol that is used within DataPlatform. Even though there is no vulnerability here we decided to update the libraries in an upcoming release anyway.

Log4j in Apache Tomcat

Apache Tomcat does not use log4j, while applications deployed in Apache Tomcat might use log4j within. Most customers will not expose their Tomcat server to the outside world, but in case this is done, log4j might be abused. The vulnerability abuses the so called “Message Lookups”.

Despite DataPlatform does not use this functionality anywhere we strongly advise to switch off the possibility anyway.

Several ways to mitigate the vulnerability are described on internet. We advise to do this by passing the following parameters at the startup of Apache Tomcat to true:

  • log4j.formatMsgNoLookups
  • log4j2.formatMsgNoLookups

This is how these parameters can be passed:

  • -Dlog4j.formatMsgNoLookups=true
  • -Dlog4j2.formatMsgNoLookups=true

Where and how to pass this parameter highly depends on your specific Tomcat installation.

Log4j in DataHub

The core of DataHub makes no use of the Log4j library and therefore is not vulnerable for the remote code execution.

For the instance of Apache Tomcat that runs both DataHub and CAS, we advise to use the same settings as described above. This, because DataHub makes use of Apereo CAS for Authentication. Apereo CAS makes use of Log4j.

Log4j in Elasticsearch

DataHub makes use of Elasticsearch and Elasticsearch itself is using log4j within. To prevent the usage of “Message Lookups” we do advise to use the same settings as advised for Apache Tomcat:

For more information we refer to this site:

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Log4j2 vulnerabily updates (January 5, 2022)

Since our first report on December the 14th new security vulnerabilities in log4j2 have been reported and new versions of log4j have been released. (Log4j 2.16.0, 2.17.0, 2.17.1…)

Latest updates on log4j2 can be found on the apache.org website: Log4j – Apache Log4j 2

Although in most situations having a log4j within our product is no vulnerability risk at all, we decided to keep our software up to date with new releases of log4j.

For both DataHub and DataPlatform new releases with the latest updates are available.

For all environments we still advise to disable message lookups in both Apache Tomcat and in Elasticsearch (as described above)

For more information about latest software releases or vulnerability risks on your specific DataHub or DataPlatform environment, please contact support@humaninference.com.