Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution
-
On December 9th, 2021, an exploit was discovered in the widely used Apache Log4j logging libraries. This bug exposes a class of security vulnerability known as a Remote Code Execution Vulnerability. This package is widely used in Java-based enterprise applications and cloud services across verticals and institutions worldwide. Mango also uses this package.
Following the publication of this information by Apache, Radix has produced two high-priority security updates:
• 4.2.4, an update to the 4.2 series of Mango.
• 3.7.9, an update to the legacy 3.7 series of Mango.
All customers, specifically those with public IP-facing connections, should immediately upgrade to mitigate the risk of this exploit.
For customers that are unable for technical reasons to upgrade to these newest versions, there is a manual alternative that can be followed below, depending on your version.
Further public information can be found on this exploit here: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Version: Mango 4.0+
Linux Environments
If you are starting Mango via start-mango.sh or our supplied systemd mango.service file:
- If you do not have start-options.sh in your data directory, copy start-options.sh from the Mango installation directory to your data directory
- Edit start-options.sh and add the following line:
  MA_JAVA_OPTS="$MA_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
- Restart Mango
Verify that Mango loaded your start-options.sh file and the java process was started with the -Dlog4j2.formatMsgNoLookups=true option:
ps aux | grep java
If you are not using Mango's supplied start-mango.sh or mango.service file to start Mango:
- Set the Java system property log4j2.formatMsgNoLookups=true (this is done by passing the argument -Dlog4j2.formatMsgNoLookups=true to java)
- Restart Mango
Windows Environments
- Ensure the java property log4j2.formatMsgNoLookups is set to true. This is done by adding -Dlog4j2.formatMsgNoLookups=true to the Java command that starts Mango.
- Restart Mango
Version: Mango 3.6-3.7
Linux Environments
The fix is dependent on how Mango is being started. By default Mango will use the ma.sh start command. If you are using this command:
- Add an extension to the bin/ext-enabled folder that is an executable file with this content:
  #!/bin/bash
  case "$1" in
      init)
          # Disable lookups during message formatting
          JAVAOPTS="$JAVAOPTS -Dlog4j2.formatMsgNoLookups=true"
          ;;
  esac
- Restart Mango
Windows Environments
- Ensure the java property log4j2.formatMsgNoLookups is set to true. This is done by adding -Dlog4j2.formatMsgNoLookups=true to the Java command that starts Mango.
- Restart Mango
If you have questions please contact Radix IOT customer support at support@radixiot.com
-
Additionally, the following test can be performed at a command prompt to test if the instance of Mango is vulnerable:
Execute the following:
curl 'https://mango.example.com:8443/${java:runtime}' --data ""
Then check the ma.log file or stdout.
If the instance is vulnerable you will see the following:
WARN 2021-12-10T15:50:05,553 (com.serotonin.m2m2.web.mvc.spring.security.MangoAccessDeniedHandler.handle:65)[MangoAccessDeniedHandler] - Access denied to resource '/OpenJDK Runtime Environment (build 17+35-LTS) from Azul Systems, Inc.', for user '', IP address '127.0.0.1'
If the instance is already patched and not vulnerable you will see the following:
WARN 2021-12-10T15:53:31,895 (com.serotonin.m2m2.web.mvc.spring.security.MangoAccessDeniedHandler.handle:65)[MangoAccessDeniedHandler] - Access denied to resource '/${java:runtime}', for user '', IP address '127.0.0.1'
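The following is an added shell example, not Radix's or Mango's own code, that turns the checks in the post above into reusable functions: whether a running JVM carries -Dlog4j2.formatMsgNoLookups=true, which log4j-core version is shipped under the Mango installation (the install path /opt/mango and the jar naming log4j-core-<version>.jar are assumptions), and how to classify the ma.log line produced by the ${java:runtime} probe. The two sample log lines are the ones quoted in the post. One caveat a practitioner should keep in mind: log4j2.formatMsgNoLookups only has an effect on Log4j 2.10 and later, and Apache has since documented that it does not close every path (CVE-2021-45046, discussed in the replies below), so treat the property as a stopgap until the upgrade is done.

```sh
#!/bin/sh
# Added example, not Radix/Mango code. Offline helpers for the checks in the post above.
# Assumptions: Mango lives under /opt/mango (override via argument) and Log4j ships as
# lib/log4j-core-<version>.jar; the log lines below are the post's own sample output.

# Lowest log4j-core release the thread treats as fixed (CVE-2021-44228 and CVE-2021-45046).
FIXED_LOG4J="2.16.0"

# Sample MangoAccessDeniedHandler lines quoted in the post (copied, not invented).
VULNERABLE_SAMPLE="WARN 2021-12-10T15:50:05,553 (com.serotonin.m2m2.web.mvc.spring.security.MangoAccessDeniedHandler.handle:65)[MangoAccessDeniedHandler] - Access denied to resource '/OpenJDK Runtime Environment (build 17+35-LTS) from Azul Systems, Inc.', for user '', IP address '127.0.0.1'"
PATCHED_SAMPLE="WARN 2021-12-10T15:53:31,895 (com.serotonin.m2m2.web.mvc.spring.security.MangoAccessDeniedHandler.handle:65)[MangoAccessDeniedHandler] - Access denied to resource '/\${java:runtime}', for user '', IP address '127.0.0.1'"

# jvm_has_no_lookups CMDLINE: 0 if the java command line carries the mitigation flag.
jvm_has_no_lookups() {
    case "$1" in
        *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;;
        *) return 1 ;;
    esac
}

# log4j_core_version PATH: print "2.14.1" for .../log4j-core-2.14.1.jar, nothing otherwise.
log4j_core_version() {
    printf '%s\n' "$1" | sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_lt A B: 0 if dotted version A sorts strictly before B (numeric per component,
# so 2.9.1 correctly sorts before 2.16.0).
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# log4j_status PATH: "vulnerable <ver>", "fixed <ver>" or "unknown" for a jar path.
log4j_status() {
    ver=$(log4j_core_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_LOG4J"; then
        echo "vulnerable $ver"
    else
        echo "fixed $ver"
    fi
}

# classify_probe_line LOGLINE: after requesting /${java:runtime}, a patched instance logs
# the literal text while a vulnerable one logs the expanded JVM description.
classify_probe_line() {
    case "$1" in
        *"Access denied to resource '/\${java:runtime}'"*) echo "patched" ;;
        *"Access denied to resource '/"*"Runtime Environment"*) echo "vulnerable" ;;
        *) echo "inconclusive" ;;
    esac
}

# run_probe BASE_URL LOGFILE: send the post's harmless lookup (single quotes stop the shell
# from expanding ${...}; --data "" keeps it a POST) and classify the newest matching log line.
run_probe() {
    curl -s -o /dev/null "$1/"'${java:runtime}' --data ""
    sleep 1
    classify_probe_line "$(grep 'Access denied to resource' "$2" | tail -n 1)"
}

# audit_host [MA_HOME]: inspect running JVMs and the shipped log4j-core jars on this machine.
audit_host() {
    ma_home=${1:-/opt/mango}
    ps -eo args= | grep '[j]ava' | while IFS= read -r cmd; do
        if jvm_has_no_lookups "$cmd"; then
            echo "JVM mitigation flag present: yes"
        else
            echo "JVM mitigation flag present: NO  ($cmd)"
        fi
    done
    find "$ma_home" -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        echo "$jar: $(log4j_status "$jar")"
    done
}

# Demo on the sample lines only (no network, no Mango install needed).
echo "sample 1 -> $(classify_probe_line "$VULNERABLE_SAMPLE")"   # vulnerable
echo "sample 2 -> $(classify_probe_line "$PATCHED_SAMPLE")"      # patched
```

On a Mango host, `audit_host /path/to/mango` reports both the JVM flag and the jar version, and `run_probe https://mango.example.com:8443 /path/to/ma.log` repeats the post's curl test and reads the verdict from the log. The jar-version check matters because the JVM property alone does not tell you whether the bundled Log4j is one of the releases Apache patched.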
-
@mumcs01 Thank you for the post!
Any timeline on updating to log4j 2.16?
Apache put out a bulletin [1] regarding there still being pathways to exploit that 2.15 doesn't resolve.
[1] https://logging.apache.org/log4j/2.x/security.html
-
@dhckris said in Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution:
@mumcs01 Thank you for the post!
Any timeline on updating to log4j 2.16?
Apache put out a bulletin [1] regarding there still being pathways to exploit that 2.15 doesn't resolve.
[1] https://logging.apache.org/log4j/2.x/security.html
Mango by default would not be affected by CVE-2021-45046 as we do not use the patterns mentioned in our default logging configuration. However since users have the ability to customize their Log4J configurations we will schedule another release to upgrade to Log4J 2.16.0. Better safe than sorry!
-
Mango 4.2.5 has been released
Update log4j2 to version 2.16.0, fix for CVE-2021-45046
-
@jared-wiltshire Awesome! Thanks for the super speedy update.
-
Mango 3.7.11 has been released
Update log4j2 to version 2.16.0, fix for CVE-2021-45046
-
Update: There is a 3rd vulnerability reported in log4j - CVE-2021-45105
Mango is not affected by this particular vulnerability as
- Mango does not use a context lookup in any of the patterns in the supplied log4j2.xml file
- Our codebase does not make use of the org.apache.logging.log4j.ThreadContext class
For more information, please see https://logging.apache.org/log4j/2.x/security.html
Mango will update to Log4J version 2.17.0 with our next release, however we do not believe this new CVE warrants an immediate patch.
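An added check, not part of the thread or Mango's code, for the two replies above that rest on what the log4j2.xml pattern layout contains (the CVE-2021-45046 reply and the CVE-2021-45105 update): it scans a config for the context lookups and thread-context-map converters that Apache's security page linked in the thread names for those CVEs. The two sample configs are constructed for the example and written to temporary files; they are illustrative, not Mango's shipped log4j2.xml.

```sh
#!/bin/sh
# Added example, not Radix/Mango code. Scans a log4j2.xml for the pattern-layout constructs
# that Apache's advisories tie to CVE-2021-45046 (Log4j 2.15.0) and CVE-2021-45105
# (Log4j <= 2.16.0), which matters because users can customise Mango's logging config.

# report_hits LABEL ERE FILE: print "LABEL: <line-no>:<text>" per match; 0 if anything matched.
report_hits() {
    hits=$(grep -nE "$2" "$3" || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | while IFS= read -r hit; do
        printf '%s: %s\n' "$1" "$hit"
    done
}

# scan_log4j_config FILE: report risky constructs; return 1 if any were found, 0 if clean.
scan_log4j_config() {
    found=0
    # Context Lookup in a layout pattern (${ctx:...} or $${ctx:...}): the trigger named for
    # both CVE-2021-45046 and the recursive-lookup DoS in CVE-2021-45105.
    report_hits "context-lookup" '[$][{]ctx:' "$1" && found=1
    # Thread Context Map converters (%X, %mdc, %MDC): also listed for CVE-2021-45046.
    report_hits "thread-context-map" '%(X|mdc|MDC)([{ ]|$)' "$1" && found=1
    # A JNDI lookup written into the config itself has no business being there at all.
    report_hits "jndi-lookup" '[$][{]jndi:' "$1" && found=1
    return "$found"
}

# Two constructed configs: a conservative pattern in the style of a default, and one a user
# might add to put MDC data into the log line.
SAFE_CFG=$(mktemp)
UNSAFE_CFG=$(mktemp)
trap 'rm -f "$SAFE_CFG" "$UNSAFE_CFG"' EXIT
cat >"$SAFE_CFG" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%-5p %d{ISO8601} (%C.%M:%L) - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="STDOUT"/></Root></Loggers>
</Configuration>
EOF
cat >"$UNSAFE_CFG" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%-5p %d{ISO8601} user=%X{user} login=$${ctx:loginId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="STDOUT"/></Root></Loggers>
</Configuration>
EOF

for cfg in "$SAFE_CFG" "$UNSAFE_CFG"; do
    if scan_log4j_config "$cfg"; then
        echo "$cfg: no risky pattern-layout constructs"
    else
        echo "$cfg: REVIEW - check Apache's advisory for the Log4j release that fixes each construct"
    fi
done
```

Run it against the log4j2.xml actually loaded by your instance rather than the shipped copy; the point of the replies above is that the default file is clean but a customised one may not be, and the scanner's exit status (0 clean, 1 findings) makes it easy to drop into a deployment check.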
-