Raytion’s Response to Log4Shell (CVE-2021-44228)

December 15, 2021 rt_admin

Raytion Enterprise Search Connectors

Raytion Enterprise Search Connectors are not affected by CVE-2021-44228 since they are not using log4j2.

All Raytion Enterprise Search Connectors use log4j 1, which is not vulnerable to CVE-2021-44228. We have done additional analysis and found that a similar vulnerability can only be exploited if all of the following non-default configurations are in place:

  • The JMS Appender is configured in the application’s Log4j configuration
  • The javax.jms API is included in the application’s CLASSPATH
  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application’s configuration, or by trusted code setting a property at runtime

A few other CVEs exist for log4j 1; none of them affects our Raytion Enterprise Search Connectors:

  • CVE-2019-17571 does not affect Raytion Enterprise Search Connectors since it requires a specific, non-default configuration.
  • CVE-2020-9488 does not affect Raytion Enterprise Search Connectors since it requires a specific, non-default configuration.

It may be worthwhile to check whether you have adapted the connector configuration.

Please note: Raytion does not deliver any Raytion Enterprise Search Connector product with those non-default settings.


Raytion Search & Retrieval Interface (SRI)

Raytion SRI versions 6.7+ and 7.x are affected by CVE-2021-44228, since SRI uses an affected version of log4j2.

Quick fix:

Linux and Windows command line:

Add -Dlog4j2.formatMsgNoLookups=true to JVM_PARAMS in ext/setenv.(sh|bat)

Windows Service:

Add -Dlog4j2.formatMsgNoLookups=true as a procrun parameter

Resolution:

  • Upgrade to log4j 2.17 manually:
    • Place the log4j-1.2-api, log4j-api, log4j-core, log4j-slf4j-impl and log4j-jul JARs of version 2.17 in ext/lib.
    • Stop SRI
    • Remove the old, affected log4j-1.2-api, log4j-api, log4j-core, log4j-slf4j-impl and log4j-jul JARs from the folder app/WEB-INF/lib
    • Start SRI
  • Future SRI releases will include log4j 2.17 at minimum.
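As an added example, not part of Raytion's advisory or products, the following POSIX shell audit checks an SRI installation against both the quick fix and the resolution above: it lists every log4j JAR in ext/lib and app/WEB-INF/lib, flags any log4j 2 JAR older than 2.17, and reports whether ext/setenv.sh carries -Dlog4j2.formatMsgNoLookups=true. The JAR file naming scheme (log4j-<module>-<version>.jar) and the sample tree it builds when run without an argument are assumptions.

```shell
#!/bin/sh
# Added example, not Raytion's own tooling: audit an SRI install for log4j 2 JARs
# older than 2.17 and for the quick-fix JVM flag. Folder names come from the
# advisory; the JAR naming scheme log4j-<module>-<version>.jar is an assumption.

# Print "<path> <version>" for every log4j-*.jar in the two library folders.
list_log4j_jars() {
  for dir in "$1/ext/lib" "$1/app/WEB-INF/lib"; do
    [ -d "$dir" ] || continue
    for jar in "$dir"/log4j-*.jar; do
      [ -f "$jar" ] || continue
      # version = trailing numeric token, e.g. log4j-core-2.14.1 -> 2.14.1
      ver=$(basename "$jar" .jar | sed 's/.*-\([0-9][0-9.]*\)$/\1/')
      printf '%s %s\n' "$jar" "$ver"
    done
  done
}
# Print each log4j 2.x JAR with a minor version below 17 (log4j 1.x is skipped).
outdated_log4j_jars() {
  list_log4j_jars "$1" | while read -r jar ver; do
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" = 2 ] && [ "$minor" -lt 17 ]; then printf '%s\n' "$jar"; fi
  done
}
# Succeed only when no affected log4j 2 JAR remains anywhere in the install.
log4j_upgrade_complete() { [ -z "$(outdated_log4j_jars "$1")" ]; }
# Succeed when ext/setenv.sh carries the advisory's quick-fix JVM flag.
quickfix_flag_set() {
  grep -q -- '-Dlog4j2\.formatMsgNoLookups=true' "$1/ext/setenv.sh" 2>/dev/null
}
# Constructed sample tree (empty placeholder JARs, not real artifacts): the 2.17.0
# JARs are already in ext/lib, but the affected 2.14.1 JARs are still in
# app/WEB-INF/lib, i.e. the resolution steps were only half applied.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/ext/lib" "$root/app/WEB-INF/lib"
  for m in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl log4j-jul; do
    : > "$root/ext/lib/$m-2.17.0.jar"
    : > "$root/app/WEB-INF/lib/$m-2.14.1.jar"
  done
  printf 'JVM_PARAMS="-Xmx2g"\n' > "$root/ext/setenv.sh"
  printf '%s\n' "$root"
}

root=${1:-$(make_sample_tree)}   # pass the real SRI root as the first argument
outdated_log4j_jars "$root"
log4j_upgrade_complete "$root" && echo "upgrade complete" || echo "affected JARs remain"
quickfix_flag_set "$root" && echo "quick-fix flag set" || echo "quick-fix flag missing"
```

Run it with the SRI installation directory as its only argument; with no argument it audits the constructed sample tree, which reports five affected JARs and a missing quick-fix flag.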

The following additional CVE in log4j2 does not affect Raytion SRI:

CVE-2021-45046: the Thread Context Map is not used by SRI; the pattern is not used and not exploitable. Other Context Lookups are not part of the default SRI log patterns.


Raytion Search Experience Manager (SXM)

Please refer to “Raytion Search & Retrieval Interface”.


Raytion Custom Security Manager (CSM)

Raytion CSM version 7.x is not vulnerable to CVE-2021-44228 since the affected log4j2 library is not part of this product.

Raytion CSM prior to version 7.x is also not vulnerable to CVE-2021-44228, as these versions use log4j version 1. We have done additional analysis and found that a similar vulnerability can only be exploited if all of the following non-default configurations are in place:

  • The JMS Appender is configured in the application’s Log4j configuration
  • The javax.jms API is included in the application’s CLASSPATH
  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application’s configuration, or by trusted code setting a property at runtime

A few other CVEs exist for log4j 1; none of them affects our Raytion CSM:

  • CVE-2019-17571 does not affect Raytion Enterprise Search Connectors since it requires a specific, non-default configuration.
  • CVE-2020-9488 does not affect Raytion Enterprise Search Connectors since it requires a specific, non-default configuration.

It may be worthwhile to check whether you have adapted the connector configuration.

Raytion does not deliver any Raytion CSM product with those non-default settings.


Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 exploitation

The following references may be of further help to you and your IT teams in making sure you are protected against attacks exploiting CVE-2021-44228.


Update 2021-12-14, 9pm CET, via announce@apache.org: log4j 2.16.0 fixes another, moderate CVE present in previous versions. Refer to https://logging.apache.org/log4j/2.x/security.html