Java / Log4J Vulnerability – Updated

Log4j vulnerability [Update]

This vulnerability notification has been updated on December 29 2021 to include a 4th issue affecting Apache Log4J. Please read below for new remediation strategies.

Log4j vulnerability in Servoy products

Servoy servers make use of Apache Log4j, a widely used Java logging library. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability which when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The original vulnerability found is regarded as “critical”: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

The second/related vulnerability is regarded as “critical”: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

The third vulnerability is regarded as “high”: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

The fourth vulnerability is regarded as “unknown”: https://nvd.nist.gov/vuln/detail/CVE-2021-44832

What is Servoy Doing in Response?

Servoy Distributions

Servoy is closely monitoring this vulnerability and has already applied patches for the following releases by providing log4j 2.17.1.

• v2022.03 (Nightly)
• v2021.12 RCx (Nightly)
• v2021.03.x LTS
• v2020.03.x LTS

These patches may be obtained from our build server starting December 30 2021.

Servoy Cloud

As of December 30, ServoyCloud production instances will be automatically secured against this threat, pending a rebuild. Servoy cloud pipeline customers can also begin building with the patched versions. The patches are applied at build-time, so EVERY version will be auto-patched if built in the ServoyCloud Pipeline.

How can this be remediated w/o updating Servoy Version updates ?

NOTE: The previous remediation strategy, of applying a Java Runtime Argument ( -Dlog4j2.formatMsgNoLookups=true ) is rendered incomplete by the introduction of the second vulnerability.

To remediate the vulnerability, it is recommended that you replace the log4j jar dependencies in your deployed applications with the latest patch from Apache.

Download the log4j patches from Apache

https://logging.apache.org/log4j/2.x/download.html

Unzip the distribution and copy/extract the following jars into a directory

• log4j-api-2.17.1.jar
• log4j-core-2.17.1.jar
• log4j-slf4j 18-impl-2.17.1.jar *NOTE: There is another jar by a similar name. Choose this one, having “18” in the name (Or the previous one from a prior patch)
• log4j-web-2.17.1.jar

Updating a .war file

1. Unzip the war file using your favorite utility and navigate into <war-directory-name>/WEB-INF/lib
2. Delete the 4 log4j-* files NOTE: Be sure to really delete. Do not just copy the new files overtop.
3. Copy in the 4 jar files obtained from Apache.
4. Zip the directory back up and make sure it has a .war extension again.
5. Re-deploy the war file to your servers.

Updating Servoy Developer

While Servoy Developer itself is not vulnerable. The log4j dependencies will be exported when generating .war files from the IDE.

1. Shutdown developer and navigate to the <servoy-install>/application_server/lib directory.
2. Delete the 4 log4j-* files NOTE: Be sure to really delete. Do not just copy the new files overtop.
3. Copy in the 4 jar files obtained from Apache.
4. Restart Developer

Updating Classic Server

Servoy Application Server from legacy versions can be installed as a stand-alone Tomcat container with applications deployed via .servoy export files only (non-war deployment). If you still deploy your applications via .servoy exports, please follow the above instructions for Updating Servoy Developer on your server installation. Be sure to STOP tomcat before replacing the jars.

* Look into our Servoy Cloud offering, where security issues are continuously monitored by bots & experts and resolved for you as soon as they arise. Automatically. Contact your Servoy Sales rep for details on how to obtain a hassle free Servoy deployment.