[Ambience 4.x]: Zero-day exploits and vulnerabilities in log4j 2.x and logback

This entry covers three issues: the logback configuration-injection vulnerability CVE-2021-42550, the log4j zero-day exploit CVE-2021-44228, and the follow-up log4j vulnerability CVE-2021-45046 that resulted from the incomplete fix for it.

Reference Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046


Description:
[CVE-2021-44228, log4j] - A Zero-day exploit
JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled, which it is by default in the affected versions.

[CVE-2021-45046, log4j]
The fix to address CVE-2021-44228 was incomplete in certain non-default configurations. An attacker with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, can craft malicious input data using a JNDI Lookup pattern. This was initially published as a Denial of Service (DoS) issue; the CVE entry was later revised to information leak and remote code execution in some environments and local code execution in all environments, which is why the 2.15.0 release is itself listed as affected below.

[CVE-2021-42550, logback]
Injection vulnerability: an attacker with the privileges required to edit the logback configuration file could craft a malicious configuration that executes arbitrary code loaded from LDAP servers. Unlike the log4j issues, this requires write access to the configuration file, so until the library is upgraded the configuration file and the \lib directory should be writable only by the account that administers the Ambience Server.


Affected log4j versions:

  • All Apache log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
    >= 2.0-beta9 <= 2.15.0, excl. 2.12.2

Resolution:

  • Remove the log4j library from the \lib directory of the Ambience Server installation.
    Elixir Ambience does not use log4j (any version) in any 4.x release; it uses logback as its logging implementation and does not initialize log4j at startup. Some third-party libraries bundled with Ambience 4.x declare direct dependencies on log4j, but logback is the implementation initialized for them, so those libraries do not actually use log4j at runtime. Deleting the log4j library from the \lib directory of the Ambience Server therefore does not affect the running Ambience 4.x Server instance itself. After removing it, monitor the daily usage activities of the Ambience Server and check the Ambience Server logs for new exceptions, e.g. when rendering report templates to Excel outputs. Note that deleting the top-level log4j jars does not remove a copy of log4j-core that a third-party jar bundles inside itself; check the remaining jars for nested copies as well.

Affected logback versions:

  • All logback versions 1.2.7 and prior
    <=1.2.7

Resolution:

  • Upgrade from logback 1.2.x to logback 1.2.9
    Replace the existing logback libraries in the \lib directory of the Ambience Server installation with this: logback-1.2.9.zip (679.7 KB)
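As an added example (not Elixir Ambience code and not part of this advisory), the following Python scanner checks a \lib directory against both resolutions above: it finds log4j-core jars in the affected range, including copies nested inside third-party fat jars that a directory listing would miss, and reports logback jars still at 1.2.7 or below. It identifies libraries from their Maven pom.properties metadata and from the presence of JndiLookup.class; the fixture directory, the jar names and the report-renderer-all.jar fat jar are constructed for the demo and are not real Ambience files.

```python
"""Added example (not Elixir Ambience code): scan a directory of jars for
log4j-core in the advisory's affected range (>= 2.0-beta9, <= 2.15.0, excluding
2.12.2) and for logback <= 1.2.7, including jars nested inside fat jars."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOGBACK_POM_RE = re.compile(r"^META-INF/maven/ch\.qos\.logback/(logback-\w+)/pom\.properties$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?$")

def parse_version(version):
    """'2.12.2' -> comparable tuple; '2.0-beta9' sorts below '2.0'. None if unparsable."""
    m = VERSION_RE.match(version or "")
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0)) + ((0, tag.lower(), int(num)) if tag else (1, "", 0))

def log4j_core_vulnerable(version):
    """Affected range from the advisory; an unparsable version is treated as affected."""
    v = parse_version(version)
    if v is None:
        return True
    return version != "2.12.2" and parse_version("2.0-beta9") <= v <= parse_version("2.15.0")

def logback_vulnerable(version):
    """CVE-2021-42550: logback 1.2.7 and prior."""
    v = parse_version(version)
    return v is None or v <= parse_version("1.2.7")

def _pom_version(data):
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(zf, label, findings):
    """Record log4j-core / logback hits in one open jar, recursing into nested jars."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or LOG4J_POM in names:
        version = _pom_version(zf.read(LOG4J_POM)) if LOG4J_POM in names else None
        # Deleting JndiLookup.class from the jar is a known mitigation, so a hit
        # needs both an affected version and the class still present.
        findings.append({"jar": label, "library": "log4j-core", "version": version,
                         "vulnerable": JNDI_LOOKUP in names and log4j_core_vulnerable(version)})
    for name in sorted(names):
        m = LOGBACK_POM_RE.match(name)
        if m:
            version = _pom_version(zf.read(name))
            findings.append({"jar": label, "library": m.group(1), "version": version,
                             "vulnerable": logback_vulnerable(version)})
        elif name.endswith(".jar"):  # fat/uber jar: scan the embedded jar too
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_jar(inner, label + "!" + name, findings)
    return findings

def scan_lib_dir(lib_dir):
    """Scan every *.jar directly under lib_dir; returns a list of finding dicts."""
    findings = []
    for path in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(path) as zf:
            scan_jar(zf, path.name, findings)
    return findings

def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_lib(lib_dir):
    """Constructed fixture (not a real Ambience \\lib): an affected log4j-core, a
    third-party fat jar embedding the same log4j-core, an old logback-classic
    and an upgraded logback-core."""
    lib = Path(lib_dir)
    lib.mkdir(parents=True, exist_ok=True)
    log4j = _jar_bytes({JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
                        LOG4J_POM: b"groupId=org.apache.logging.log4j\nversion=2.14.1\n"})
    (lib / "log4j-core-2.14.1.jar").write_bytes(log4j)
    (lib / "report-renderer-all.jar").write_bytes(_jar_bytes({"lib/log4j-core-2.14.1.jar": log4j}))
    (lib / "logback-classic-1.2.3.jar").write_bytes(_jar_bytes(
        {"META-INF/maven/ch.qos.logback/logback-classic/pom.properties": b"version=1.2.3\n"}))
    (lib / "logback-core-1.2.9.jar").write_bytes(_jar_bytes(
        {"META-INF/maven/ch.qos.logback/logback-core/pom.properties": b"version=1.2.9\n"}))
    return lib

def run_demo():
    """Build the constructed fixture in a temp dir, scan it and return the findings."""
    return scan_lib_dir(build_sample_lib(Path(tempfile.mkdtemp()) / "lib"))

if __name__ == "__main__":
    for f in run_demo():
        print(("AFFECTED " if f["vulnerable"] else "ok       ") + str(f))
```

Point scan_lib_dir at the real \lib directory to run it against an installation; a finding whose jar label contains "!" is a copy embedded in another jar and is not removed by deleting the top-level log4j files. The version check deliberately treats a missing or unparsable version as affected, so anything the scanner cannot classify is surfaced for manual review rather than silently passed.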

The above are interim approaches for existing Ambience Server versions 4.6.5 and below. A new version of Elixir Ambience, currently in development and scheduled for release in early 2022, will address the above issues directly and ship with updated libraries.