Log4j and log4j2 library vulnerability
-
@privsec I'm already receiving exploit/scan attempts inbound. No successful exploits. I believe nothing in my cloudron stack uses it. I can't find any confirmation nextcloud does. If you find something i'd love it asap.
-
B BrutalBirdie referenced this topic on
-
@privsec I tested nextcloud with a log4j2 testing tool from huntress and I couldn't get it to callback to the ldap server so i think its gtg.
Here's a maintained list with log4j advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
log4j detector: https://github.com/mergebase/log4j-detector
-
Here's a maintained list with log4j advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
log4j detector: https://github.com/mergebase/log4j-detector
Docker Scan should allow us to scan cloudron containers if any doubt remains :
https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0
-
Docker Scan should allow us to scan cloudron containers if any doubt remains :
https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0
This tool is also neat, with or without cloudron context : https://github.com/fullhunt/log4j-scan
-
"Log4j 2.15.0 and previously suggested mitigations may not be enough" - https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134
-
"Log4j 2.15.0 and previously suggested mitigations may not be enough" - https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134
@girish I ran https://github.com/mergebase/log4j-detector today and it seems that at least SOLR is vulnerable(?)
/proc/5961/task/9300/cwd/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/32ab0d12f3342918d0ffea4a1392cb760f852f9bf0a219c682dd366ff26e72bc/diff/usr/share/java/log4j-1.2-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-| /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( -
@girish I ran https://github.com/mergebase/log4j-detector today and it seems that at least SOLR is vulnerable(?)
/proc/5961/task/9300/cwd/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/32ab0d12f3342918d0ffea4a1392cb760f852f9bf0a219c682dd366ff26e72bc/diff/usr/share/java/log4j-1.2-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-| /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-( -
@nebulon ping
Can you check that out?@brutalbirdie just because the library is used, does not mean the app is actually vulnerable. In either case all we can really do from our side is to closely track upstream releases during such times and release new app packages asap. We usually can't really patch the upstream apps easily. In this case it seem to be prometheus related? @necrevistonnezr do you know to which app those layers in your case are related to?
-
@brutalbirdie just because the library is used, does not mean the app is actually vulnerable. In either case all we can really do from our side is to closely track upstream releases during such times and release new app packages asap. We usually can't really patch the upstream apps easily. In this case it seem to be prometheus related? @necrevistonnezr do you know to which app those layers in your case are related to?
-
@nebulon The only SOLR instance is the Cloudron internal mail indexing, in my case.
-
I am aware of solr being detected by the static analyzers (the marketplace images complain about the same). solr is used internally for full text search in the mail container. It's not on by default and it's also not exposed outside the internal docker network (so not exposed to outside world).
Still, we will update the mail container. Solr only put out a new release yesterday which update log4j.
-
I am aware of solr being detected by the static analyzers (the marketplace images complain about the same). solr is used internally for full text search in the mail container. It's not on by default and it's also not exposed outside the internal docker network (so not exposed to outside world).
Still, we will update the mail container. Solr only put out a new release yesterday which update log4j.
@girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.
-
Docker Scan should allow us to scan cloudron containers if any doubt remains :
https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0
@rmdes good suggestion.
-
@rmdes good suggestion.
@mastadamus I'm happy to report that Crowdsec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with an firewall iptable bouncer it will auto block any ip belonging to an attempt it parses out.
crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25
-
@mastadamus I'm happy to report that Crowdsec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with an firewall iptable bouncer it will auto block any ip belonging to an attempt it parses out.
crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25
@mastadamus do you have a step by step instructions to setup crowdsec in a cloudron context ?
-
@mastadamus do you have a step by step instructions to setup crowdsec in a cloudron context ?
@rmdes I'll put one together later tonight.
-
@mastadamus do you have a step by step instructions to setup crowdsec in a cloudron context ?
-
@mastadamus thanks alot, will try to implement this & will report under your post
