A new 0-day vulnerability, formally known as CVE-2021-44228, was published in the NIST National Vulnerability Database on Friday, December 10, and was followed by this NIST entry on December 14. The vulnerability is in the Log4j Java library.

Log4j is a popular open-source logging library maintained by the Apache Software Foundation. The vulnerability found in Log4j allows attackers to execute commands remotely on a target system. NIST rates the severity of the vulnerability as "Critical".

Our investigations show that the Endeavour and Connect applications may have the Log4Shell vulnerability.

Additional information, when available, will also be posted on this page.

Update December 22, 2021: A previous version of this page referenced upgrading to Log4j version 2.16. The most recent guidance (CVE-2021-45105) recommends upgrading to Log4j version 2.17 instead, so the mitigation steps below have been updated to reflect that change.

MITIGATION

Our initial testing has indicated that it is possible to upgrade Log4j in the latest ClearOrbit application (6.3) to Log4j version 2.17, which contains the fix. To update the application, follow these steps:

Download Log4j version 2.17 from https://logging.apache.org/log4j/2.x/download.html onto your test system.

1. Take a backup of clearorbit.ear from $JBOSS_HOME/standalone/configuration and copy it into /tmp.
Remove log4j.jar from the clearorbit.ear file: zip -d clearorbit.ear log4j.jar
Rename log4j-core-2.17.0.jar to log4j.jar: cp log4j-core-2.17.0.jar log4j.jar
Add the new log4j jar to the clearorbit.ear file: zip -u clearorbit.ear log4j.jar

2. Remove log4j-1.2-api-2.8.2.jar from the clearorbit.ear file: zip -d clearorbit.ear log4j-1.2-api-2.8.2.jar
Rename log4j-api-2.17.0.jar to log4j-1.2-api-2.8.2.jar: cp log4j-api-2.17.0.jar log4j-1.2-api-2.8.2.jar
Add the new log4j jar to the clearorbit.ear file: zip -u clearorbit.ear log4j-1.2-api-2.8.2.jar

3. Restart the application and complete a set of regression tests on your test system.

If your tests are successful, repeat the process on the production system, or copy the updated clearorbit.ear file from test to production and restart the services.

Customers who are on older versions of the application should contact Support for further guidance.

If it is not possible to update the application quickly, review the interim steps below.

Firstly, is the ClearOrbit application publicly accessible? If it can only be accessed internally, the risk is mitigated. If it is public, customers should add firewall protection as soon as possible to mitigate an attack until the software can be patched; for example, the firewall can inspect requests and block them based on the User-Agent header and request path matching the pattern \$\{jndi:(ldap|rmi|dns).

We recommend that customers also determine the impact by searching the JBoss server.log file for "jndi:ldap" (a case-insensitive search is advisable). If this string is found, there is a higher risk of attack, or an attack has already been attempted.

As per https://nvd.nist.gov/vuln/detail/CVE-2021-44228:

Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Customers can check the Java version by running "ps -ef | grep java" on the JBoss server, which will show lines such as the following: "root      2572  2484 34 06:45 pts/1    00:00:41 /d0/JAVA/openjdk-1.8.0.302/bin/java". The Java installation path in that output indicates the version (here 1.8.0.302, i.e. 8u302). Using Java version 8u121 or above also helps to mitigate the vulnerability.

The log4j version included in the latest clearorbit.ear application file is version 2.8.2 (log4j 2.9). The other commonly recommended mitigation steps (such as adding "-Dlog4j2.formatMsgNoLookups=True" to the JVM start-up command) only apply to versions > 2.10, so they do not help here. To resolve the vulnerability, log4j should be updated as per the recommendation above from IgniteTech, or the JndiLookup.class can be removed from the log4j.jar file inside the clearorbit.ear file (take a backup of clearorbit.ear first):

unzip clearorbit.ear log4j.jar -d .    # extract only log4j.jar from the ear into the current directory
zip -q -d log4j.jar org/apache/logging/log4j/core/lookup/JndiLookup.class    # delete the JNDI lookup class from the jar
zip clearorbit.ear log4j.jar    # write the modified log4j.jar back into the ear
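The same JndiLookup.class removal, as an added example that is not IgniteTech's tooling, written with Python's zipfile module so that the result can be verified before the ear is put back on the server. The ear used here is constructed in memory as a stand-in for clearorbit.ear; the jar name and class path are the ones given above.

```python
import io
import zipfile

# Class removed by the mitigation above (path inside the log4j core jar).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _build_zip(entries):
    """Build an in-memory zip (jar or ear) from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def _rewrite_zip(data, drop, replace):
    """Copy a zip, omitting entry names in `drop` and substituting bytes from `replace`."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        kept = {i.filename: replace.get(i.filename, src.read(i.filename))
                for i in src.infolist() if i.filename not in drop}
    return _build_zip(kept)

def jar_entries(ear, jar_name="log4j.jar"):
    """Entry names inside the jar `jar_name` that is nested in the ear."""
    with zipfile.ZipFile(io.BytesIO(ear)) as z:
        with zipfile.ZipFile(io.BytesIO(z.read(jar_name))) as jar:
            return jar.namelist()

def jndi_lookup_present(ear, jar_name="log4j.jar"):
    """True while the nested log4j jar still ships JndiLookup.class (still vulnerable)."""
    return JNDI_CLASS in jar_entries(ear, jar_name)

def strip_jndi_lookup(ear, jar_name="log4j.jar"):
    """Return a new ear whose nested log4j jar no longer contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(ear)) as z:
        jar = z.read(jar_name)
    patched_jar = _rewrite_zip(jar, {JNDI_CLASS}, {})
    return _rewrite_zip(ear, set(), {jar_name: patched_jar})

def build_sample_ear():
    """Constructed stand-in for clearorbit.ear: a tiny log4j.jar carrying a dummy JndiLookup.class."""
    jar = _build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                      JNDI_CLASS: b"\xca\xfe\xba\xbe"})  # placeholder bytes, not a real class file
    return _build_zip({"META-INF/application.xml": b"<application/>", "log4j.jar": jar})

if __name__ == "__main__":
    ear = build_sample_ear()
    print("vulnerable before:", jndi_lookup_present(ear))                    # True
    print("vulnerable after: ", jndi_lookup_present(strip_jndi_lookup(ear)))  # False
```

On a real system, read the backed-up clearorbit.ear from /tmp, pass its bytes through strip_jndi_lookup, and write the result back into $JBOSS_HOME/standalone/configuration only once jndi_lookup_present returns False for it.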
