...
Published on: 13/12/2021
Last updated on: 26/01/2022
WSO2 impacted: Yes
Evidence of compromise: No
...
On December 10, 2021, the WSO2 Security and Compliance team received notifications of a zero-day exploitation of a component that is used in multiple WSO2 products and services. Upon notification, the Security and Compliance team, together with the Engineering and Infrastructure teams, performed a detailed analysis of the WSO2 environment and of the impacted products, and mitigation steps were identified. WSO2 Engineering teams tested and confirmed the mitigation steps against the affected products and ensured that all product functionality continues to work as intended.
...
If you are using a product not listed above, or an older version than those listed, then as of our current analysis your deployment is not affected by the vulnerabilities discussed in CVE-2021-44228 [1], CVE-2021-45046 [3], and CVE-2021-45105 [4]. In such deployments, no further remediation actions are required.
...
As per CVE-2021-44228 [1] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 <=2.15.0 versions are vulnerable to a remote code execution vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:

> Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
As per CVE-2021-45046 [3] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 <=2.16.0 versions are vulnerable to a remote code execution vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:
...
As per CVE-2021-45105 [4] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 <=2.17.0 versions are vulnerable to a Denial of Service vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:

> Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
WSO2 Engineering teams have already updated the Log4j 2 version to 2.17.0 and are currently working on updating the Log4j 2 version to 2.17.1. WSO2 values both its customers and its community users. Since this vulnerability is being widely exploited, we urge our community users also to follow the mitigation steps to safeguard their deployments.
It is recommended to apply the temporary mitigation described below as early as possible. Please note that the temporary mitigation script shared below is currently specific to Linux environments.
...
The temporary mitigation script removes "org/apache/logging/log4j/core/lookup/JndiLookup.class" from all affected Log4j2 dependencies found within the folder (and its sub-folders) in which the script is executed. This approach is also recommended on the Log4j2 security page [2]. After applying the temporary fix, please ignore the "ClassNotFoundException" for the "JndiLookup" class, which may be logged during product startup.
...
Example Docker images for Ubuntu-based distributions:
```dockerfile
FROM wso2/wso2is:5.10.0

# The mitigation script rewrites jar files, so it needs the zip tool available.
USER root
RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip \
    && rm -rf /var/lib/apt/lists/*

# Run the mitigation as the product user so file ownership under the product home is preserved.
# -f makes a failed download fail the image build instead of piping an error page into bash.
USER wso2carbon
RUN curl -fsSL https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh | bash
```
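After the mitigation has run, it is worth confirming that no archive under the product home still carries the class. The shell script below is an added example written for this page; it is not WSO2's mitigation script, and the directory layout and jar names it creates are constructed purely for demonstration. It relies on the fact that zip archives store entry names uncompressed, so a text search of each jar finds the entry without needing unzip.

```shell
#!/bin/sh
# Added example (not WSO2's mitigation script): report archives under a directory
# that still contain JndiLookup.class, i.e. where the mitigation has not taken effect.

JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

list_jars_with_jndilookup() {
  # Print each .jar/.zip under $1 whose archive still lists JndiLookup.class.
  # Entry names in a zip central directory are stored as plain text, so grep on the
  # archive itself is sufficient. Caveat: a log4j-core jar nested inside a compressed
  # .war/.ear is not visible to this check; unpack such archives and scan them separately.
  find "$1" -type f \( -name '*.jar' -o -name '*.zip' \) \
    -exec grep -lF -- "$JNDI_CLASS" {} + 2>/dev/null || true
}

jndilookup_removed() {
  # Exit 0 when no archive under $1 carries JndiLookup.class, 1 otherwise.
  [ -z "$(list_jars_with_jndilookup "$1")" ]
}

make_sample_lib() {
  # Constructed stand-ins for jar files (not real archives): only the entry-name
  # text matters to this check. Directory names are hypothetical.
  lib=$(mktemp -d)
  mkdir -p "$lib/lib" "$lib/plugins"
  printf 'constructed-jar-stand-in %s\n' "$JNDI_CLASS" > "$lib/lib/log4j-core-unpatched.jar"
  printf 'constructed-jar-stand-in org/apache/logging/log4j/core/lookup/DateLookup.class\n' \
    > "$lib/plugins/log4j-core-patched.jar"
  printf '%s\n' "$lib"
}

if [ "${1:-}" = "--demo" ]; then
  lib=$(make_sample_lib)
  list_jars_with_jndilookup "$lib"
  rm -rf "$lib"
fi
```

Run it against the real product home with `list_jars_with_jndilookup /path/to/product-home`; an empty result means the class is gone from every archive the check can see.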
Identifying and applying temporary mitigations on CVE-2021-45105 [4]
Please note that WSO2 has analyzed CVE-2021-45105 and the associated Log4j update (2.17.0). The default configurations of WSO2 products are not vulnerable to CVE-2021-45105. We strongly recommend executing the command below from the WSO2 product home and confirming that the customized configurations you use are not vulnerable.
...
If the above command returns no results, your deployment is not affected. However, if any matches were identified, please remove references to Context Lookups from the identified configuration file as per the recommendations illustrated in the CVE-2021-45105 section of the Log4j security advisory [2].
If you are interested in CVE-2021-4104, please have a look at [5].
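The check above looks for Context Lookups in customized logging configurations. The script below is an added example written for this page, not the WSO2 command referred to above (which is not reproduced here); the product-home layout and the configuration contents it creates are constructed for demonstration and are not copies of any WSO2 configuration. It flags the `${ctx:...}` and `$${ctx:...}` lookup forms named in the advisory and deliberately does not flag `%X{...}`, which is the Thread Context pattern converter the Apache advisory recommends instead of a lookup.

```shell
#!/bin/sh
# Added example (not the WSO2 command referred to above): locate Context Lookups,
# "${ctx:...}" or "$${ctx:...}", in Log4j 2 configuration files under a directory.

scan_ctx_lookups() {
  # Print "file:line:content" for every Context Lookup found under $1.
  # Only files whose names start with "log4j2" are inspected (properties, xml, yaml, json);
  # /dev/null is passed so grep always prefixes matches with the file name.
  find "$1" -type f -name 'log4j2*' \
    -exec grep -nE '\$\$?\{ctx:' /dev/null {} + 2>/dev/null || true
}

has_ctx_lookups() {
  # Exit 0 when at least one Context Lookup was found under $1, 1 otherwise.
  [ -n "$(scan_ctx_lookups "$1")" ]
}

make_sample_home() {
  # Build a constructed product-home layout for demonstration; the file contents
  # are illustrative, not copies of any WSO2 configuration.
  home=$(mktemp -d)
  mkdir -p "$home/repository/conf/custom"
  # Thread-context value rendered with the %X pattern converter: not a lookup, not flagged.
  cat > "$home/repository/conf/log4j2.properties" <<'EOF'
appender.CARBON_CONSOLE.type = Console
appender.CARBON_CONSOLE.name = CARBON_CONSOLE
appender.CARBON_CONSOLE.layout.type = PatternLayout
appender.CARBON_CONSOLE.layout.pattern = [%d] %5p {%c} %X{Correlation-ID} - %m%n
EOF
  # Customised layout that interpolates MDC data through a Context Lookup: flagged.
  cat > "$home/repository/conf/custom/log4j2-audit.properties" <<'EOF'
appender.AUDIT.type = RollingFile
appender.AUDIT.name = AUDIT
appender.AUDIT.layout.type = PatternLayout
appender.AUDIT.layout.pattern = [%d] %5p $${ctx:loginId} {%c} - %m%n
EOF
  printf '%s\n' "$home"
}

if [ "${1:-}" = "--demo" ]; then
  home=$(make_sample_home)
  scan_ctx_lookups "$home"
  rm -rf "$home"
fi
```

Every line the script prints is a pattern to rewrite: per the Apache advisory in [2], replace the lookup with the equivalent `%X{key}` (or `%mdc{key}`) converter so the value is rendered without lookup substitution.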
...