
Version: 4.0

Published on: 13/12/2021

Last updated on: 15/12/2021


WSO2 impacted: Yes

Evidence of compromise: No

Customers actions required: Yes


Reported Incident

The WSO2 Security and Compliance team received notifications that, as of December 10, 2021, a zero-day vulnerability was being exploited in a component used in multiple WSO2 products and services. Upon notification, the Security and Compliance team, together with the Engineering and Infrastructure teams, performed a detailed analysis of the WSO2 environment and of the impacted products, and identified mitigation steps. WSO2 Engineering teams tested and confirmed the mitigation steps against the affected products and ensured that all product functionality works as intended.


Impact on WSO2 Products and Deployments

This announcement is applicable only for the following product versions

  • WSO2 Identity Server 5.9.0 and above
  • WSO2 Identity Server Analytics 5.7.0 and above
  • WSO2 Identity Server as Key Manager 5.9.0 and above
  • WSO2 API Manager 3.0.0 and above
  • WSO2 API Manager Analytics 2.6.0 and above
  • WSO2 Enterprise Integrator 6.1.0 and above
  • WSO2 Enterprise Integrator Analytics 6.6.0 and above 
  • WSO2 Micro Integrator 1.1.0 and above 
  • WSO2 Micro Integrator Dashboard 4.0.0 and above 
  • WSO2 Micro Integrator Monitoring Dashboard 1.1.0 and above 
  • WSO2 Stream Processor 4.0.0 and above 
  • WSO2 Stream Integrator 1.0.0 and above 
  • WSO2 Stream Integrator Tooling 1.0.0 and above 
  • WSO2 Open Banking AM 2.0.0 and above
  • WSO2 Open Banking KM 2.0.0 and above
  • WSO2 Open Banking BI 1.3.0 and above
  • WSO2 Micro Gateway 3.2.0 and above

If you are using a product not listed above, or a version older than those listed, then as of our current analysis your deployment is not affected by the vulnerabilities discussed in CVE-2021-44228 [1], CVE-2021-45046 [3] and CVE-2021-45105 [4]. Therefore, no further remediation actions are required in such deployments.

Support Customers

If you are a WSO2 support customer, please immediately follow the security announcements WSO2 made on 2021 December 11, 12, 13, 15, 16, and 19 through the WSO2 support portal. If you need any further information or assistance, please contact the WSO2 support team.


If you are not a WSO2 support customer and are affected by this security incident, please contact us through the Contact Us form for further assistance.

As per CVE-2021-44228 [1] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 versions <=2.15.0 are vulnerable to a remote code execution vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

As per CVE-2021-45046 [3] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 versions <=2.16.0 are vulnerable to a remote code execution vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

As per CVE-2021-45105 [4] and the associated Apache Log4j2 security advisory listed in [2], Apache Log4j2 versions <=2.17.0 are vulnerable to a Denial of Service vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:

Description from CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

WSO2 Engineering teams are working on updating the Log4j 2 version to 2.17.0. WSO2 values its customers and community users alike. Since this vulnerability is being widely exploited, we urge community users also to follow the mitigation steps to safeguard their deployments.

We recommend applying the temporary mitigation described below at the earliest possible opportunity. Please note that the temporary mitigation script shared below is currently specific to Linux environments.

Temporary mitigation steps on CVE-2021-44228 [1] and CVE-2021-45046 [3]

  1. Ensure that the "zip" and "unzip" commands are installed on the server hosting the product.
  2. Follow either of the following options:
    1. Option 1: Navigate to the product-home folder and run the following command (without quotes): "curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh | bash"
    2. Option 2:
      1. Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh
      2. Copy the script into the product-home folder.
      3. Run the script from the product-home folder using the following command (without quotes): "bash CVE-2021-44228-mitigation.sh"
  3. After executing the script, restart the product.

The temporary mitigation script removes "org/apache/logging/log4j/core/lookup/JndiLookup.class" from all affected Log4j2 dependencies found within the folder (and its sub-folders) in which the script is executed. This approach is also recommended on the Log4j2 security page [2]. After applying the temporary fix, please ignore the "ClassNotFoundException" for the "JndiLookup" class that may occur during product startup.
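The following is an added example, not WSO2's mitigation script: it walks a product-home folder, reports every jar that still carries JndiLookup.class (by content rather than file name, since Log4j 2 may be repackaged inside another bundle) and rewrites those jars without that entry, so it can be used both to apply the same change and to verify afterwards that nothing was missed. The "repository/components/plugins" path and the jar contents in demo() are constructed stand-ins, not a real product layout.

```python
# Added example, not WSO2's script: find jars that still carry JndiLookup.class and strip it.
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_LOOKUP in zf.namelist()
    except zipfile.BadZipFile:  # not an archive, so nothing to strip
        return False

def affected_jars(root):
    """Every *.jar below root (any name, as Log4j 2 may be repackaged) still carrying the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and has_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; zip has no in-place delete."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # swap in under the original file name
    return True

def mitigate(root):
    """Strip every affected jar under root; returns the jars that were changed."""
    return [jar for jar in affected_jars(root) if strip_jndi_lookup(jar)]

def demo():
    """Constructed product home with one affected jar (fake class bytes)."""
    home = tempfile.mkdtemp(prefix="product-home-")
    jar = os.path.join(home, "repository", "components", "plugins", "sample.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
    before = has_jndi_lookup(jar)
    stripped = [os.path.basename(j) for j in mitigate(home)]
    return before, stripped, has_jndi_lookup(jar)  # (True, ["sample.jar"], False)
```

Running affected_jars() a second time after the product restart is the quickest confirmation that the mitigation reached every bundle.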

If you are using Docker images in your deployment, we advise temporarily building a new Docker image that runs the provided script as an additional build step.

Example Docker images for Ubuntu based distributions: 

Ubuntu based Dockerfile example
FROM wso2/wso2is:5.10.0

# The mitigation script needs both the zip and unzip commands (see step 1 above).
USER root

RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        zip \
        unzip \
    && rm -rf /var/lib/apt/lists/*

# Switch back to the product user so the rewritten jars keep their ownership.
USER wso2carbon

# -f makes the build fail on an HTTP error instead of piping an error page into bash.
RUN curl -fsSL https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh | bash


Identifying and applying temporary mitigations for CVE-2021-45105 [4]

Please note that WSO2 has analyzed CVE-2021-45105 and the associated Log4j update (2.17.0). The default configurations of WSO2 products are not vulnerable to CVE-2021-45105. We strongly recommend running the command below from the WSO2 product-home folder to confirm that any customized configurations you use are not vulnerable.

Linux environments:

grep -R '${ctx:' . | grep 'log4j'

Windows environments (using Powershell):

Get-ChildItem -recurse | Select-String -ErrorAction SilentlyContinue -pattern '\${ctx:' | group path | select name | Select-String 'log4j'

If the above command returns no results, your deployment is not affected. If any matches are identified, remove the Context Lookup references from the identified configuration file as per the recommendations in the CVE-2021-45105 section of the Log4j security advisory [2].
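As an added example (not WSO2's check), the following does what the grep and PowerShell commands above do, but also reports the line and lookup key of each match and shows the %X{key} pattern converter that the Log4j security page [2] recommends in place of a Context Lookup. The configuration lines in SAMPLE_CONFIG and the "conf" layout in demo() are constructed for illustration.

```python
# Added example, not WSO2's check: find Context Lookups (${ctx:...}) in Log4j 2
# configuration under a product home (CVE-2021-45105) and show the %X{key} form.
import os
import re
import tempfile

CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")  # matches ${ctx:x} and $${ctx:x}

def scan_file(path):
    """Return (line number, lookup key, line) for every Context Lookup in a file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for match in CTX_LOOKUP.finditer(line):
                findings.append((lineno, match.group(1), line.rstrip("\n")))
    return findings

def scan_home(root):
    """Like the grep above: walk root and inspect only files with log4j in the name."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower():
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

def remediated_line(line):
    """Replace each Context Lookup with the equivalent %X{key} pattern converter."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", line)

SAMPLE_CONFIG = """\
appender.CARBON_LOGFILE.layout.type = PatternLayout
appender.CARBON_LOGFILE.layout.pattern = TID: [%tenantId] [%d] %5p {%c} - %m%ex%n
appender.AUDIT_LOGFILE.layout.pattern = [%d] %5p {%c} user=$${ctx:loginId} - %m%n
"""  # constructed sample; only the AUDIT_LOGFILE pattern carries a Context Lookup

def demo():
    """Constructed product home: one log4j2.properties plus an unrelated config file."""
    home = tempfile.mkdtemp(prefix="product-home-")
    conf_dir = os.path.join(home, "conf")
    os.makedirs(conf_dir)
    with open(os.path.join(conf_dir, "log4j2.properties"), "w") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(os.path.join(conf_dir, "deployment.toml"), "w") as fh:
        fh.write("[server]\nhostname = 'localhost'\n")
    report = scan_home(home)
    fixed = {f: [remediated_line(l) for _, _, l in hits] for f, hits in report.items()}
    return report, fixed
```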


If you are interested in CVE-2021-4104, please see [5].


We will update this announcement if further actions are required.

References

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228

[2] https://logging.apache.org/log4j/2.x/security.html

[3] https://nvd.nist.gov/vuln/detail/CVE-2021-45046

[4] https://nvd.nist.gov/vuln/detail/CVE-2021-45105

[5] https://docs.wso2.com/display/Security/CVE-2021-4104 
