WSO2 impacted: Yes
Evidence of compromise: No
Customers actions required: Yes
On December 10, 2021, the WSO2 Security and Compliance team received notifications of zero-day exploitation of a component used in multiple WSO2 products and services. Upon notification, the Security and Compliance team, together with the Engineering and infrastructure teams, performed a detailed analysis of the WSO2 environment and of the impacted products, and identified mitigation steps. WSO2 Engineering teams tested and confirmed the mitigation steps against the affected products and ensured that all product functionality continues to work as intended.
Impact on WSO2 Products and Deployments
This announcement is applicable only for the following product versions:
- WSO2 Identity Server 5.9.0 and above
- WSO2 Identity Server Analytics 5.7.0 and above
- WSO2 Identity Server as Key Manager 5.9.0 and above
- WSO2 API Manager 3.0.0 and above
- WSO2 API Manager Analytics 2.6.0 and above
- WSO2 Enterprise Integrator 6.1.0 and above
- WSO2 Enterprise Integrator Analytics 6.6.0 and above
- WSO2 Micro Integrator 1.1.0 and above
- WSO2 Micro Integrator Dashboard 4.0.0 and above
- WSO2 Micro Integrator Monitoring Dashboard 1.1.0 and above
- WSO2 Stream Processor 4.0.0 and above
- WSO2 Stream Integrator 1.0.0 and above
- WSO2 Stream Integrator Tooling 1.0.0 and above
- WSO2 Open Banking AM 2.0.0 and above
- WSO2 Open Banking KM 2.0.0 and above
If you are using a product not listed above, or an older version than those listed, then as of our current analysis your deployment is not affected by the vulnerability discussed in CVE-2021-44228. Therefore, no further remediation actions are required in such deployments.
If you are a WSO2 support customer, please immediately follow the security announcements WSO2 made on Dec 11, 2021 and Dec 12, 2021 through the WSO2 support portal. If you need any further information or assistance, please contact the WSO2 support team.
As per CVE-2021-44228 and the associated Apache Log4j2 security advisory, Apache Log4j2 versions <=2.14.1 are vulnerable to a remote code execution vulnerability. The relevant advisory content published by the Apache Log4j2 team is as follows:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
WSO2 Engineering teams are working on updating the Log4j 2 version to 2.15.0. WSO2 values both its customers and its community users. Since this vulnerability is being widely exploited, we urge our community users to also follow the mitigation steps to safeguard their deployments.
It is recommended to apply the temporary mitigation below as early as possible. Please note that the temporary mitigation script shared below is, as of now, specific to Linux environments.
Temporary mitigation steps:
- Ensure that the "zip" and "unzip" commands are installed on the server hosting the product.
- Follow either of the following options:
  - Option 1: Navigate to the product-home folder and run the following command (without quotes): "curl https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh | bash"
  - Option 2:
    - Download the script from https://raw.githubusercontent.com/wso2/security-tools/master/internal/update-scripts/CVE-2021-44228-mitigation.sh
    - Copy the script into the product-home folder.
    - Run the script from product-home using the following command (without quotes): "bash CVE-2021-44228-mitigation.sh"
- After executing the script, restart the product.
The temporary mitigation script removes "org/apache/logging/log4j/core/lookup/JndiLookup.class" from every affected Log4j2 dependency found within the folder (and its sub-folders) in which the script is executed. This approach is also recommended on the Log4j2 security page. After applying the temporary fix, please ignore the "ClassNotFoundException" for the "JndiLookup" class, which may appear during product startup.
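As an added illustration (not the WSO2 mitigation script, which uses zip/unzip), the following Python performs the same two tasks a defender wants after running it: locate every jar under a product-home that still contains JndiLookup.class, and strip that entry in place. The directory layout and jar names in run_demo are constructed fixtures, not real Log4j archives.

```python
import io
import pathlib
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry the WSO2 script deletes

def find_vulnerable_jars(root):
    """Return sorted paths of .jar files under root that still ship JndiLookup.class."""
    hits = []
    for path in pathlib.Path(root).rglob("*.jar"):
        try:
            with zipfile.ZipFile(path) as jar:
                if JNDI_CLASS in jar.namelist():
                    hits.append(str(path))
        except zipfile.BadZipFile:
            continue  # not a real archive; skip it
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar in place without JndiLookup.class; True if an entry was removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:  # copy every other entry unchanged
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    pathlib.Path(jar_path).write_bytes(buf.getvalue())
    return True

def make_sample_jar(path, with_jndi):
    """Constructed fixture: a tiny jar with placeholder class bytes, not real Log4j."""
    path = pathlib.Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe")

def run_demo():
    """Build a throwaway product-home, scan, strip, rescan; returns (hits, removed, hits_after)."""
    root = pathlib.Path(tempfile.mkdtemp())
    plugins = root / "repository" / "components" / "plugins"  # constructed layout
    make_sample_jar(plugins / "log4j-core.jar", True)   # constructed: still carries the lookup class
    make_sample_jar(plugins / "log4j-api.jar", False)   # constructed: a jar without it
    before = find_vulnerable_jars(root)
    removed = [strip_jndi_lookup(p) for p in before]
    return len(before), sum(removed), len(find_vulnerable_jars(root))
```

Running the scan again after the strip (the third value) is the check worth keeping: it confirms nothing under product-home still carries the class before the product is restarted.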
If you are using Docker images in your deployment, we advise temporarily building a new Docker image that runs the provided script as an additional build step.
Example Docker images for Ubuntu based distributions:
We will update this announcement if further actions are required.