MAAP-Project / Community


Scan for Log4j usage and fix #492

Closed gchang closed 2 years ago

gchang commented 2 years ago

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

bsatoriu commented 2 years ago

I patched the DIT, UAT and Ops Auth servers using CAS's recommended solution. The patch was applied to the CAS, Syncope REST, and Syncope console apps in each respective environment.

I based this plan on the results of scanning for the log4j binaries in each environment. The following argument was added to line 267 of the Tomcat catalina.sh script:

# Patch Log4J vulnerability
# More info: https://apereo.github.io/2021/12/11/log4j-vuln/
JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

gchang commented 2 years ago

This fix is no longer considered sufficient.

https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#option-2-enable-formatmsgnolookups
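The scan bsatoriu describes, and the reason the flag alone is not enough, as an added example that is not part of this thread or the MAAP project: a small Python inventory that walks a directory tree, finds log4j-core jars, reads the version from the file name or the manifest, and reports whether log4j2.formatMsgNoLookups is honoured at all (the property only exists from 2.10 onwards), whether the JndiLookup class is still inside the jar, and whether the version is below 2.15.0, the release that fixed CVE-2021-44228. The directory layout and the four jars are constructed fixtures, not real artefacts; build_sample_tree, scan and demo are names chosen for this example.

```python
"""Added example, not MAAP project code: inventory log4j-core jars under a
directory tree and classify each one against CVE-2021-44228.

Rules applied (assumptions of this example, see lead-in):
  * version below 2.10.0 -> log4j2.formatMsgNoLookups is not honoured at all
  * JndiLookup.class absent -> the lookup code itself has been removed
  * version below 2.15.0 with JndiLookup present -> vulnerable to CVE-2021-44228
  * unknown version -> treated as vulnerable (conservative)
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); short versions are padded so '2.15' == 2.15.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def jar_version(path):
    """Version from the file name, else from the manifest's Implementation-Version."""
    m = JAR_NAME.search(path.name)
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else None


def classify(path):
    """One finding per jar: version, presence of JndiLookup, and what that implies."""
    version = jar_version(path)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    return {
        "jar": str(path),
        "version": version,
        "jndi_lookup_present": has_jndi,
        "flag_honoured": version is not None and version >= (2, 10, 0),
        "vulnerable_cve_2021_44228": has_jndi and (version is None or version < (2, 15, 0)),
    }


def scan(root):
    """Walk root and classify every log4j-core jar, in path order."""
    return [classify(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]


def build_sample_tree(root):
    """Constructed fixture: four minimal fake jars, not real log4j artefacts."""
    fixtures = [
        ("app1/WEB-INF/lib/log4j-core-2.8.2.jar", "2.8.2", True),    # flag is ignored
        ("app2/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1", True),  # flag honoured, still vulnerable
        ("app3/WEB-INF/lib/log4j-core-2.15.0.jar", "2.15.0", True),  # fixed release
        ("app4/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1", False), # class removed from jar
    ]
    for rel, ver, with_jndi in fixtures:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"")  # placeholder for the class bytes
    return root


def demo():
    """Build the fixture in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a real installation, point scan() at the Tomcat webapps directory and any shared lib directories; the findings for the 2.8.2 fixture show why setting the property on an old jar changes nothing, and the 2.14.1 fixture shows that a jar which does honour it is still classed as vulnerable. The rule set deliberately covers only the CVE this issue tracks.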

bsatoriu commented 2 years ago

I'm going to apply the Log4jHotPatch as an interim solution while I work on upgrading the Log4j installations.

bsatoriu commented 2 years ago

The Log4jHotPatch has been deployed to all environments. To ensure the jar is always included within our Java processes, I used the same catalina.sh script approach, replacing the formatMsgNoLookups=true snippet with the following:

# Patch Log4J vulnerability
# More info: https://github.com/corretto/hotpatch-for-apache-log4j2
JAVA_OPTS="$JAVA_OPTS -javaagent:Log4jHotPatch.jar"
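A check for the deployment described above, as an added example that is not part of this thread or the MAAP project: it reads a Tomcat startup script, extracts every -javaagent entry from JAVA_OPTS, resolves a relative jar path against the directory Tomcat is launched from (which is how the JVM resolves it), confirms the jar exists, and reports whether the superseded -Dlog4j2.formatMsgNoLookups=true flag was left behind. The script fragment is constructed from the lines quoted in the thread; check_startup_script and demo are names chosen for this example, and the empty Log4jHotPatch.jar written by demo is a stand-in for the real jar.

```python
"""Added example, not MAAP project code: check that a Tomcat startup script
(catalina.sh or setenv.sh) wires in the Log4jHotPatch agent and that the jar it
names is reachable. A relative -javaagent path is resolved by the JVM against
its working directory, and a JVM whose agent jar cannot be opened does not start
at all, so the check resolves the path from the directory Tomcat is launched in.
"""
import re
import tempfile
from pathlib import Path

AGENT_RE = re.compile(r"-javaagent:([^\s\"']+)")
OLD_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def check_startup_script(script_path, workdir):
    """Report the agent entries found, whether each resolves to a file, and
    whether the superseded formatMsgNoLookups flag was left behind."""
    text = Path(script_path).read_text()
    agents = []
    for raw in AGENT_RE.findall(text):
        # -javaagent:jarpath[=options]; drop the options before resolving the path.
        jar = raw.split("=", 1)[0]
        resolved = Path(jar) if Path(jar).is_absolute() else Path(workdir) / jar
        agents.append({"jar": jar, "resolved": str(resolved), "present": resolved.is_file()})
    return {
        "hotpatch_configured": any(a["jar"].endswith("Log4jHotPatch.jar") for a in agents),
        "all_agents_present": bool(agents) and all(a["present"] for a in agents),
        "old_flag_still_set": OLD_FLAG in text,
        "agents": agents,
    }


# Constructed script fragment mirroring the lines quoted in the thread.
SAMPLE_SCRIPT = """\
#!/bin/sh
# Patch Log4J vulnerability
# More info: https://github.com/corretto/hotpatch-for-apache-log4j2
JAVA_OPTS="$JAVA_OPTS -javaagent:Log4jHotPatch.jar"
"""


def demo(jar_present=True):
    """Write the sample script into a temporary Tomcat home and run the check,
    with or without the agent jar actually present in the launch directory."""
    with tempfile.TemporaryDirectory() as home:
        script = Path(home) / "bin" / "catalina.sh"
        script.parent.mkdir()
        script.write_text(SAMPLE_SCRIPT)
        if jar_present:
            (Path(home) / "Log4jHotPatch.jar").write_bytes(b"")  # stand-in for the jar
        return check_startup_script(script, home)


if __name__ == "__main__":
    print(demo(jar_present=True))
    print(demo(jar_present=False))
```

Run demo(jar_present=False) to see the failure mode worth catching before a restart: the agent is configured but the relative path does not resolve from the launch directory, and a JVM started that way will not come up. old_flag_still_set is informational; the property is harmless alongside the agent but is no longer the mitigation being relied on.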