[Announce] Log4j CVE-2021-44228 安全漏洞影响说明

[slievrly]

CVE-2021-44228 Announce

Recently, the mainstream log framework log4j2 was reported with a severe security vulnerability CVE-2021-44228.

The following is a summary of the impact of this vulnerability CVE-2021-44228 on the Seata.

Potential Influence on Seata

CVE-2021-44228 has NO security impact on use of Seata.

log4j-core dependency are not referenced directly or indirectly in the Seata project So you don't need to upgrade the version of Seata for security reasons.

Seata currently contains 82 modules. The following is the dependency analysis of Seata modules on log4j2.

mvn cmd：

mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j

seata-console transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue.In addition,'seata-console' is a newly added module that has not yet been released.

 [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-console ---
 [INFO] io.seata:seata-console:jar:1.5.0-SNAPSHOT
 [INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
 [INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
 [INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
 [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
 [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

• seata-server transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue.

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-server ---
  [INFO] io.seata:seata-server:jar:1.5.0-SNAPSHOT
  [INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
  [INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
  [INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
  [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
  [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

• seata-distribution 通过 spring-boot web 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-distribution ---
  [INFO] io.seata:seata-distribution:pom:1.5.0-SNAPSHOT
  [INFO] \- io.seata:seata-server:jar:1.5.0-SNAPSHOT:compile
  [INFO]    \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
  [INFO]       \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
  [INFO]          \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
  [INFO]             \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
  [INFO]                \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
  [INFO]           \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

• apm-seata-skywalking-plugin transfers log4j-api dependency through spring-boot web. log4j-api itself has no security issue.

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ apm-seata-skywalking-plugin ---
  [WARNING] Invalid POM for com.alibaba:druid:jar:1.2.6, transitive dependencies (if any) will not be available, enable debug logging for more details
  [WARNING] Invalid POM for com.alibaba:druid:jar:1.2.6, transitive dependencies (if any) will not be available, enable debug logging for more details
  [INFO] io.seata:apm-seata-skywalking-plugin:jar:1.5.0-SNAPSHOT
  [INFO] \- io.seata:seata-server:jar:1.5.0-SNAPSHOT:provided
  [INFO]    \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:provided
  [INFO]       \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:provided
  [INFO]          \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:provided
  [INFO]             \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:provided
  [INFO]                \- org.apache.logging.log4j:log4j-api:jar:2.13.3:provided

  In addition to the modules shown above, other modules don't depend on org.apache.logging.log4j. Meanwhile, we have analyzed seata-samples and found no dependency on log4j-core, so the security vulnerability does not affect seata-samples. Finally, the Seata community urges people not to exploit security vulnerabilities, to report undiscovered security vulnerabilities, and not to discuss them publicly.

  CVE-2021-44228 漏洞说明

  最近，主流日志组件 log4j2 爆出安全漏洞 CVE-2021-44228。

  以下是漏洞 CVE-2021-44228 对 Seata 的影响说明。

  Seata 影响范围

  CVE-2021-44228 该漏洞并未对 Seata 造成安全影响。

  Seata 的项目中并未直接或间接依赖 log4j-core, 所以你不需要因为安全性问题而升级Seata的版本。

  Seata 共包含82个模块。以下是 Seata 模块对 log4j2 的依赖分析：

  mvn 命令：

  mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j

• seata-console 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题。另外，seata-console 是一个最新添加尚未发布的模块。

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-console ---
  [INFO] io.seata:seata-console:jar:1.5.0-SNAPSHOT
  [INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
  [INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
  [INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
  [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
  [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
  

• seata-server 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-server ---
  [INFO] io.seata:seata-server:jar:1.5.0-SNAPSHOT
  [INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
  [INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
  [INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
  [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
  [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

• seata-distribution 通过 spring-boot web 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-distribution ---
  [INFO] io.seata:seata-distribution:pom:1.5.0-SNAPSHOT
  [INFO] \- io.seata:seata-server:jar:1.5.0-SNAPSHOT:compile
  [INFO]    \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
  [INFO]       \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
  [INFO]          \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
  [INFO]             \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
  [INFO]                \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
  [INFO]           \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

• apm-seata-skywalking-plugin transfers log4j-api dependency through spring-boot web. log4j-api itself has no security issue.

  [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ apm-seata-skywalking-plugin ---
  [WARNING] Invalid POM for com.alibaba:druid:jar:1.2.6, transitive dependencies (if any) will not be available, enable debug logging for more details
  [WARNING] Invalid POM for com.alibaba:druid:jar:1.2.6, transitive dependencies (if any) will not be available, enable debug logging for more details
  [INFO] io.seata:apm-seata-skywalking-plugin:jar:1.5.0-SNAPSHOT
  [INFO] \- io.seata:seata-server:jar:1.5.0-SNAPSHOT:provided
  [INFO]    \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:provided
  [INFO]       \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:provided
  [INFO]          \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:provided
  [INFO]             \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:provided
  [INFO]                \- org.apache.logging.log4j:log4j-api:jar:2.13.3:provided

  除了上述模块，其他模块也是没有依赖 org.apache.logging.log4j。 同时，我们对 seata-samples 进行了分析，未发现依赖 log4j-core，因此这个安全漏洞不影响 seata-samples. 最后，Seata 社区希望大家不要利用安全漏洞信息，及时上报未发现的安全漏洞，不要在公开场合讨论它们。

[carllhw]

依赖分析确实没有，但是docker镜像里有log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2
/seata-server # ls -l /seata-server/libs/ | grep log4j
-rw-r--r--    1 root     root        489884 Jan  1  1970 log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest
# ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root  489884 Jan  1  1970 log4j-1.2.17.jar
-rw-r--r-- 1 root root  292301 Jan  1  1970 log4j-api-2.13.3.jar
-rw-r--r-- 1 root root   17461 Jan  1  1970 log4j-to-slf4j-2.13.3.jar

[funky-eyes]

依赖分析确实没有，但是docker镜像里有log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2
/seata-server # ls -l /seata-server/libs/ | grep log4j
-rw-r--r--    1 root     root        489884 Jan  1  1970 log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest
# ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root  489884 Jan  1  1970 log4j-1.2.17.jar
-rw-r--r-- 1 root root  292301 Jan  1  1970 log4j-api-2.13.3.jar
-rw-r--r-- 1 root root   17461 Jan  1  1970 log4j-to-slf4j-2.13.3.jar

漏洞属于2不是1

[carllhw]

https://logging.apache.org/log4j/1.2/index.html

Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.

CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.

CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.

[funky-eyes]

https://logging.apache.org/log4j/1.2/index.html

Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.

CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.

CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.

CVE-2021-44228

[carllhw]

已提一个新的issue https://github.com/seata/seata/issues/4404

[sheng895]

存在高危的安全漏洞Apache Kafka Connect 远程代码执行漏洞 (CVE-2023-25194)