h-mdm / hmdm-server

Mobile Device Management System for Android: web control panel. Manage Android devices, install and update apps, get device info. See website for more features!
https://h-mdm.com
Apache License 2.0
271 stars, 124 forks

Log4j Vuln #94

Open ertugrulturan opened 5 months ago

ertugrulturan commented 5 months ago

Log4j 1.2 to 1.2.17 [image] https://logging.apache.org/log4j/1.x/ <- EOL + vulnerable version

TommyTran732 commented 1 month ago

@h-mdm Any chance you can take a look at https://reload4j.qos.ch/?

It should be a drop-in replacement for log4j 1.2.17, so you don't need to update the code base. The vuln is quite dangerous, so it would be great to just have this as a quick fix for now.
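For reference, this is what the drop-in swap suggested above looks like in a Maven build. It is an added example, not a fragment of the hmdm-server pom.xml: the artifact coordinates `ch.qos.reload4j:reload4j` are the real ones published by the reload4j project, the version `1.2.25` is assumed to be a current release (check Maven Central before copying), and `some.transitive:library` is a hypothetical placeholder for any dependency that drags in `log4j:log4j` transitively. reload4j keeps the `org.apache.log4j` package and API, so application code and `log4j.properties` stay unchanged; what it fixes are the log4j 1.2.17 advisories such as CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer).

```xml
<!-- Added example: swap log4j 1.2.17 for reload4j and make the build fail
     if the old artifact ever comes back through a transitive dependency.
     Coordinates for reload4j are real; version and placeholder names are assumptions. -->
<project>
  <dependencies>
    <!-- 1. The replacement. Same org.apache.log4j classes, so no code changes. -->
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
      <version>1.2.25</version> <!-- assumed current release; verify on Maven Central -->
    </dependency>

    <!-- 2. Exclude log4j:log4j wherever a third-party library pulls it in.
            "some.transitive:library" is a hypothetical example, not a real dependency. -->
    <dependency>
      <groupId>some.transitive</groupId>
      <artifactId>library</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- 3. Guard rail: fail the build if log4j:log4j reappears on the classpath. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-log4j-1x</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before and after the change, `mvn dependency:tree | grep -i log4j` is the quick check: the only logging artifact left should be `ch.qos.reload4j:reload4j`, and the enforcer execution turns that one-off check into a permanent build failure if a future dependency bump reintroduces log4j 1.x.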

h-mdm commented 1 month ago

I have implemented an exploit of CVE-2021-44228 mentioned in https://www.lunasec.io/docs/blog/log4j-zero-day/, and it didn't work. The line ${jndi:ldap://127.0.0.1/a} is logged as it is, no attempt to remote access by JNDI is done. So I believe the vulnerability CVE-2021-44228 is not applicable for Headwind MDM (probably because only text loggers are used).

TommyTran732 commented 1 month ago

I still think it is pretty bad to keep using this old version though. It is not the only known CVE for it. I don't see any harm in bumping to reload4j. The MDM is security-critical, so I'd prefer if there's no known vulnerable dependencies.

TommyTran732 commented 1 month ago

I'd like to add that I scanned the dependencies and there are a lot of known vulnerabilities as well. Some are several years old. Log4j is just the most iffy one.

h-mdm commented 1 month ago

Thank you for the info, will work on that.