mediathekview / MediathekView

The MediathekView program searches the online media libraries (Mediatheken) of various broadcasters
https://mediathekview.de
GNU General Public License v3.0

CVE-2021-44228 (log4j) #632

Closed thomasmerz closed 2 years ago

thomasmerz commented 2 years ago

Hi there, due to CVE-2021-44228 regarding log4j I did the following scan and found your /opt/MediathekView/MediathekView.jar file that might be vulnerable to this CVE:

#!/usr/bin/sudo /bin/bash

# Scan every locally mounted btrfs/ext4/xfs filesystem for JAR/WAR archives
# that still contain log4j's JndiLookup class (CVE-2021-44228).
for fs in $(mount | grep -E "btrfs|ext4|xfs" | awk '{print $3}'); do
  echo "$fs:"
  # -xdev keeps find on this filesystem (remote mounts are skipped on purpose)
  find "$fs/" -xdev \( -iname "*.jar" -or -iname "*.war" \) | while read -r line; do
    # zip -sf lists the archive entries; grep -q exits 0 when the class is present
    if zip -sf "${line}" | grep -q "org/apache/logging/log4j/core/lookup/JndiLookup.class"; then
       echo "${line}" | tee -a /var/log/CVE-2021-44228.log
    fi
  done
done

I'm using the latest release from August 2021:

$ zypper se -s -i mediathek
Loading repository data...
Reading installed packages...

S  | Name          | Type    | Version  | Arch | Repository
---+---------------+---------+----------+------+------------------
i+ | MediathekView | package | 13.8.0-1 | i386 | (System Packages)

Please check and advise or fix if there's a security problem.

derreisende77 commented 2 years ago

We released an update yesterday which fixes the CVE and is currently being deployed to all OS

thomasmerz commented 2 years ago

Thanks, very great! 👍🏻 But did you already note https://github.com/mediathekview/MediathekView/issues/583, too? 🤔

stefan123t commented 2 years ago

@thomasmerz did you also check JARs packaged within EARs, WARs or other JARs?

thomasmerz commented 2 years ago

@stefan123t, as written above I only searched on "btrfs|ext4|xfs" filesystems and only file-name "*.jar" -or -iname "*.war" - no "*.ear" files.

But why are you asking, because there are no EAR or WAR files?

🦎🖥  thomas@merz-nimbus:/opt/MediathekView [0/7675]
16:28 $ find . -iname "*.jar" -or -iname "*.ear" -or -iname "*.war"
./.install4j/user/flatlaf.jar
./.install4j/i4jruntime.jar
./.install4j/launcher15a55f7.jar
./.install4j/launcher97faf575.jar
./.install4j/launcher9ad06d59.jar
./.install4j/user.jar
./jre/lib/jrt-fs.jar
./MediathekView.jar

stefan123t commented 2 years ago

@thomasmerz thanks for explaining and clarifying. Keep up the good work. I was not aware whether MediathekView[Web] may package some parts as WAR/EAR files, e.g. for deployment of the server parts. Just wanted to raise attention that the command you used would not do recursive / deep inspection. Kind regards, Stefan

thomasmerz commented 2 years ago

@stefan123t, if you mean by "not doing recursive inspections" that this does not check WAR files correctly, then you are absolutely right. But MediathekView doesn't use any WAR files, but only JAR files 👍🏻
And my command sample does check for all local btrfs/ext4/xfs (please modify for your own setup/linux machine!) filesystems and finds all JAR and EAR files on the same filesystems. I xdeved other filesystems due to some remote-mounts that only contain personal data and nothing related to java or other binaries/apps.
Just for clarification 😉
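The shell scan in this thread only lists the top-level entries of each JAR/WAR, which is the "deep inspection" gap stefan123t pointed out. The following scanner is an added example, not code from this issue or from the MediathekView project: it opens archives from memory and recurses into JARs nested inside WARs/EARs/JARs. The EAR/WAR/JAR layout it builds in `demo()` is constructed sample data, and `MAX_DEPTH` is an assumed recursion bound.

```python
import io
import sys
import zipfile

# Entry whose presence marks a log4j-core build that still ships the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")  # archive types worth descending into
MAX_DEPTH = 5  # assumed bound so a self-nesting or hostile archive cannot recurse forever


def find_jndi_lookup(data, name="<root>", depth=0):
    """Return every path (outer!inner!...) at which JndiLookup.class occurs."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container (e.g. a bare .class or text file)
    with zf:
        for entry in zf.namelist():
            if entry == JNDI_CLASS:
                hits.append(f"{name}!{entry}")
            elif entry.lower().endswith(NESTED) and depth < MAX_DEPTH:
                # Nested archive: read its bytes and scan it the same way.
                hits += find_jndi_lookup(zf.read(entry), f"{name}!{entry}", depth + 1)
    return hits


def scan_file(path):
    """Scan one on-disk archive, e.g. /opt/MediathekView/MediathekView.jar."""
    with open(path, "rb") as fh:
        return find_jndi_lookup(fh.read(), path)


def build_zip(entries):
    """Constructed helper: build an in-memory zip from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def demo():
    """Constructed sample: log4j-core.jar buried two archives deep inside app.ear."""
    core = build_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    war = build_zip({"WEB-INF/lib/log4j-core.jar": core, "index.html": b"<html/>"})
    ear = build_zip({"app.war": war, "lib/other.jar": build_zip({"a/B.class": b""})})
    return find_jndi_lookup(ear, "app.ear")


if __name__ == "__main__":  # usage: python scan.py /opt/MediathekView/MediathekView.jar ...
    for path in sys.argv[1:]:
        print("\n".join(scan_file(path)) or f"{path}: no JndiLookup.class found")
```

A hit reported for a nested path means the outer archive has to be rebuilt or updated, not just the inner JAR replaced on disk.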