rcenvironment / rce

Distributed, workflow-driven integration environment
https://rcenvironment.de/

rce affected by CVE-2021-44228 / Log4j bug? #37

Closed warnkenisd closed 2 years ago

warnkenisd commented 2 years ago

Hi, we are using rcenvironment / rce at iwes.uni-hannover.de. I just scanned the files of version 10.2.4 and found dependencies on log4j 1.10.3. E.g. in rce-10.2.4.202108191008-standard-win32.x86_64\rce\plugins\org.apache.ant_1.10.3.v20180417-1627\META-INF\maven\org.eclipse.orbit.bundles\org.apache.ant

Do you have any recommendations or updates? log4j version 1 is not affected by the bug but it is not recommended for use because of other security flaws (in German: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html )

Best regards, Stefan Warnken

rmischke-dlr commented 2 years ago

Hi, we did a first evaluation on Friday when the vulnerability was announced. So far, everything points to RCE not being affected, as we are not using a vulnerable log4j version. This is the same for all RCE releases ever made.

We are currently examining this in more detail to be as sure as possible about this before we make a public "not vulnerable" statement. This will probably be announced via mailing list and/or the website.

Regarding the scan result you mentioned: We are aware of this outdated library, but have already investigated this as a part of our standard dependency management process. During this review, we have found that all known CVEs in it are not exploitable as part of our application. This is due to the vulnerable code not being reachable by outside users, so it can not be used to gain unauthorized access.

Roadmap/release context: Before the log4j issue became known, we already updated some libraries as part of the current RCE 10.3.0 release. Coincidentally, we also scheduled a more wide-ranging library upgrade, probably for 10.4.0. In this, we are planning to upgrade or get rid of various non-critical older dependencies, which also involve some low-impact or non-exploitable CVEs like the one you pointed out. This is somewhat restricted by our need to stay backwards compatible with JRE 8, however, which in turn limits how far we can upgrade the underlying version of Eclipse/RCP, the platform which RCE is built on. All dependencies of that platform itself are hard to replace. We will drop the JRE 8 limitation in RCE 11.0.0, allowing us to finally upgrade those dependencies, too.

rmischke-dlr commented 2 years ago

For reference, these are the library upgrades included in RCE 10.3.0 (technically released on Dec 9, announcement delayed for unrelated reasons):

As you can see, Ant was upgraded to 1.10.12, which fixes all known CVEs.

warnkenisd commented 2 years ago

Thanks a lot! We'll upgrade our servers.

rmischke-dlr commented 2 years ago

Our internal examination is now complete, and as expected from the first check, no vulnerability to CVE-2021-44228 was found.

For reference: We have manually examined the current source repository (equal to the 10.3.0 release) for dependencies, and have also applied an up-to-date automated vulnerability scanner to the release builds of:

Before applying the scanner on RCE, we cross-validated the scanner by running it on log4j 2.14.1, which was detected correctly.
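The two steps discussed in this thread, scanning an installation tree for log4j jars (first comment) and cross-validating the scanner against a known-vulnerable log4j 2.14.1 before trusting a clean result (last comment), can be done with a short script. The following is an added example, not RCE's scanner and not code from this issue; the file layout, function names and the jar fixtures it builds for its self-check are assumptions. It flags a jar when the jar still contains `JndiLookup.class` and its manifest version lies in the range affected by CVE-2021-44228; log4j 1.x jars, which never shipped that class, are reported as not carrying it.

```python
"""Added example for this thread (not RCE's own scanner): walk an
installation tree, find log4j-core jars and classify them for CVE-2021-44228.

A jar is reported as vulnerable when it still ships
org/apache/logging/log4j/core/lookup/JndiLookup.class and its manifest
Implementation-Version lies in the affected range (2.0-beta9 to 2.14.1, with
the Java 6/7 backports 2.3.1 and 2.12.2 treated as fixed and 2.15.0 as
partially fixed). Nested jars inside wars/ears are not unpacked here.
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?")


def parse_manifest_version(manifest_text: str) -> Optional[str]:
    """Return the Implementation-Version header of a MANIFEST.MF, if any."""
    for line in manifest_text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_status(version: Optional[str]) -> str:
    """Classify a log4j-core version string with respect to CVE-2021-44228."""
    if version is None:
        return "unknown"
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    beta = int(m.group(4)) if m.group(4) else None
    if major != 2:
        return "not-log4j2"            # log4j 1.x has no JndiLookup at all
    if beta is not None:
        return "vulnerable" if beta >= 9 else "not-affected"
    if (minor == 3 and patch >= 1) or (minor == 12 and patch >= 2):
        return "fixed"                 # Java 6 / Java 7 backport releases
    if minor <= 14:
        return "vulnerable"
    if minor == 15:
        return "partially-fixed"       # 2.15.0 still needed the 2.16.0 follow-up
    return "fixed"


def scan_jar(path: str) -> Dict[str, Optional[str]]:
    """Inspect one jar: presence of JndiLookup.class plus manifest version."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = None
        if MANIFEST in names:
            version = parse_manifest_version(zf.read(MANIFEST).decode("utf-8", "replace"))
    # A jar without the lookup class cannot be reached by the JNDI lookup at all
    status = version_status(version) if has_jndi else "no-jndi-lookup"
    return {"path": path, "version": version, "status": status}


def scan_tree(root: str) -> List[Dict[str, Optional[str]]]:
    """Walk a directory tree and scan every *.jar; unreadable archives are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                try:
                    findings.append(scan_jar(os.path.join(dirpath, name)))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_jar(path: str, version: str, include_jndi_lookup: bool) -> str:
    """Constructed fixture (not a real log4j build): minimal jar with a manifest
    and, optionally, an empty JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    return path


def self_check() -> Dict[str, str]:
    """Cross-validate the scanner on constructed fixtures, as the thread did with
    log4j 2.14.1, and return {jar name: status}."""
    fixtures = {
        "log4j-core-2.14.1.jar": ("2.14.1", True),    # must be flagged
        "log4j-core-2.16.0.jar": ("2.16.0", True),
        "log4j-core-2.14.1-stripped.jar": ("2.14.1", False),  # class removed
        "log4j-1.2.17.jar": ("1.2.17", False),        # log4j 1.x, no lookup class
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (ver, jndi) in fixtures.items():
            build_sample_jar(os.path.join(d, name), ver, jndi)
        return {os.path.basename(f["path"]): f["status"] for f in scan_tree(d)}


if __name__ == "__main__":
    # Refuse to report a clean tree unless the known-vulnerable fixture is detected
    if self_check()["log4j-core-2.14.1.jar"] != "vulnerable":
        sys.exit("self-check failed: scanner did not flag log4j 2.14.1")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f['status']:16} {f['version'] or '?':10} {f['path']}")
```

Run it as `python scan_log4j.py /path/to/rce` (the file name is an assumption); the self-check aborts the run if the constructed 2.14.1 fixture is not flagged, which is the same guard the thread applied before trusting the automated scanner's "not vulnerable" result. Note that version-based classification is only as good as the manifest: a repackaged or shaded jar with no `Implementation-Version` is reported as `unknown` and should be inspected by hand.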