Significant security vulnerability discovered in Log4j

Nils Breunese nils at breun.nl
Sun Dec 12 12:36:34 UTC 2021 

Joshua Root <jmr at macports.org> wrote:

> On 2021-12-12 20:02 , Nils Breunese wrote:
>> It could be the case the MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.
> 
> Not all ports have installed file information available, but the web app can search the ones that do:
> 
> <https://ports.macports.org/search/?installed_file=log4j&q=>

I’ve locally installed those five ports and found two ports that come with vulnerable versions of Log4J 2.x:

1. apache-solr8 8.9.0_0 includes log4j-core-2.13.2.jar, which is a vulnerable version of Log4J 2.x

https://github.com/apache/solr/pull/454#issuecomment-991066278 says: "Just open your solr.in.sh in your favorite editor and add SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true". Restart Solr. Done, all safe.”

This could be added in /opt/local/share/java/solr-8.9.0/bin/solr.in.sh.

2. elasticsearch 7.15.2_0 includes log4j-core-2.11.1.jar, which is a vulnerable version of Log4J 2.x

https://github.com/elastic/elasticsearch/issues/81618 says: "This can be mitigated for the time being by adding -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS". I think I’d add -Dlog4j2.formatMsgNoLookups=true in /opt/local/etc/elasticsearch/jvm.options, or add ES_JAVA_OPTS="$ES_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true" at the end of /opt/local/bin/elasticsearch-env.

The other three ports (gradle, mvnd, NetBeans) do not include Log4J 2.x.

The vulnerability can generally be mitigated by setting the system property log4j2.formatMsgNoLookups to true (e.g. by passing -Dlog4j2.formatMsgNoLookups=true to a java startup command), or by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

For versions of Log4J 2.x older than these properties are not read yet. In that case you might want to delete the JndiLookup class from the log4j-core file:

	zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Nils.

More information about the macports-dev mailing list