Most Popular
Recently Added
Recently Updated

Log4J Vulnerability

CVE-2021-44228
The vulnerability CVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2.0.1 through 2.14.1 that can be exploited over the network without authentication. Due to the severity of this vulnerability and the publication of exploit code on various sites, JumpMind strongly recommends applying updates or mitigations as soon as possible

CVE-2021-45046
The vulnerability CVE-2021-45046 is a denial of service (DoS) vulnerability in Apache Log4j 2.0.1 through 2.15.0 that can be exploited if the attacker can input into the logging context. Exposure to this vulnerability is limited to authorized users of SymmetricDS who have privilege to add new node groups and nodes.

CVE-2021-45105
The vulnerability CVE-2021-45105 is a denial of service (DoS) vulnerability in Apache Log4j 2.0.1 through 2.16.0 that can be exploited if the attacker can input into the logging context. Exposure to this vulnerability is limited to authorized users of SymmetricDS who have privilege to add new node groups and nodes.

CVE-2021-44832
The vulnerability CVE-2021-44832 is a remote code execution (RCE) vulnerability in Apache Log4j 2.0.1 through 2.17.0 that can be exploited if the attacker has permission to modify the log4j2.xml file to use a JDBC Appender. Exposure to this vulnerability is limited to users who can modify the SymmetricDS installation.

Affected Versions

The following SymmetricDS releases are affected by CVE-2021-44228 and have a fixed version available that includes Log4j 2.15.0:

Product Vulnerable Version Fixed Version
SymmetricDS 3.12.0 - 3.12.12 3.12.13
SymmetricDS 3.13.0 3.13.1

The following SymmetricDS releases are affected by CVE-2021-45046 and CVE-2021-45105, and they have a fixed version available that includes Log4j 2.17.0:

Product Vulnerable Version Fixed Version
SymmetricDS 3.12.0 - 3.12.13 3.12.14
SymmetricDS 3.13.0 - 3.13.1 3.13.2

The following SymmetricDS releases are affected by CVE-2021-44832 and have a fixed version that includes Log4j 2.17.1:

Product Vulnerable Version Fixed Version
SymmetricDS 3.12.0 - 3.12.14 3.12.15
SymmetricDS 3.13.0 - 3.13.2 3.13.3

Mitigation

If upgrading immediately is not an option, the vulnerable feature in Log4J can be disabled to prevent exploitation, using any of the following options:

  • Set the Java system property: log4j2.formatMsgNoLookups=true
  • Set the environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  • Remove the vulnerable class: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Mitigation with SymmetricDS Service

When running SymmetricDS as a Windows service or Unix daemon, the vulnerable Log4J feature can be disabled by adding the following line to the conf/sym_service.conf file.

wrapper.java.additional=-Dlog4j2.formatMsgNoLookups=true

Mitigation with Apache Tomcat

When running SymmetricDS as a web application in Apache Tomcat, the vulnerable Log4J feature can be disabled by modifying the setenv.bat (Windows) or setenv.sh (Unix) file:

export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true -Danothervariable=value"

Properties ID: 000049   Views: 1427   Updated: 3 years ago
Filed under: