EGI SVG Advisories

Advisory-SVG-CVE-2021-44228

Title:   EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - Log4j 
        RCE vulnerability CVE-2021-44228. [EGI-SVG-CVE-2021-44228]
        
Date:    2021-12-10
Updated: 2021-12-15, 2022-01-07

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Log4j

Package : log4j
CVE ID : CVE-2021-44228

A flaw was found in the Java logging library Apache Log4j 2 which could allow 
a remote attacker to execute code on the server if the system logs an attacker 
controlled string value. [R 1], [R 2]

Note that this is true for clients using log4j as well as services.

Some advisories from different providers are collected here [R 3].

This vulnerability is being actively exploited.

Exploits are available on the internet [R 4], [R 5], [R 6].


Affected Services
=================

We have checked the products in the EGI UMD and so far found none of them 
to be affected.  

In particular, to the best of our knowledge, the following services/software 
are NOT affected:  

- Argus 
- dCache 
- INDIGO IAM 
- StoRM WebDAV 
- VOMS-Admin 
- CREAM

The perfSONAR Lookup Service is affected and private instances should thus be 
patched ASAP [R 15]. Sites typically are using the global instance, though, 
which has already been patched.

Investigations are continuing as to the impact of this vulnerability 
on EGI and EOSC.

Actions required
================

At present we are still investigating which services are affected, and which 
actions sites would be required to take.

Sites are required to take mitigating action if they are aware that they are 
running the Java logging library Apache Log4j.

Sites should be reminded that if anyone becomes aware of any site or service 
where this (or any other vulnerability) has been exploited, the EGI CSIRT 
must be informed according to the procedure at [R 7].

Please inform EGI SVG if you become aware of any service in EGI which is 
vulnerable to this log4j vulnerability by e-mail to svg-rat at mailman.egi.eu

Affected services must at _least_ not be exposed to the internet.


Component installation information
==================================


Mitigation
==========

Limited and temporary mitigation might be available, see [R 8], [R 9] for details. 

Affected software details
=========================

Any java-based web service that uses log4j for its logging is potentially vulnerable. 
At this point we do not have a full list of services.

**UPDATE 2022-01-07** 

The fix in version 2.16 was also found to be incomplete.  

Those running Java 8 should update to Log4j 2.17.1.

Those running Java 7 should update to Log4j 2.12.4.

Those running Java 6 should update to Log4j 2.3.2.

See [R 2].

A general list of software which may be vulnerable is available at [R 11], [R 12].
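The update table above (2.17.1 for Java 8, 2.12.4 for Java 7, 2.3.2 for Java 6) is easy to apply by hand to one host, but sites usually need to inventory many hosts where log4j-core may be bundled several layers deep inside application archives. The following is an added example, not code from the EGI advisory or from the Log4j project: it walks a directory for jar/war/ear/zip files, recurses into nested archives, reads the log4j-core version from the jar's Maven `pom.properties`, checks whether the `JndiLookup` class is still present, and classifies each finding against the advisory's update table. Assumptions: Java 9 and later are treated like Java 8 (target 2.17.1); the sample archives built by `build_sample_jar` and `build_sample_war` are constructed fixtures, not real Log4j builds.

```python
"""Inventory log4j-core jars and classify them against the advisory's update table.

Added example (not part of the EGI SVG advisory). Assumes Java >= 8 uses the
2.17.1 line; Java 7 and 6 use 2.12.4 and 2.3.2 as stated in the advisory.
"""
import io
import re
import zipfile
from pathlib import Path

# Minimum fixed log4j-core release per Java major version (from the advisory).
FIXED_BY_JAVA = {8: (2, 17, 1), 7: (2, 12, 4), 6: (2, 3, 2)}
# Maven metadata every log4j-core jar carries; the class the JNDI lookup lives in.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric suffix ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def fixed_version_for(java_major):
    """Fixed release for this JVM. Assumption: Java 9+ follows the Java 8 line."""
    if java_major >= 8:
        return FIXED_BY_JAVA[8]
    if java_major in FIXED_BY_JAVA:
        return FIXED_BY_JAVA[java_major]
    raise ValueError(f"no fixed Log4j release known for Java {java_major}")


def assess(version, java_major):
    """Classify a log4j-core version tuple: fixed, update-required or not-log4j2."""
    if not version or version[0] != 2:
        return "not-log4j2"  # Log4j 1.x is outside the scope of CVE-2021-44228
    return "fixed" if version >= fixed_version_for(java_major) else "update-required"


def inspect_archive(data, java_major, name="<bytes>", findings=None):
    """Collect log4j-core findings from an archive and any archives nested in it."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1)) if m else ()
            status = assess(version, java_major)
            # A vulnerable version whose JndiLookup class was deleted has had the
            # temporary class-removal mitigation applied; still flag it separately.
            if status == "update-required" and JNDI_LOOKUP not in names:
                status = "mitigated-class-removed"
            findings.append({
                "archive": name,
                "version": ".".join(map(str, version)) if version else "unknown",
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "status": status,
            })
        for member in sorted(names):
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    inspect_archive(zf.read(member), java_major, f"{name}!{member}", findings)
                except zipfile.BadZipFile:
                    continue  # not a real archive, skip it
    return findings


def scan_directory(root, java_major):
    """Scan a directory tree for archives and return all log4j-core findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                inspect_archive(path.read_bytes(), java_major, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed fixture: a minimal zip shaped like a log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def build_sample_war(inner_jar, jar_name="WEB-INF/lib/log4j-core-2.14.1.jar"):
    """Constructed fixture: a web application archive bundling the given jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(jar_name, inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    fixtures = {
        "old.jar": build_sample_jar("2.14.1"),
        "app.war": build_sample_war(build_sample_jar("2.14.1")),
        "fixed.jar": build_sample_jar("2.17.1"),
    }
    for fname, blob in fixtures.items():
        for f in inspect_archive(blob, 8, fname):
            print(f"{f['archive']}: version {f['version']} -> {f['status']}")
```

In production you would call `scan_directory("/opt", 8)` (or the Java major version each host actually runs) and treat every `update-required` finding as an action item; `mitigated-class-removed` entries still need the proper version update once available, and nested archives are reported with `!` separating the outer and inner paths so the owning application can be identified.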

More information
================

See [R 1], [R 13], [R 14]

Updates will be made when more information is available, or any more specific 
actions are required within EGI. 

TLP and URL
===========

** WHITE information - Unlimited distribution
 - see https://go.egi.eu/tlp for
   distribution restrictions **
   
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2021-44228

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu.
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to report-vulnerability at egi.eu;
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

References
==========
[R 1] https://www.lunasec.io/docs/blog/log4j-zero-day/

[R 2] https://logging.apache.org/log4j/2.x/security.html

[R 3] https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

[R 4] https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6

[R 5] https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

[R 6] https://github.com/YfryTchsGD/Log4jAttackSurface

[R 7] https://confluence.egi.eu/display/EGIPP/SEC01+EGI+CSIRT+Security+Incident+Handling+Procedure

[R 8] https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation 

[R 9] https://access.redhat.com/security/cve/CVE-2021-44228

[R 10] https://www.cve.org/CVERecord?id=CVE-2021-45046

[R 11] https://github.com/NCSC-NL/log4shell/tree/main/software  

[R 12] https://github.com/YfryTchsGD/Log4jAttackSurface

[R 13] https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

[R 14] https://github.com/NorthwaveSecurity/log4jcheck

[R 15] https://github.com/esnet/simple-lookup-service/wiki/Apache-log4j-Remote-Code-Execution-vulnerability

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======
SVG was alerted to this vulnerability by Baptiste Grenier.

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2021-44228]

2021-12-10 Vulnerability reported by Baptiste Grenier
2021-12-10 Acknowledgement from the EGI SVG to the reporter
2021-12-10 EGI SVG Risk Assessment completed
2021-12-10 'HEADS UP' sent to sites
2021-12-16 Update sent to sites
2022-01-07 Further update sent to sites

Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------


On behalf of the EGI SVG,