Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk log4j version 1.2
chainsaw vulnerability - limited exposure in EGI - CVE-2022-23307
[EGI-SVG-CVE-2022-23307]
Date: 2022-01-28
Updated: 2022-02-02, 2022-02-08
Affected software and risk
==========================
'CRITICAL' risk vulnerability concerning the chainsaw component in log4j 1.2
Package : log4j 1.2
CVE ID : CVE-2022-23307
A critical vulnerability has been announced in the chainsaw component of
log4j 1.2 [R 1], [R 2]. It is a deserialization flaw: if the chainsaw
component is used to ingest logs, crafted log data can be used to execute
code on the host running chainsaw.
This old version (out of support since 2015) is used on the PerfSonar nodes,
but the EGI SVG is not aware of any usage of the chainsaw component in EGI
to ingest logs.
**UPDATE 2022-02-02**
More information/corrections concerning PerfSonar, dCache, and RedHat
Actions required/recommended
============================
Any site using log4j 1.2 is recommended to either update to a recent
non-vulnerable version of log4j or to disable the chainsaw component.
Component installation information
==================================
No patch is available for log4j 1.2, which has been out of support since
2015 [R 1].
Sites may upgrade to the most recent version of log4j where this is possible.
Mitigation
==========
**UPDATE 2022-02-02**
Chainsaw should not be used to view logs.
Where the log4j jar from apache is installed, the chainsaw classes may be
removed from it using
zip -q -d log4j-*.jar org/apache/log4j/chainsaw/* [R 4]
For PerfSonar, where log4j is part of the cassandra distribution:--
Where chainsaw is installed but not used apply the mitigation [R 3]
zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*
systemctl restart cassandra
A new esmond RPM (4.4.2-2) has been uploaded that should do the equivalent of
this command in [R 3]. Sites running auto-updates should get the change shortly,
otherwise a “yum update esmond” will get the new package.
For dCache:--
The dCache team has already contacted sites.
dCache admins have the following options:
- if they run embedded zookeeper: just ignore the advisory
- if they use dcache.org provided zookeeper rpm - update rpms
- if they use tarball packages from apache either apply fix manually
or switch to rpms provided by dCache
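The mitigation above removes the chainsaw classes with zip -d and restarts the service, but it leaves the site to confirm that no log4j 1.x jar on the host still carries them. The following script is an added example, not part of this advisory nor of the PerfSonar, esmond or dCache packages: it walks a directory tree for log4j*.jar files, reports which ones still contain entries under org/apache/log4j/chainsaw/, and optionally rewrites the jar without those entries (the same effect as the zip -q -d command, for hosts without the zip tool). The sample jar it builds is constructed for the demonstration and contains placeholder bytes rather than real class files; the /usr/share/cassandra/lib path in the usage comment is taken from the advisory, and any service holding the jar open still has to be restarted afterwards.

```python
"""Added example (not from the EGI SVG advisory): audit and strip the
org/apache/log4j/chainsaw/ classes that CVE-2022-23307 concerns from
log4j 1.x jars. Equivalent of the advisory's
`zip -q -d log4j-*.jar org/apache/log4j/chainsaw/*` plus a verification step.
Usage on a real host (paths from the advisory, run as root):
    audit("/usr/share/cassandra/lib", fix=True)   # then: systemctl restart cassandra
"""
import glob
import os
import shutil
import tempfile
import zipfile

CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def find_log4j_jars(root):
    """Return every log4j*.jar below root (same glob the advisory uses)."""
    return sorted(glob.glob(os.path.join(root, "**", "log4j*.jar"), recursive=True))


def jar_entries(jar_path):
    """All entry names in the jar, in archive order."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.namelist()


def chainsaw_entries(jar_path):
    """Entries under org/apache/log4j/chainsaw/; an empty list means mitigated."""
    return [n for n in jar_entries(jar_path) if n.startswith(CHAINSAW_PREFIX)]


def strip_chainsaw(jar_path):
    """Rewrite the jar without chainsaw entries, keeping all other entries and
    their metadata. Writes to a temp file and swaps it in with os.replace so
    an interrupted run leaves the original jar untouched. Returns the number
    of entries removed."""
    removed = 0
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename.startswith(CHAINSAW_PREFIX):
                removed += 1
                continue
            # Passing the ZipInfo keeps compression type and timestamp of the entry.
            dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)  # preserve permissions of the original jar
    os.replace(tmp_path, jar_path)
    return removed


def audit(root, fix=False):
    """Map jar path -> number of chainsaw entries remaining after this run.
    With fix=True, jars that still carry chainsaw classes are stripped first."""
    report = {}
    for jar in find_log4j_jars(root):
        if fix and chainsaw_entries(jar):
            strip_chainsaw(jar)
        report[jar] = len(chainsaw_entries(jar))
    return report


def make_sample_tree():
    """Constructed demo input: a temp tree holding one log4j-1.2-style jar with
    two chainsaw classes plus unrelated entries. Returns (root, jar_path)."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jar_path = os.path.join(lib, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        jar.writestr("org/apache/log4j/chainsaw/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/log4j/chainsaw/LoggingReceiver.class", b"\xca\xfe\xba\xbe")
    return root, jar_path


if __name__ == "__main__":
    demo_root, _ = make_sample_tree()
    print("before:", audit(demo_root))
    print("after: ", audit(demo_root, fix=True))
```

A non-zero count after audit(..., fix=True) means the jar could not be rewritten (for example a read-only filesystem) and the zip -q -d command from the advisory, or the esmond RPM for PerfSonar, should be applied instead.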
More information
================
From [R 1] the extent to which this vulnerability is likely to be a problem
for EGI is limited, but the EGI SVG cannot rule out other uses.
One Site has tested disabling chainsaw on a PerfSonar node and no problems
were found.
**UPDATE 2022-02-02**
More information concerning RedHat is available at [R 4]
EGI SVG is not aware of any site actually using chainsaw, but as a precaution
sites where log4j-1* is installed should disable chainsaw.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-23307
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 99].
Note that this is undergoing revision.
References
==========
[R 1] https://logging.apache.org/log4j/1.2/
[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307
[R 3] https://lists.internet2.edu/sympa/arc/perfsonar-user/2022-01/msg00019.html
[R 4] https://access.redhat.com/security/cve/CVE-2022-23307
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by David Crooks
Timeline
========
Yyyy-mm-dd [EGI-SVG-2022-CVE-2022-23307]
2022-01-24 SVG alerted to this issue by David Crooks
2022-01-24 Acknowledgement from the EGI SVG to the reporter
2022-01-24 Investigation of vulnerability and relevance to EGI carried out, including testing that the mitigation
2022-01-26 EGI SVG Risk Assessment completed
2022-01-28 Advisory sent to sites
2022-02-02 Advisory updated
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,