
#400 0-day security issue in DavMail via Log4j

Milestone: v6.0.1
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-12-22
Created: 2021-12-10
Private: No

Hello,

there is a serious security issue in the Java module Log4j, which seems to be used in DavMail:
https://logging.apache.org/log4j/2.x/security.html
Apparently, one can trick the module to download and execute malicious software.

DavMail seems to use the module, at least I find a log4j-1.2.16.jar in the libs subdirectory. The security bulletin mentions upgrading to the current version 2.15.0, but version 1.x is long out of support and they didn't even check whether this security hole is in it or not.

Can we simply remove the log4j-1.2.16.jar and copy the current version in its place?

Would it help to disable logging as a workaround?

Sincerely
Markus

Discussion

  • Joern Koerner

    Joern Koerner - 2021-12-13

    Here is a link for the migration guide Log4j v1 -> v2
    https://logging.apache.org/log4j/2.x/manual/migration.html

    Another workaround / HotFix:
    For users that can’t upgrade, another option is to set the log4j2.formatMsgNoLookups system property to true. For example, you can start your app using java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar.


    Last edit: Joern Koerner 2021-12-13
  • Markus Borst

    Markus Borst - 2021-12-15

    Hi,

    I tried to replace Log4j v1 with current v2 following the instructions in the link you gave:
    https://logging.apache.org/log4j/2.x/manual/migration.html

    Unfortunately, this does not work: According to the website, log4j-1.2-api.jar does not support "certain methods and classes internal to the Log4j 1.x implementation, such as Appenders ..."

    Unfortunately, davmail seems to use the FileAppender and it's hardcoded in the source: https://github.com/mguessan/davmail/blob/master/src/java/davmail/Settings.java#L302

    DavMail uses the framework SLF4J (http://www.slf4j.org), so in theory we could switch out log4j v1 with log4j v2, but unfortunately this new class also does not support "Appenders" from log4j v1.

    The only solution would be to change the source code to not use Appenders anymore and/or to use log4j v2 directly.

    Please do not leave log4j v1 in the distribution. While it does not have the same security issue as v2 had, it has a very similar one, which will never be fixed, since v1 has been out of support since August 2015 (https://access.redhat.com/security/cve/CVE-2021-4104)! There might be other, yet unknown, security issues in v1.2 which will never be fixed.

    Please, change DavMail to use a current and supported logging framework.

    Greetings
    Markus Borst

  • Markus Borst

    Markus Borst - 2021-12-20

    Hi,

    I haven't heard anything from you for a full week. Please treat this as a serious security issue: DavMail uses an outdated class with at least one major security hole.

    In our installation I'm being pressured to get rid of DavMail as a whole, which would leave some of our users without access to calendars. I'm guessing similar discussions happen in other institutions using DavMail.

    Could you at least acknowledge the problem and give an estimate when the outdated log4j class will be replaced?

    Greetings
    Markus Borst

  • Mickael Guessant

    Ok so first DavMail is not vulnerable to Log4Shell as it depends on Log4J 1.
    Log4J 1 and Log4J 2 are completely different projects and do not share the same codebase.
    In addition, given the fundamental design flaws revealed in Log4J 2, I will definitely not migrate DavMail code to it.

    On the Log4J1 side, DavMail is not vulnerable to CVE-2019-17571 and CVE-2021-4104 as the impacted classes are not used by DavMail.
    However, as an additional security measure, I added a step in the packaging process to remove JMSAppender, SMTPAppender and SocketServer from released binaries.
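The packaging change described above is something an administrator can verify on an installed copy rather than take on trust. The script below is an added example, not DavMail's code and not posted by anyone in this thread: it walks a lib directory, tells Log4j jars apart from the rest by their package prefix, reads the Implementation-Version from the jar manifest, and reports which of the classes behind the issues discussed here are still inside. The class paths are the stock Log4j ones (org/apache/log4j/net/JMSAppender, SocketServer and SMTPAppender for 1.x; org/apache/logging/log4j/core/lookup/JndiLookup for the 2.x Log4Shell lookup, CVE-2021-44228). The jars it scans in demo() are constructed fixtures, not real DavMail releases, so the whole thing runs offline; point it at a real lib directory by passing the path as the first argument.

```python
"""
Added example (not DavMail code and not from the thread): scan a lib
directory for Log4j jars and report which of the classes behind the issues
discussed in the ticket are still present.  Class paths are the stock
Log4j ones; the sample jars built by demo() are constructed fixtures.
"""
import os
import sys
import tempfile
import zipfile

# Jar entries worth flagging.  Log4j 1.x: SocketServer (CVE-2019-17571) and
# JMSAppender (CVE-2021-4104) are the classes named in those advisories;
# SMTPAppender is listed because the maintainer says packaging strips it too.
# Log4j 2.x: JndiLookup is the class behind the Log4Shell lookup (CVE-2021-44228).
WATCHED_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender (Log4j 1.x, CVE-2021-4104)",
    "org/apache/log4j/net/SocketServer.class": "SocketServer (Log4j 1.x, CVE-2019-17571)",
    "org/apache/log4j/net/SMTPAppender.class": "SMTPAppender (Log4j 1.x)",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "JndiLookup (Log4j 2.x, CVE-2021-44228)",
}

# Package prefixes of Log4j 1.x and Log4j 2.x respectively.
LOG4J_PACKAGES = ("org/apache/log4j/", "org/apache/logging/log4j/")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jar(path):
    """Inspect one jar: is it Log4j, which version, which watched classes remain."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    is_log4j = any(n.startswith(LOG4J_PACKAGES) for n in names)
    findings = [desc for entry, desc in WATCHED_CLASSES.items() if entry in names]
    return {"path": path, "log4j": is_log4j, "version": version, "findings": findings}


def scan_dir(libdir):
    """Scan every *.jar in libdir (for DavMail, its lib directory)."""
    jars = sorted(f for f in os.listdir(libdir) if f.endswith(".jar"))
    return [scan_jar(os.path.join(libdir, f)) for f in jars]


def build_sample_jar(path, version, entries):
    """Constructed fixture: a minimal jar with a manifest and empty class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Build three constructed jars in a temp dir, scan them, return the results."""
    libdir = tempfile.mkdtemp(prefix="davmail-lib-")
    core = ["org/apache/log4j/Logger.class", "org/apache/log4j/FileAppender.class"]
    stripped = ["org/apache/log4j/net/JMSAppender.class",
                "org/apache/log4j/net/SMTPAppender.class",
                "org/apache/log4j/net/SocketServer.class"]
    # Stock 1.2.16 jar as shipped before the packaging change (constructed).
    build_sample_jar(os.path.join(libdir, "stock-log4j-1.2.16.jar"), "1.2.16", core + stripped)
    # The same jar with the three classes removed, as the maintainer describes (constructed).
    build_sample_jar(os.path.join(libdir, "stripped-log4j-1.2.16.jar"), "1.2.16", core)
    # An unrelated jar that must not be reported as Log4j (constructed).
    build_sample_jar(os.path.join(libdir, "davmail.jar"), "6.0.1", ["davmail/Settings.class"])
    return scan_dir(libdir)


def report(results):
    """Print one line per jar plus one line per watched class still present."""
    for r in results:
        tag = f"log4j {r['version'] or '?'}" if r["log4j"] else "not log4j"
        print(f"{os.path.basename(r['path'])}: {tag}")
        for f in r["findings"]:
            print(f"  still present: {f}")


if __name__ == "__main__":
    report(scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A jar that scans as Log4j 1.x with no findings matches what the maintainer says the packaging step now produces; a jar that still lists JMSAppender or SocketServer is a pre-change build and the class-removal has not reached that installation. The manifest version is informational only: the absence of the watched classes, not the version string, is what the check decides on, since 1.2.16 is the version either way.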
