I just checked our EJBCA installations for the remote code execution vulnerability CVE-2021-44228 that was discovered in the last days in log4j (v2.0 to 2.14.1).
It looks like EJBCA is still using version 1.2.17 of log4j, so it shouldn't be affected by this vulnerability. However, there is a known vulnerability in 1.2.17, too: CVE-2019-17571.
This shouldn't be an issue because the SocketAppender isn't used in EJBCA's default logging configuration (and we didn't modify the configuration). Can you confirm this?
And a last question: Are there any plans to update the log4j dependency in a future EJBCA release (log4j 1.x is EOL and CVE-2019-17571 won't be fixed)?
Thanks in advance.
Last edit: Frank Schierle 2021-12-13
EJBCA is not vulnerable to the older CVEs for Log4j 1.2 either. Not vulnerable due to the usage, but on top of that we have patched the log4j jar used in EJBCA, removing the vulnerable classes.
EJBCA (server) uses JBoss/WildFly, where the actual logging takes place. Log4j is an API, and RedHat JBoss/WildFly provides their own implementation of the Log4j API, which is also not vulnerable.
Regards,
Tomas
Hi Tomas,
great news! Thanks for your help!
Regards,
Frank
Hi!
What about JMSAppender.class? https://access.redhat.com/security/cve/CVE-2021-4104
Regards,
Alo
EJBCA is still not vulnerable.
We have anyhow removed that class from the jar used by EJBCA for the next release, just to easily prove it.
You can find the updated log4j here.
https://github.com/Keyfactor/ejbca-ce
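One way to verify the two claims made in this thread against your own deployment, namely that the net classes (SocketServer for CVE-2019-17571, JMSAppender for CVE-2021-4104, and the log4j 2 JndiLookup for CVE-2021-44228) are absent from the shipped jars, and that the logging configuration defines no SocketAppender or JMSAppender. This is an added example, not EJBCA's or Keyfactor's code; the directory layout, jar names and log4j.properties it scans are constructed for the demo, and a real run would point `scan_tree` at the application server's deployment directory and `risky_appenders` at the deployed log4j.properties.

```python
"""Audit a deployment for the log4j 1.2.x classes and appenders discussed
in the thread. Added example, not EJBCA or Keyfactor code. Assumes a
directory tree of .jar/.war/.ear files and a log4j.properties; every
path, archive and config line below is constructed for the demo."""
import io
import os
import re
import tempfile
import zipfile

# Class file entries tied to the CVEs named in the thread.
WATCHED_CLASSES = {
    "org/apache/log4j/net/SocketServer.class":
        "CVE-2019-17571: SocketServer deserialization (log4j 1.2)",
    "org/apache/log4j/net/JMSAppender.class":
        "CVE-2021-4104: JMSAppender JNDI (log4j 1.2)",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "CVE-2021-44228: JndiLookup (log4j 2.0-2.14.1)",
}

# Appender classes whose presence in log4j.properties is worth flagging.
RISKY_APPENDERS = {
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.net.JMSAppender",
}

# Matches appender definitions only: log4j.appender.NAME=fully.qualified.Class
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*([\w.$]+)\s*$", re.M)


def scan_archive(data: bytes, label: str) -> dict:
    """Return {location: note} for watched classes inside a zip-based
    archive, descending into nested jars (e.g. WEB-INF/lib inside a WAR)."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in WATCHED_CLASSES:
                hits[f"{label}!{name}"] = WATCHED_CLASSES[name]
            elif name.endswith((".jar", ".war")):
                hits.update(scan_archive(zf.read(name), f"{label}!{name}"))
    return hits


def scan_tree(root: str) -> dict:
    """Walk a directory and scan every jar/war/ear found below it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.update(scan_archive(fh.read(), os.path.relpath(path, root)))
    return findings


def risky_appenders(properties_text: str) -> dict:
    """Return {appender_name: class} for network appenders defined in a
    log4j 1.x properties file (defined, even if not attached to a logger)."""
    return {m.group(1): m.group(2)
            for m in APPENDER_RE.finditer(properties_text)
            if m.group(2) in RISKY_APPENDERS}


def build_demo_tree() -> str:
    """Create a constructed deployment: one unpatched 1.2.17-style jar, one
    'patched' jar with the net classes removed, and a WAR embedding a copy."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; real bytecode is irrelevant here
    unpatched = io.BytesIO()
    with zipfile.ZipFile(unpatched, "w") as zf:
        for entry in ("org/apache/log4j/Logger.class",
                      "org/apache/log4j/net/SocketServer.class",
                      "org/apache/log4j/net/JMSAppender.class"):
            zf.writestr(entry, stub)
    with open(os.path.join(lib, "log4j-1.2.17.jar"), "wb") as fh:
        fh.write(unpatched.getvalue())
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17-patched.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", stub)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-1.2.17.jar", unpatched.getvalue())
    return root


# Constructed log4j.properties: a file appender is attached to the root logger,
# a SocketAppender is defined but never attached; the audit still flags it.
DEMO_PROPERTIES = """
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=/var/log/ejbca.log
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=loghost.example
"""


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for location, note in sorted(scan_tree(demo_root).items()):
        print(f"{location}: {note}")
    print("network appenders defined:", risky_appenders(DEMO_PROPERTIES))
```

On the constructed tree the scan reports the two net classes in `lib/log4j-1.2.17.jar` and again inside `app.war!WEB-INF/lib/log4j-1.2.17.jar`, nothing for the patched jar, and one defined SocketAppender in the properties. A jar that really had the classes stripped, as Tomas describes, comes back clean from `scan_archive`, which is the quick proof the thread asks for; the config check is deliberately strict and reports a network appender as soon as it is defined, not only when a logger references it.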