From: Juri L. <ju...@ex...> - 2021-12-17 14:21:54
This also applies to the recently released versions of eXist-DB (5.3.1 and 4.8.0). It is good advice to do one of the following:

*1. Upgrade to log4j 2.16.0*

- navigate to the exist home directory of your instance
- remove all files whose names match log4j-*.jar in the lib directory (5 in total):

      rm lib/log4j-*.jar

- replace them with their version 2.16.0 equivalent. You can download them one by one:

      https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.16.0/log4j-jul-2.16.0.jar
      https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jcl/2.16.0/log4j-jcl-2.16.0.jar
      https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar
      https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar
      https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.16.0/log4j-slf4j-impl-2.16.0.jar

  Or bundled: https://logging.apache.org/log4j/2.x/download.html

- adjust <version> and <relativePath> for those 5 dependencies in etc/client.xml, etc/startup.xml and etc/launcher.xml. Here is an example:

      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.16.0</version>
        <relativePath>log4j-api-2.16.0.jar</relativePath>
      </dependency>

- restart existdb

Or

*2. Remove the JNDI lookup class*

- Navigate to your exist home folder
- run

      zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

- restart your existdb instance

Sources:
JNDI Localhost bypass
https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered

Stay safe,
Juri
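A way to verify that either option above was actually applied, written as an added example (not code from the post, the eXist-DB project or log4j): it audits an eXist lib/ directory for the version in each log4j jar file name and for whether JndiLookup.class is still inside log4j-core, applies the class removal of option 2 in pure Python, and cross-checks the <dependency> entries of an etc/*.xml file against the jars that are really present. It assumes the jar naming used by the Maven URLs above (log4j-<artifact>-<version>.jar) and the groupId/artifactId/version/relativePath layout shown in the post; the sample lib/ directory, its jar contents and the sample XML are constructed for the demo and are not real eXist files.

```python
"""Added example (not from the post or eXist-DB): audit an eXist lib/ directory
for the log4j states described above and check an etc/*.xml file against it."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Class removed by mitigation 2 (path exactly as in the post's zip -d command).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed jar naming, as in the Maven URLs above: log4j-<artifact>-<version>.jar
JAR_RE = re.compile(r"^(log4j-.+)-(\d+\.\d+\.\d+)\.jar$")
LOG4J_GROUP = "org.apache.logging.log4j"


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def audit_lib(lib_dir, minimum="2.16.0"):
    """Map artifact -> version, whether it is below `minimum`, and (for
    log4j-core only) whether JndiLookup.class is still inside the jar."""
    found = {}
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.groups()
        entry = {"version": version,
                 "outdated": parse_version(version) < parse_version(minimum),
                 "jndi_lookup": None}
        if artifact == "log4j-core":
            with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
                entry["jndi_lookup"] = JNDI_LOOKUP in jar.namelist()
        found[artifact] = entry
    return found


def strip_jndi_lookup(jar_path):
    """Pure-Python equivalent of the post's `zip -q -d <jar> .../JndiLookup.class`:
    rewrite the jar with every entry except that class."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)


def check_config(xml_text, audit):
    """Compare each log4j <dependency> (layout shown in the post) with the
    jars found by audit_lib; return a list of human-readable mismatches."""
    problems = []
    for dep in ET.fromstring(xml_text).iter("dependency"):
        if dep.findtext("groupId") != LOG4J_GROUP:
            continue
        artifact = dep.findtext("artifactId")
        version = dep.findtext("version")
        rel = dep.findtext("relativePath")
        jar = audit.get(artifact)
        if jar is None:
            problems.append(f"{artifact}: declared in config but no jar in lib")
        elif jar["version"] != version:
            problems.append(f"{artifact}: config says {version}, lib has {jar['version']}")
        if rel != f"{artifact}-{version}.jar":
            problems.append(f"{artifact}: relativePath {rel!r} does not match {version}")
    return problems


def dependency_xml(artifact, version):
    return (f"<dependency><groupId>{LOG4J_GROUP}</groupId>"
            f"<artifactId>{artifact}</artifactId><version>{version}</version>"
            f"<relativePath>{artifact}-{version}.jar</relativePath></dependency>")


# Constructed stand-in for etc/startup.xml, already edited to 2.16.0 (step 1).
SAMPLE_XML = "<startup><dependencies>" + "".join(
    dependency_xml(a, "2.16.0") for a in ("log4j-api", "log4j-core", "log4j-jul")
) + "</dependencies></startup>"


def build_sample_lib(root):
    """Constructed stand-in for an unpatched lib/: the core jar still carries
    JndiLookup.class. Entry contents are placeholders, not real bytecode."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr(JNDI_LOOKUP, b"placeholder")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.14.1.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/LogManager.class", b"placeholder")
    return lib


def run_demo():
    """Audit before and after mitigation 2, then check the edited sample
    config against the jars that are actually on disk."""
    with tempfile.TemporaryDirectory() as root:
        lib = build_sample_lib(root)
        before = audit_lib(lib)
        strip_jndi_lookup(os.path.join(lib, "log4j-core-2.14.1.jar"))
        after = audit_lib(lib)
        problems = check_config(SAMPLE_XML, after)
    return before, after, problems


if __name__ == "__main__":
    before, after, problems = run_demo()
    print("before:", before)
    print("after mitigation 2:", after)
    for p in problems:
        print("config mismatch:", p)
```

The demo shows the two checks pulling in different directions: after the class removal the core jar reports jndi_lookup False but stays outdated, and a config already edited to 2.16.0 while the old jars are still in lib/ produces one mismatch per dependency, which is exactly the state that would stop eXist from finding the jars named in <relativePath>.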