Shinydocs Response to Apache Log4j Vulnerabilities
Purpose
This article identifies Apache Log4j vulnerabilities that may affect Shinydrive customers and the steps we recommend to mitigate the security risks. These vulnerabilities include:
CVE-2021-45105
CVE-2021-45046
CVE-2021-44228
CVE-2019-17571
Updates
May 10, 2023
After each deployment of sd-csws.war, we recommend manually removing the file log4j-1.2.14.jar, which is deployed to sd-csws\WEB-INF\lib in the Apache Tomcat webapps folder. Removing this file removes the vulnerability. It is not required for normal operation of Shinydrive Server.
Shinydocs removed the log4j-1.2.17.jar file from the shinydrive-server.war file. No action is required.
April 11, 2023
Shinydocs identified two dependency files as part of vulnerability CVE-2019-17571, in the Shinydrive 2.5.2 server. We recommend removing the following files:
log4j-1.2.14.jar
log4j-1.2.17.jar
January 6, 2022
Shinydocs is working on releasing updates for Shinydrive Server and Shinydocs Indexer that contain Log4J 2.17 (which resolves these vulnerabilities). Until those updates are released, please follow this guide to mitigate the vulnerability. We will update this page when the releases have been published. Thank you for your understanding.
sd-csws was previously listed as a component that was affected by the recent log4j vulnerabilities. sd-csws is not affected by these vulnerabilities.
December 21, 2021
Added a table view of the known vulnerabilities and the products using Log4j
Added CVE-2021-45105 to the list of vulnerabilities, though no Shinydocs products are affected
As these vulnerabilities have been discovered and documented, our recommendation to our customers is to remove JndiLookup.class from log4j-core-<version>.jar to mitigate against CVE-2021-45046 and CVE-2021-44228
CVE Vulnerabilities
The products impacted
Disclaimer
You may be susceptible if you have modified any Log4j logging settings within these applications.
✔ - This product is NOT affected by the vulnerability
⚠ - This product IS affected by the vulnerability
| CVE Vulnerability | Shinydrive Server | Shinydocs Indexer (Elasticsearch) | Shinydocs Visualizer (Kibana) | Recommended Action | Additional Notes |
|---|---|---|---|---|---|
| | ⚠ | ✔ | ✔ | Remove | Removing these dependencies should not affect the logging process on Shinydrive, as they were part of an older build of Shinydrive |
| | ⚠ | ⚠ | ✔ | Remove | |
| | ⚠ | ⚠ | ✔ | Remove | |
| | ✔ | ✔ | ✔ | No action is required. Note: If you have modified any of the listed product's Log4j settings (ex. Pattern Layout), you may be affected. Review your custom modifications to ensure you are not affected by this vulnerability. | This vulnerability only affects code that uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}). Shinydrive server does not use Context Lookups and is unaffected. Elastic has confirmed that Elasticsearch is also not affected by this vulnerability. For more details read the Elastic Security Announcement about Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31. |
Actioning the Vulnerabilities
CVE-2019-17571 (Apr 11, 2023)
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
Removing log4j-1.2.14.jar and log4j-1.2.17.jar from Shinydrive Server
Run Services.msc
Stop the Apache Tomcat services
Navigate to the webapps folder found in the Tomcat directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps)
From the webapps folder, continue to navigate to sd-csws\WEB-INF\lib
Locate and delete log4j-1.2.14.jar
Navigate back to the webapps folder
From the webapps folder, navigate to shinydrive-server\WEB-INF\lib
Locate and delete log4j-1.2.17.jar
Restart the Apache Tomcat services
CVE-2021-44228, CVE-2021-45046 (Dec 15, 2022)
A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted Shinydocs products.
Our recommendation is to remove the JndiLookup class from the log4j-core jar. There are many ways to perform this action, such as using 7-Zip or the command line. Please use whichever method is appropriate for your environment. The methods below use 7-Zip as the preferred tool.
Refer to Apache Log4j Security Vulnerabilities for more information.
Removing JndiLookup.class from Shinydrive Server
Run Services.msc
Locate and stop the Apache Tomcat services
Navigate to the webapps folder found in the Tomcat directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps)
Locate the shinydrive-server folder
Delete the shinydrive-server folder
Also in the webapps folder, locate a file called shinydrive-server.war
Right-click the file shinydrive-server.war and select Open archive in 7-Zip
From the archive displaying in 7-Zip, navigate to WEB-INF\lib\
Locate the log4j-core-<version>.jar file
Right-click the log4j-core-<version>.jar file and select Open Inside
Navigate to org\apache\logging\log4j\core\lookup\
Locate the JndiLookup.class file
Select the JndiLookup.class file and press Delete
Click OK on the confirmation screen
Close the 7-Zip archive window
If prompted to update the log4j-core-<version>.jar file due to modification, click OK
Restart the Apache Tomcat services
Shortly after restarting the Tomcat services, you should see the shinydrive-server folder reappear
Removing JndiLookup.class from Shinydocs Indexer
Run Services.msc
Locate and stop the shinydocs-indexer services
If the shinydocs-visualizer service is installed, it will automatically stop also
Navigate to the lib folder of the Indexer (for example, C:\Shinydocs\indexer\lib)
Locate log4j-core-<version>.jar
Right-click the file log4j-core-2.x.x.jar and select Open archive in 7-Zip
From the archive displaying in 7-Zip, navigate to org\apache\logging\log4j\core\lookup\
Locate the JndiLookup.class file
Select the JndiLookup.class file and press Delete
Click OK on the confirmation screen
Close the 7-Zip archive window
If prompted to update the log4j-core-<version>.jar file due to modification, click OK
Restart the shinydocs-indexer services
(if applicable) Restart the shinydocs-visualizer services
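To confirm that the removal procedures above took effect, and to re-check after each sd-csws.war deployment, the following added example (not Shinydocs code) scans folders for leftover log4j-1.2.x jars and for any jar or WAR, including jars nested inside a WAR, that still contains JndiLookup.class. It goes slightly beyond the page by flagging the class in any archive rather than only in files named log4j-core-<version>.jar. The script name check_log4j.py, the nesting limit and the finding messages are assumptions.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Entry the page's steps delete from log4j-core-<version>.jar
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches the two files the page names: log4j-1.2.14.jar and log4j-1.2.17.jar
LOG4J1_JAR = re.compile(r"log4j-1\.2\.\d+\.jar$", re.IGNORECASE)
ARCHIVES = (".jar", ".war")
MAX_DEPTH = 3  # assumption: jar-in-war nesting never goes deeper than this


def scan_archive(data, label, findings, depth=0):
    """Inspect one jar/war given as bytes, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((label, "unreadable archive, inspect manually"))
        return
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                findings.append((label, "JndiLookup.class present"))
            elif LOG4J1_JAR.search(name):
                findings.append((f"{label}!{name}", "Log4j 1.2 jar present"))
            elif name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH:
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Return (location, problem) pairs for every leftover found under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if LOG4J1_JAR.search(path.name):
            findings.append((str(path), "Log4j 1.2 jar present"))
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py <webapps folder> <indexer lib folder> ...
    results = [finding for root in sys.argv[1:] for finding in scan_tree(root)]
    for location, problem in results:
        print(f"{problem}: {location}")
    sys.exit(1 if results else 0)
```

Run it with the Tomcat webapps folder and the Indexer lib folder as arguments; it exits non-zero if anything is left. It checks only for the removals described on this page and does not assess the Log4j version in use.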