Shinydrive
Shinydrive
Breadcrumbs

Shinydocs Response to Apache Log4j Vulnerabilities

Purpose

This article identifies Apache Log4j vulnerabilities that may affect Shinydrive customers and the steps we recommend to mitigate the security risks. These vulnerabilities include:

  • CVE-2021-45105

  • CVE-2021-45046

  • CVE-2021-44248

  • CVE-2019-17571

Updates

May 10, 2023

  • After each and any deployment of sd-csws.war we recommend the manual removal the file log4j-1.2.14.jar, which is deployed to the Apache Tomcat webapps folder, sd-csws\WEB-INF\lib. Removing this file removes the vulnerability. It is not required for normal operation of Shinydrive Server.

  • Shinydocs removed the log4j-1.2.17.jar file from the shinydrive-server.war file. No action is required.

April 11, 2023

  • Shinydocs identified two dependency files as part of vulnerability CVE-2019-17571, in the Shinydrive 2.5.2 server. We recommend removing the following files:

    • log4j-1.2.14.jar

    • log4j-1.2.17.jar

January 6, 2022

  • Shinydocs is working on releasing updates for Shinydrive Server and Shinydocs Indexer that contains Log4J 2.17 (which resolves these vulnerabilities). Until those updates are released, please follow this guide to mitigate against the vulnerability. We will update this page when the releases have been published. Thank you for your understanding.

sd-csws was previously listed as a component that was affected by the recent log4j vulnerabilities. sd-csws is not affected by these vulnerabilities.

December 21, 2021

  • Added a table view of the known vulnerabilities and the products using Log4j

  • Added CVE-2021-45105 to the list of vulnerabilities, though no Shinydocs products are affected

  • As these vulnerabilities have been discovered and documented, our recommendation to our customers is to remove JndiLookup.class from log4j-core-<version>.jar to mitigate against CVE-2021-45046 and CVE-2021-44228

CVE Vulnerabilities

The products impacted

Disclaimer

You may be susceptible if you have modified any Log4j logging settings within these applications.

- This product is NOT affected by the vulnerability

- This IS affected by the vulnerability

CVE Vulnerability

Shinydrive Server

Shinydocs Indexer (Elasticsearch)

Shinydocs Visualizer (Kibana)

Recommended Action

Additional Notes

CVE-2019-17571

Remove log4j-1.2.14.jar and log4j-1.2.17.jar

Removing these dependencies should not affect the logging process on Shinydrive, as they were part of an older build of Shinydrive

CVE-2021-44228

Remove JndiLookup.class from
log4j-core-<version>.jar


CVE-2021-45046

Remove JndiLookup.class from
log4j-core-<version>.jar


CVE-2021-45105

No action is required.

Note: If you have modified any of the listed product's Log4j settings (ex. Pattern Layout), you may be affected. Review your custom modifications to ensure you are not affected by this vulnerability.

This vulnerability only affects code that uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}). Shinydrive server does not use Context Lookups and is unaffected. Elastic has confirmed that Elasticsearch is also not affected by this vulnerability. For more details read the Elastic Security Announcement about Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31.

Actioning the Vulnerabilities

CVE-2019-17571 (Apr 11, 2023)

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

Removing log4j-1.2.14.jar and log4j-1.2.17.jar from Shinydrive Server

  1. Run Services.msc

  2. Stop the Apache Tomcat services

  3. Navigate to the the webapps folder found in the Tomcat directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps)

  4. From the webapps folder, continue to navigate to sd-csws\WEB-INF\lib

  5. Locate and delete log4j-1.2.14.jar

  6. Navigate back to the webapps folder

  7. From the webapps folder, navigate to shinydrive-server\WEB-INF\lib

  8. Locate and delete log4j-1.2.17.jar

  9. Restart the Apache Tomcat services

CVE-2021-44228, CVE-2021-45046 (Dec 15, 2022)

A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted Shinydocs products.

Our recommendation is to remove the JndiLookup class from the log4j-core jar. There are many methods to help perform this action, such as using 7zip or command line. Please use which method is appropriate to your environment. The below methods will use 7zip as the preferred tool.

Refer to Apache Log4j Security Vulnerabilities for more information.

Removing JndiLookup.class from Shinydrive Server

  1. Run Services.msc

  2. Locate and stop the Apache Tomcat services

  3. Navigate to the the webapps folder found in the Tomcat directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps)

  4. Locate the shinydrive-server folder

  5. Delete the shinydrive-server folder

  6. Also in the webapps folder, locate a file called shinydrive-server.war

  7. Right-click the file shinydrive-server.war and select Open archive in 7-Zip

  8. From the archive displaying in 7-Zip, navigate to WEB-INF\lib\

  9. Locate the log4j-core-<version>.jar file

  10. Right click on the log4j-core-<version>.jar file and select Open Inside

  11. Navigate to org\apache\logging\log4j\core\lookup\

  12. Locate the JndiLookup.class file

  13. Select the JndiLookup.class file and press Delete

  14. Click OK on the confirmation screen

  15. Close the 7-Zip archive window

  16. If prompted to update the log4j-core-<version>.jar file due to modification, click OK

  17. Restart the Apache Tomcat services

  18. Shortly after restarting the Tomcat services, you should see the shinydrive-server folder reappear

Removing JndiLookup.class from Shinydocs Indexer

  1. Run Services.msc

  2. Locate and stop the shinydocs-indexer services

  3. If the shinydocs-visualizer service is installed, it will automatically stop also

  4. Navigate to the the lib folder of the Indexer (for example, C:\Shinydocs\indexer\lib)

  5. Locate log4j-core-<version>.jar

  6. Right-click the file log4j-core-2.x.x.jar and select Open archive in 7-Zip

  7. From the archive displaying in 7-Zip, navigate to org\apache\logging\log4j\core\lookup\

  8. Locate the JndiLookup.class file

  9. Select the JndiLookup.class file and press Delete

  10. Click OK on the confirmation screen

  11. Close the 7-Zip archive window

  12. If prompted to update the log4j-core-<version>.jar file due to modification, click OK

  13. Restart the shinydocs-indexer services

  14. (if applicable) Restart the shinydocs-visualizer services