Pentaho


log4j security compliance -- CVE-2021-44228

  • 1.  log4j security compliance -- CVE-2021-44228

    Posted 12-10-2021 15:54
    There's a questionably large RCE exploit announced today (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) that may or may not impact pdi.  The more I read about it, the more obvious it becomes that this is a way larger issue than we (as of this writing) understand.

    pdi-ce 9.2 still uses a log4j jar from 2012 that hit EOL in 2015.  1.x versions aren't even tested for security compliance by the log4j team anymore (you know, because EOL...) and they urge anyone using log4j to update to 2 in order to receive security updates.


  • 2.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-11-2021 12:13
    If it's affected, will Community Edition be patched?

    ------------------------------
    WEN JING
    IT Support Manager
    NCS Pte Ltd
    ------------------------------



  • 3.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 05:06
    Hello

    Keep an eye on the knowledge base article below:
    https://knowledge.hitachivantara.com/Support_Information/Hitachi_Vantara_Security_Advisories/CVE-2021-44228_-_Apache_Log4j2

    Regards
    William

    ------------------------------
    William Jansen van Nieuwenhuizen
    Hitachi Vantara
    ------------------------------



  • 4.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 06:29
    You do not have permission to view this page.
    :-(

    Any chance of reposting the content here?

    ------------------------------
    Matt Kynaston
    Chief Technology Officer
    Claritum Ltd
    ------------------------------



  • 5.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 08:10

    Hey William,

    We use the community edition of PDI and the knowledge base article you have linked is not accessible.

    Can you please give access to this article you have linked or post the updates in this thread?

    Thanks,
    Suyash



    ------------------------------
    Suyash Shrivastava
    Systems Engineer
    Decimal Point Analytics
    ------------------------------



  • 6.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 09:51

    Same for me.

    There is no access to the page.

    Please help.



    ------------------------------
    Volker Buchholz
    Application Services Manager
    UB Volker Buchholz
    ------------------------------



  • 7.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 10:56
    Hello William,

    Would be great to get access to the mentioned knowledge base article.

    We're using community edition too and would like to get some information about how Pentaho is affected by the security issue.

    Thanks in advance!

    Best regards
    Frederic

    ------------------------------
    Frederic Biermann
    Systems Engineer
    11880 Internet Services AG
    ------------------------------



  • 8.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-14-2021 08:55
    Hi @William Jansen van Nieuwenhuizen, we are still struggling to get access to the KB, but according to what I have read from SOC sources, older log4j 1.2.x versions aren't affected; only log4j2 versions 2.0-beta9 up to 2.14.1 are affected.

    Although Log4j v1.2.x has its own vulnerabilities and is EOL.







    ------------------------------
    Brendan Gilbert
    IT Support Manager
    AHRI
    ------------------------------



  • 9.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-14-2021 12:34
    I do agree that there is a 2.8.2 version in the pax-logging-log4j2-1.10.2.jar file.  I did not catch this at first.  Unfortunately, our security team requires us to have an officially supported fix from the vendor.  Any update would be appreciated.  We are going to have to uninstall our Pentaho product unless we can get some guidance soon.

    Also, I would like to follow the knowledge article linked in this thread, but trying to navigate to it results in the same message Brendan Gilbert was receiving...an error stating "you do not have permission to view this page".

    EDIT: looks like I replied to the wrong post, which placed this one out of order.  My apologies, I would fix it if I knew how.

    ------------------------------
    Wesley Massaker
    HelpDesk Support
    FitzMark Inc
    ------------------------------



  • 10.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-24-2021 04:57
    I hope everybody that's been looking for the information has seen that the link is now available publicly without login regarding the affected products and the patches that fix them.
    https://knowledge.hitachivantara.com/Support_Information/Hitachi_Vantara_Security_Advisories/Security_Vulnerabilities_in_Apache_Log4j_Library_(CVE-2021-44228%2C_CVE-2021-45046%2C_and_CVE-2021-45105)
    ------------------------------
    William Jansen van Nieuwenhuizen
    Hitachi Vantara
    ------------------------------



  • 11.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 17:18

    We are also using community edition (9.1), but from everything I can tell, the original poster is correct in that Pentaho uses 1.x version, which I don't believe is affected by this weekend's log4j vulnerability.  I read up a little on it (not an expert on this btw), and I could not find the classes referenced in that vulnerability.  Here's what I was going from when trying to troubleshoot...

    https://www.socinvestigation.com/apache-log4j-vulnerability-detection-and-mitigation/

    However, 1.x is no longer supported and apparently has its own vulnerability that was never patched due to EOL, so I guess the question is how do we move Pentaho up to log4j2 v2.15?



    ------------------------------
    Wesley Massaker
    HelpDesk Support
    FitzMark Inc
    ------------------------------



  • 12.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-13-2021 17:33
    I'm on Pentaho BI server 9.1. This ships log4j 2.8.2 hidden in pentaho-solutions/system/karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar.

    I have no idea where that might be used, but the only mitigation I can find is to remove JndiLookup.class from the jar (naturally you'll want to backup and test before rolling it out):

    zip -q -d \
    pentaho-solutions/system/karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar \
    org/apache/logging/log4j/core/lookup/JndiLookup.class



    ------------------------------
    Matt Kynaston
    Chief Technology Officer
    Claritum Ltd
    ------------------------------



  • 13.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-14-2021 14:55

    So far I found this on the Pentaho site regarding the log4j-2 vulnerability:

    https://support.pentaho.com/hc/en-us/articles/4416229254541-log4j-2-zero-day-vulnerability-CVE-2021-44228-



    ------------------------------
    Dhruvesh Patel
    Data Service Manager
    Graham Capital
    ------------------------------



  • 14.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-15-2021 05:46

    We now have a scanner for log4j in the company.

    It has found these locations in PDI 9.2 Community Edition:

    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\apache-log4j-extras-1.2.17.jar contains Log4J-1.x 1.2.17 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\apache-log4j-extras-1.2.17.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4j-1.2.17.jar contains Log4J-1.x 1.2.17 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4j-1.2.17.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4jdbc-1.2.jar contains Log4J-1.x 1.2 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\slf4j-log4j12-1.7.12.jar contains Log4J-1.x 1.7.12 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\plugins\elasticsearch-bulk-insert-plugin\lib\log4j-api-2.11.1.jar contains Log4J-2.x 2.11.1 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle243\version0.0\bundle.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle6\version0.0\bundle.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-1.x 1.10.2 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\tmp\8ddfb285-kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\hitachivantara\pax-logging-api-wrap\1.10.2\pax-logging-api-wrap-1.10.2.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-api\1.10.2\pax-logging-api-1.10.2.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-1.x 1.10.2 __END_OF_LIFE_VERSION__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) __VULNERABLE__
    D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\pentaho\di\plugins\kettle-log4j-core\9.2.0.0-290\kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__


    ------------------------------
    Martin Rupp
    Service Administrator
    Siemens AG
    ------------------------------
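    The detection and mitigation discussed in posts 12 and 14 above, as an added example that is neither Martin's scanner nor Pentaho code: a small Python scanner that reads the log4j-core version from a jar's Maven metadata, recurses into jars nested inside OSGi bundles (the karaf caches case), and reports separately whether JndiLookup.class is still present, so a jar that has had the class deleted with `zip -d` can be told apart from an untouched copy even though a version-only check still labels both 2.8.2. The jar fixtures are constructed in the code; the version ranges follow the NVD entry for CVE-2021-44228.

```python
import io
import re
import zipfile

# JNDI lookup class abused by CVE-2021-44228, and the Maven metadata log4j-core ships in its jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def classify(version):
    """Map a log4j-core version string to a status label; ranges are those in the NVD entry."""
    nums = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    v = tuple(nums + [0] * (3 - len(nums)))            # "2.8.2" -> (2, 8, 2)
    if v < (2, 0, 0):
        return "END_OF_LIFE_VERSION"                   # log4j 1.x: unsupported, own CVEs
    return "VULNERABLE" if v <= (2, 14, 1) else "PATCHED"


def scan_jar(data, path):
    """Return (path, version, status, jndi_present) for a jar and every jar nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode()
            version = re.search(r"^version=(.*)$", props, re.M).group(1).strip()
            findings.append((path, version, classify(version), JNDI_CLASS in names))
        elif JNDI_CLASS in names:                      # repackaged copy without Maven metadata
            findings.append((path, "unknown", "JNDI_CLASS_PRESENT", True))
        for name in sorted(names):
            if name.endswith(".jar"):                  # OSGi bundle / wrapper jar embedding
                findings += scan_jar(jar.read(name), f"{path}!/{name}")
    return findings


def build_jar(entries):
    """Constructed test fixture: a jar holding the given {name: bytes or str} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def sample_scan():
    """Constructed scenario: a bundle.jar wrapping log4j-core 2.8.2, plus the same core after zip -d."""
    meta = "artifactId=log4j-core\nversion=2.8.2\n"
    core = build_jar({POM_PROPS: meta, JNDI_CLASS: b"\xca\xfe\xba\xbe"})  # class-file magic only
    fixed = build_jar({POM_PROPS: meta})                                   # JndiLookup.class deleted
    bundle = build_jar({"META-INF/MANIFEST.MF": "Bundle-Name: pax\n", "lib/core.jar": core})
    return scan_jar(bundle, "bundle.jar") + scan_jar(fixed, "fixed.jar")
```

    Pass scan_jar() the bytes of a real jar (for instance one of the paths listed in the scanner output above) to inspect it in place; the fourth field is what a version-only scanner cannot tell you after the class has been removed.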



  • 15.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-15-2021 07:18
    Does Spoon use those .jars internally for logging? I created a job with some tasks where logging is not enabled. Still, when I delete the .jar from the folder(s), Spoon won't start.

    I assume it must be used within Spoon then? I also assume it's not possible to simply exchange the .jar with a 2.15.x .jar?

    ------------------------------
    Daniel Michael Lozynski
    Product Manager
    DB Systel GmbH
    ------------------------------



  • 16.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-15-2021 11:56

    I don't know if Spoon uses all of these log4j libraries. But this is not important.

    Management doesn't want log4j libs < version 2.16 to be present.

    Log4j 2 is not compatible with log4j 1.

    But there is a mode to simulate log4j 1 with some constraints and risks.

    https://logging.apache.org/log4j/2.x/manual/compatibility.html

    Unfortunately the scan process also finds files which are only bridges to log4j!

    E.g.: http://www.slf4j.org/legacy.html



    ------------------------------
    Martin Rupp
    Service Administrator
    Siemens AG
    ------------------------------



  • 17.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-15-2021 15:17
    Martin - good catch with the stuff under system/karaf/caches. I'd scanned a clean build so it wasn't picking those up. For anyone updating things in-place, you'll definitely want to remove that caches directory or you'll still have vulnerable versions of the library in use. The caches directory will get recreated on next startup.

    I can't find any evidence of a bundled log4j (any version) in kettle-log4j-core in my build (9.1.0.8), and the classes there seem to depend on log4j-1.2.17. Out of interest, what tool are you using for scanning? I've been using the one from lunasec: https://github.com/lunasec-io/lunasec/releases/

    ------------------------------
    Matt Kynaston
    Chief Technology Officer
    Claritum Ltd
    ------------------------------



  • 18.  RE: log4j security compliance -- CVE-2021-44228

    Posted 12-16-2021 03:45

    Matt - my colleagues have created the scanner.

    Log4j 1.x has reached end of life! It is a very old lib with many security issues.

    (e.g.: https://www.cvedetails.com/cve/CVE-2019-17571/)

    Acc. to the German BSI report log4j 1.x must also be replaced by log4j 2.16 (not simple to do, because software which uses the lib must be changed, too! Issues also with embedded/bundled versions.)

    See: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=4



    ------------------------------
    Martin Rupp
    Service Administrator
    Siemens AG
    ------------------------------