WMO (WaveMaker Online) Users
Updated on 24-Jan-2022
WaveMaker has released 10.11.1 on 24 Jan 2021, updating Log4j2 dependency, which mitigates against the vulnerability CVE-2021-44832. For more information about the release, see WaveMaker 10.11.1.
- Log4j2 upgraded to 2.17.1
Updated on 23-Dec-2021
WMO (WaveMaker Online) has released 10.10.3 on 23 Dec 2021, updating Log4j2 dependency, which mitigates against the vulnerability CVE-2021-45105. For more information about the release, see WaveMaker 10.10.3.
- Log4j2 upgraded to 2.17.0
Updated on 16-Dec-2021
WMO (WaveMaker Online) has released 10.10.2 on 16 Dec 2021, updating Spring and Log4j2 dependencies, which mitigates against vulnerabilities CVE-2021-44228 and CVE-2021-22096. For more information about the release, see WaveMaker 10.10.2.
- Log4j2 upgraded to 2.16.0
- Spring Framework upgraded to 5.3.13
Action items
If you are a WaveMaker Online (WMO) user and have already mitigated the risk by adding Log4j2 2.15.0, 2.16.0 or 2.17.0 dependencies, you need to undo those changes in the <dependencies> section of pom.xml. Also, there is no need to add the System property or Environment variable in the deployment section if you redeploy with the latest project build.
WME (WaveMaker Enterprise) Users
WaveMaker Enterprise users should continue to follow the risk mitigation provided in this blog.
A zero-day vulnerability is an unintentional software security flaw in an application that is identified before a fix is available, and therefore poses a zero-day threat.
A new zero-day vulnerability was reported in the Log4j2 library on 9th Dec 2021, affecting library versions >=2.0-beta9 and <=2.14. It has the potential to allow an attacker to execute code remotely. Log4j provided the fix by releasing version 2.15.0 on the same day. In addition, Log4j has since released the newer 2.17.0 version, which is available for production now. For more information, see the LOG4J changes report.
Is WaveMaker Application Affected?
WaveMaker applications that depend on Log4j2 2.14.1 (WM 10.10.1) or lower versions are at risk of the zero-day vulnerability.
Risk Mitigation
There are two ways to mitigate the risk before the planned hotfix release.
Maven: Upgrade the Log4j2 Version Manually
Add the latest Log4j2 2.17.0 dependencies in the <dependencies> section, and NOT under the <dependencyManagement> section, of your project's pom.xml file.
Since this mitigation needs a change in the project, the application must be rebuilt and redeployed.
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
</dependency>
System Properties: Disable Lookups in Log4j2
Set either the System Property log4j2.formatMsgNoLookups or the Environment Variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This mitigation applies to the runtime environment, so it does not require rebuilding the war file or the application: Tomcat, or whichever web application server the WaveMaker application is running on, needs one of the above-mentioned settings applied and then a restart.
Examples for Apache Tomcat
Follow the below-specified changes to set the System property and System environment variable.
Unix and Mac Systems
Add the below in the setenv.sh file of the Tomcat bin folder.
- The following adds a System property.
export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
- The following adds an Environment variable.
export LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Windows System
Add the below in the setenv.bat file of the Tomcat bin folder.
- The following adds a System property (the quotes go around the whole assignment so they are not stored as part of the value).
set "JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true"
- The following adds an Environment variable.
set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
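To verify that a deployment actually ended up in the state the two mitigation sections above describe, the following Python script is an added example (not WaveMaker's own tooling). It opens a built WAR (a zip archive), finds any log4j-core jar under WEB-INF/lib, and classifies its version against the ranges in this post: affected (2.0-beta9 through 2.14.x), interim (2.15.x/2.16.x, still to be upgraded to 2.17.0) or fixed (2.17.0 and later). It also checks whether the runtime mitigation is in effect by looking for the system property in a JAVA_OPTS string or the environment variable. The jar naming pattern log4j-core-<version>.jar and the sample WARs built by demo() are assumptions and constructed test data.

```python
"""Check a built WAR and the runtime settings for the Log4j2 mitigations.

Added example; not WaveMaker's tooling. Assumes log4j-core ships under
WEB-INF/lib as log4j-core-<version>.jar (standard Maven naming).
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Matches e.g. WEB-INF/lib/log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
JAR_RE = re.compile(
    r"WEB-INF/lib/log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$"
)

# (major, minor, patch, (pre-release kind, number) or None)
Version = Tuple[int, int, int, Optional[Tuple[str, int]]]


def parse_log4j_core_version(entry: str) -> Optional[Version]:
    """Return the version encoded in a log4j-core jar name, or None if the
    zip entry is not a log4j-core jar (log4j 1.x jars are named log4j-1.2.x)."""
    m = JAR_RE.search(entry)
    if not m:
        return None
    major, minor, patch, pre_kind, pre_num = m.groups()
    pre = (pre_kind, int(pre_num)) if pre_kind else None
    return (int(major), int(minor), int(patch or 0), pre)


def classify(version: Version) -> str:
    """Map a log4j-core version onto the ranges given in the post."""
    major, minor, patch, pre = version
    if major != 2:
        return "unknown"          # not a 2.x line covered by the post
    if pre is not None:           # 2.0-betaN / 2.0-rcN pre-releases
        kind, num = pre
        return "affected" if (kind == "rc" or num >= 9) else "outside-range"
    if (major, minor, patch) >= (2, 17, 0):
        return "fixed"            # 2.17.0 or later, the target in the post
    if minor <= 14:
        return "affected"         # 2.0 .. 2.14.x
    return "interim"              # 2.15.x / 2.16.x: still upgrade to 2.17.0


def scan_war(war_path: str) -> List[Tuple[str, str]]:
    """List every log4j-core jar in the WAR together with its classification."""
    findings = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            version = parse_log4j_core_version(entry)
            if version is not None:
                findings.append((entry, classify(version)))
    return findings


def lookups_disabled(java_opts: str, env: Dict[str, str]) -> bool:
    """True if either runtime switch from the post is in effect: the
    -Dlog4j2.formatMsgNoLookups=true system property in JAVA_OPTS, or the
    LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable set to true."""
    if re.search(r"-Dlog4j2\.formatMsgNoLookups=(?i:true)\b", java_opts):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def build_sample_war(path: str, log4j_core_version: str) -> str:
    """Write a constructed, minimal WAR whose only interesting content is a
    dummy (empty) log4j-core jar entry; only the entry name matters here."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/spring-core-5.3.13.jar", b"")
        war.writestr(f"WEB-INF/lib/log4j-core-{log4j_core_version}.jar", b"")
    return path


def demo() -> Dict[str, str]:
    """Build constructed WARs for versions mentioned in the post and return
    {version: classification}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("2.14.1", "2.15.0", "2.17.0", "2.0-beta9"):
            war = build_sample_war(os.path.join(tmp, f"app-{v}.war"), v)
            findings = scan_war(war)
            results[v] = findings[0][1] if findings else "missing"
    return results


if __name__ == "__main__":
    for version, status in demo().items():
        print(f"log4j-core {version}: {status}")
    opts = "-Xmx1g -Dlog4j2.formatMsgNoLookups=true"
    print("runtime lookups disabled:", lookups_disabled(opts, dict(os.environ)))
```

Run scan_war() against the WAR produced by your project build: a result of "affected" or "interim" means the <dependencies> override above has not taken effect (for instance because it was placed under <dependencyManagement>), while lookups_disabled() reproduces the check Tomcat's JVM would effectively make once setenv.sh or setenv.bat has been edited and the server restarted.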