CVE-2021-44228 Log4j2 JNDI/LDAP vulnerability

Reguël Wermelinger

Throughout December 21 & January 22, various security vulnerabilities of the popular log4j2 logging library have been exposed.

A fixed version plus workarounds are available from log4j:security . However, here we explore the effects of these vulnerabilities onto the IvyEngine and how you can fix it.

The Axon Ivy Platform uses the vulnerable log4j library in two different scenarios:

Ivy-Core: our core components use log4j as their primary logging infrastructure
ElasticSearch: the bundled ElasticSearch server comes with it's own log4j libraries. Even though, the Ivy Engine does not provide a direct interface for end users to interact with the bundled ElasticSearch instance. Therefore, attacks to it's logging infrastructure are difficult to setup and have not yet been successfully reproduced.

Axon Ivy 7 LTS

Affects LTS 7.0.0 - 7.0.24: fixed with 7.0.27
Ivy-Core: 🧐 low risk -> uses Log4j1; check ivy-core JMS appender config or update to 7.0.27
ElasticSearch: ⚠️ vulnerable -> update log4j jars of ElasticSearch or update to 7.0.27

Axon Ivy 8 LTS + 9.1 LE

Affects LTS 8.0.0 - 8.0.20: fixed with 8.0.21+22+23+24
Ivy-Core: 🧐 low risk -> Log4j1; check ivy-core JMS appender config or update to 8.0.24
ElasticSearch: ⚠️ vulnerable -> update log4j jars of ElasticSearch or update to 8.0.24

Axon Ivy 9.2 LE + 9.3 LE

Affects LE 9.2.0 - 9.3.0: fixed with 9.3.1+9.3.2+9.3.3
Ivy-Core: ⛔ vulnerable -> configure ivy-core jvm.options or update to 9.3.3
ElasticSearch: ⚠️ vulnerable -> update log4j jars of ElasticSearch or update to 9.3.3

Older unsupported End-of-life versions

ivy-core:
- 4.x/5.x/6.x versions -> 🧐 low risk -> uses Log4j1; check ivy-core JMS appender config
- 3.9 unaffected -> not using log4j
ElasticSearch:
- 6.7.x: ⚠️ vulnerable -> update log4j jars of ElasticSearch
- 6.6.x/6.5.x/6.4.x/6.3.x: 🧐 low risk -> uses Log4j1; check for JMS appenders at elasticsearch/config/logging.yml
- 6.2.x/5.x/4.x/3.9: unaffected -> not containing ElasticSearch

Reguël Wermelinger

Ivy 8+9.X: Update Log4j libs of bundled ElasticSearch server

We recommend to replace the standard log4j libraries of ElasticSearch (2.11.1) with the secure latest release (2.17.1).

The vulnerable jars must be updated as follows:

Download the log4j jars:
- log4j-api-2.17.1.jar
- log4j-core-2.17.1.jar
Copy the log4j jars into the elasticsearch/lib directory of the IvyEngine7.
Remove or rename the existing log4j jars of version 2.11.1
Restart the IvyEngine

Reguël Wermelinger

Ivy 7: Update Log4j libs of bundled ElasticSearch server

We recommend to replace the standard log4j libraries of ElasticSearch (2.8.2) with the secure latest release (2.17.0).

The vulnerable jars must be updated as follows:

Download the log4j jars:
Copy the log4j jars into the elasticsearch/lib directory of the IvyEngine7.
Remove or rename the existing log4j libs of version 2.8.2
Restart the IvyEngine

Reguël Wermelinger

Ivy7+8+9.1: Log4j1 JMS Appender config for ivy-core loggers

LTS releases of the ivy-core are shipped with a default-configuration which is not vulnerable to any of the CVE-2021 mentioned in the intro post.

However, a user with write access to the configuration files of the Ivy-Engine may compromise a system: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
You may review the current configuration/log4jconfig.xml to be free of JMSAppender usages and verify that write file access to this file is protected.

Reguël Wermelinger

Ivy 9.2+9.3: Fix by configuring ivy-core jvm.options

We recommend to update to version 9.3.2: which is no longer vulnerable. If you can't do this currently, this entry explains how to patch log4j2 manually.

The latest Leading Edge releases use Log4j2 libraries as the main logging infrastructure for the ivy-core. Therefore, we not only the bundled ElasticSearch server must be updated, but the main engine configuration too. Here's how:

Update ivy-core config:

Update configurations/jvm.options of the IvyEngine with a text editor of your choice
Append the -Dlog4j2.formatMsgNoLookups=true on the end of the file
Save the jvm.options file with the changes

Update log4j config: or update log4j jars of ElasticSearch

Update elasticsearch/config/jvm.options of the IvyEngine with a text editor of your choice
Append the -Dlog4j2.formatMsgNoLookups=true on the end of the file
Save the jvm.options file with the changes

Reboot the IvyEngine

Reguël Wermelinger

Ivy 8: use the secure successor of Log4j1

We recommend to update to version 8.0.24: as it no longer contains log4j1 with it's popular vulnerabilities.
We migrated to use reload4j, which is the maintained drop-in replacement for log4j1.

You should not need to change anything in your code or logger configurations. As reload4j is a new fork based on the EOL log4j, not containing it's security flaws and vulnerable appenders.

To conclude: update to Axon Ivy 8.0.24 in order to work with secure and maintained successor of log4j1.
https://dev.axonivy.com/download

Reto Weiss

Ivy 7: use the secure successor of Log4j1

We recommend to update to version 7.0.27: as it no longer contains log4j1 with it's popular vulnerabilities.
We migrated to use reload4j, which is the maintained drop-in replacement for log4j1.

You should not need to change anything in your code or logger configurations. As reload4j is a new fork based on the EOL log4j, not containing it's security flaws and vulnerable appenders.

To conclude: update to Axon Ivy 7.0.27 in order to work with secure and maintained successor of log4j1.
https://dev.axonivy.com/download/7.0