CVE-2021-44228 (Apache log4j) tracking issue

[ius]

I used nix-locate to find instances of log4j v2 (possibly affected by CVE-2021-44228).

nix-locate -1 log4j-core-2 | uniq | tr '\n' ' '
nix-locate -1 log4j-api-2 | uniq | tr '\n' ' '

Packages listed below contain a log4j jar. Note that shipping the log4j jar does not imply vulnerability nor exploitability. This list is not exhaustive for many reasons (using 21.11 as nix-locate index; packages not cached thus not indexed).

Not vulnerable means I believe 21.05/21.11/unstable is not affected.

Package	Status
apache-jena	Fixed #150610 #150650 - 21.05?
arduino-core	Upstream fix released, not packaged
arduino	Upstream fix released, not packaged
elasticsearch7	Fixed #150879 #150986
elasticsearch6	Fixed #150879 #150986
elasticsearch6-oss	Fixed #150879 #150986
flink	Upstream fix released - #151776
ghidra-bin	Fixed #150154 #150159 #150211
graylog	Fixed #150511 #150594 #150904
igv	Upstream fixed, not packaged
jitsi-videobridge	Not vulnerable #150021 #150027 (missing 21.05 backport) Upstream: Jitsi-videobridge instances older than 2.1-504 (May 2021) with callstats enabled should be updated to 2.1-504 or newer (source)
jmeter	Fixed #151080 #151087
logstash6	Fixed #150879 #150986
logstash7	Fixed #150879 #150986
logstash6-oss	Fixed #150879 #150986
logstash7-oss	Fixed #150879 #150986
signald	Fixed #150479 #150523 #150526
solr	8.11.1 released (2.16.0), not packaged - mitigated by adding services.solr.extraJavaOptions = [ "-Dlog4j.formatMsgNoLookups=true" ]; to your configuration
storm	Upstream fixed (2.17.0), but unreleased
xmlbeans	Upstream fixed (2.17.0) but unreleased
zap	Fixed (2.15.0) #150289 #150406 #150295 (no 2.17.0 released planned source)
keycloak	Not vulnerable source
unifi[6]	Mitigated #150329 #150329 #150425 #151145 #151179 #151178

[Ma27]

Will patch pkgs.signald tonight.

[wamserma]

Would it be possible to hook a scanner like https://github.com/mergebase/log4j-detector into some postInstall-Hook for all packages depending on JDK? Or maybe directly into Hydra?

[bryanasdev000]

As soon as a new release of Jmeter is released, I'm going to update it.

[aanderse]

I added a note on how to mitigate the attack for solr.

[ius]

Note that the Log4J maintainers have made additional releases (2.16.0 and 2.12.2) which are now listed as the fix for CVE-2021-44228 (instead of 2.15).

It fixes a (less severe) denial of service (CVE-2021-45046) and disables JNDI by default.

Most downstream consumers will probably make yet another release...

[talyz]

I'm working on updating ELK 7 and should have a PR ready soon.

[lorenzleutgeb]

Related MRs:

gradle

• gradle: 7.3.1 -> 7.3.2 #150866
• gradle: 7.3.2 -> 7.3.3, 6.9.1 -> 6.9.2, pdftk: 3.3.1 -> 3.3.2 #151790

pdftk

• pdftk: 3.3.1 -> 3.3.2 #151791

[bryanasdev000]

Another PR for Jmeter:

#152176

[Moredread]

mediathekview might be affected.

See PR #152261

[Tungsten842]

@ius @antono @auntie @robberer @bjornfor @bergey A new version of arduino with log4j fixes has been released

[Tungsten842]

@ius @mimame A new version with fixes for log4j has been released for igv too.

[asbachb]

Can we close this issue or is there any open task?

[bryanasdev000]

Can we close this issue or is there any open task?

From a quick look seems that Solr is the main one missing.

[ius]

Let's close this. Packages should either be patched by now, otherwise they're likely to be orphaned and suffer from other issues as well.

In case of Solr it looks like it has plenty of vulnerability tags slapped onto it.