Genesys Engage on-premises


About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

  • 1.  About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 00:32
    Edited by Duong Phan 12-17-2021 08:27
    Dears !

    We got the advisory from Genesys. In the article, we see that: "The immediate threat can be mitigated by adding the following setting to the java command line:

    "-Dlog4j2.formatMsgNoLookups=true" for all Genesys Java based components."

    If someone has done it, please share the procedure.

    Thank you in advance.
    John


    #Security

    ------------------------------
    Duong Phan
    ------------------------------


  • 2.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 05:07
    Hi
    Unfortunately, there is not just one procedure, but more or less a separate procedure per product :o(
    My experience so far is that in the installation folder of the product, i.e. EmailServer, there is a .ini file (for the EmailServer that would be JavaEmailServerDriver.ini).
    In the [JavaArgs] section add the line "-Dlog4j2.formatMsgNoLookups=true" (without the quotes).
    Save the file and restart the product.
    The name of the .ini file varies from product to product...
    For the GMS product, it's done by editing the launcher.xml found in the installation folder.
    Add this:

    <parameter name="log4jMsgLookup" displayName="log4jMsgLookup" mandatory="true" hidden="false" readOnly="true">
      <description><![CDATA[Msg No lookup for log4j]]></description>
      <valid-description><![CDATA[]]></valid-description>
      <effective-description/>
      <format type="string" default="-Dlog4j2.formatMsgNoLookups=true" />
      <validation></validation>
    </parameter>

    Save the file and restart GMS.
    I have problems finding out how to implement the parameter in a couple of no longer supported products:
    Datamart and GIS (Genesys Integration Server)
    Does anyone have experience/input for these products?

    Best regards
    Gert Søgaard



    ------------------------------
    Gert Sogaard
    Sopra Steria A/S
    ------------------------------



  • 3.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 08:56
    Genesys has updated the advisory and recommends removing the JNDI class.

    ------------------------------
    Michael Sann
    InfinIT.cx GmbH
    ------------------------------



  • 4.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 03:35
    Edited by Angus Huckle 12-17-2021 03:36

    Another option for DMS and UCS is to replace the log4j jar files with their 2.16 equivalents.

    The initial proposed mitigation for these did not work.

    ------------------------------
    Angus Huckle
    Spark NZ Trading
    ------------------------------



  • 5.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 09:07
    Edited by Tony Morrow 12-17-2021 09:11
    Michael, definitely a good immediate solution.

    Though, I'm concerned about long term tracking on this. We'd have to modify our system scanners to routinely scan inside all the various log4j.jar files and see if the class file is present, and trigger an alert if it finds it. This is because of ongoing application maintenance, etc. Someone may forget to modify the file after installing or upgrading an application.

    Hopefully Genesys will go around and upgrade all their impacted apps with fixed jar files and we don't have to worry.



    Angus, Did you have to rename the 2.16 files to match the older filenames, or did it pull in the 2.16 version automatically?

    Example:  Did you have to save the 2.16 version using something like the following?

    rename log4j-2.16.0.jar log4j-1.2.17.jar
    rename log4j-2.16.0.jar log4j-core-2.14.0.jar



    ------------------------------
    Tony Morrow
    ------------------------------



  • 6.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 14:22

    UCS was a straight swap of log4j files as the startup script handles that.

    DMS was a rename, i.e. took the 2.16 equivalents and renamed them to be: log4j-api.jar, log4j-core.jar, log4j-slf4j-impl.jar and log4j-web.jar.



    ------------------------------
    Angus Huckle
    Spark NZ Trading
    ------------------------------



  • 7.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 14:35
    Thanks.

    Also, looking at Genesys Release Notes, they are pushing out updates that now include log4j 2.16.



    ------------------------------
    Tony Morrow
    ------------------------------



  • 8.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 04:00
    Hi John,

    Based on the latest update from Apache, the immediate threat can be mitigated by removing the JndiLookup class from the Java classpath:

    Linux:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    Win: Use WinZip/WinRAR/7-Zip to delete the JndiLookup class.
    Take a backup of the jar file before removing, for rollback.
    Note: Genesys application restart is required.

    Regards,

    ------------------------------
    Siptain Ali
    Tech Mahindra GmbH
    ------------------------------
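
An added example (not code from any poster or from Genesys) of the routine check raised in post 5 and of verifying the class removal described in post 8: it walks an installation tree and reports every jar, including jars nested inside WAR/EAR files, that still contains JndiLookup.class. The function names, the depth and size limits, and the demo files are assumptions constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # assumed cap: do not unpack larger nested archives

def scan_archive(src, label, hits, unreadable, depth=0):
    """Add label to hits if the archive holds JndiLookup.class; recurse into nested archives."""
    try:
        with zipfile.ZipFile(src) as zf:
            for info in zf.infolist():
                if info.filename == JNDI_CLASS:
                    hits.append(label)
                elif info.filename.lower().endswith(ARCHIVE_EXTS):
                    nested = f"{label}!/{info.filename}"
                    if depth < 4 and info.file_size <= MAX_NESTED_BYTES:
                        scan_archive(io.BytesIO(zf.read(info)), nested, hits, unreadable, depth + 1)
                    else:
                        unreadable.append(nested)  # too deep or too large: needs manual review
    except (zipfile.BadZipFile, OSError, RuntimeError):
        unreadable.append(label)  # report it: an unscanned jar is not a clean jar

def scan_tree(root):
    """Return (hits, unreadable) for every .jar/.war/.ear file under root."""
    hits, unreadable = [], []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            scan_archive(str(path), str(path), hits, unreadable)
    return hits, unreadable

def build_demo_tree(root):
    """Constructed sample files: unpatched jar, patched jar, WAR nesting a jar, corrupt jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()
    unpatched = jar({JNDI_CLASS: b"", "META-INF/MANIFEST.MF": b""})
    files = {"log4j-core-2.14.0.jar": unpatched, "app.war": jar({"WEB-INF/lib/nested.jar": unpatched}),
             "log4j-core.jar": jar({"META-INF/MANIFEST.MF": b""}), "broken.jar": b"not a zip"}
    for name, data in files.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(scan_tree(tmp))
```

Run on a schedule, `scan_tree` on the real installation root gives the alert list; anything in the second list could not be opened and should be checked by hand.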



  • 9.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 08:24
    Edited by Duong Phan 12-17-2021 08:26
    Hi Siptain,

    Thank you for sharing.


    ------------------------------
    Duong Phan
    ------------------------------



  • 10.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:06
    Thanks for sharing details. Does anyone know what to do with GAX? It's listed as vulnerable by Genesys, but the log4j-core*.jar file is nowhere to be found on my servers …

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 11.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:26
    Mine is located at:  \genesys\gax_01\webapp\WEB-INF\lib\log4j-core-2.11.1.jar

    ------------------------------
    Tony Morrow
    ------------------------------



  • 12.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:39
    Interesting... All I have is    APPS\GCTI\GAX_1\webapp\WEB-INF\lib\log4j-1.2.17.jar    not core.. GAX version is 9.0.001.29...

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 13.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:44
    So you're good, since that is running the 1.x log4j.


    I'm running 9.0.103.06.  They must have switched to log4j 2.x somewhere in between.


    ------------------------------
    Tony Morrow
    ------------------------------



  • 14.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:47
    Sometimes it's better to have good old code ;)   Thanks for the update.

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------