Genesys Engage on-premises


About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

  • 1.  About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 00:32
    Edited by Duong Phan 12-17-2021 08:27
    Dears!

    We got the advisory from Genesys. In the article, we see that: "The immediate threat can be mitigated by adding the following setting to the java command line:

    "-Dlog4j2.formatMsgNoLookups=true" for all Genesys Java based components."

    If someone has done it, please share the procedure.

    Thank you in advance.
    John


    #Security

    ------------------------------
    Duong Phan
    ------------------------------


  • 2.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 05:07
    Hi
    Unfortunately, there is not just one procedure, but more or less a separate procedure per product :o(
    My experience so far is that in the installation folder of the product, e.g. EmailServer, there is a .ini file (for the EmailServer that would be JavaEmailServerDriver.ini).
    In the [JavaArgs] section add the line "-Dlog4j2.formatMsgNoLookups=true" (without the quotes).
    Save the file and restart the product.
    The name of the .ini file varies from product to product...
    For the GMS product, it's done by editing the launcher.xml found in the installation folder.
    Add this:

    <parameter name="log4jMsgLookup" displayName="log4jMsgLookup" mandatory="true" hidden="false" readOnly="true">
      <description><![CDATA[Msg No lookup for log4j]]></description>
      <valid-description><![CDATA[]]></valid-description>
      <effective-description/>
      <format type="string" default="-Dlog4j2.formatMsgNoLookups=true" />
      <validation></validation>
    </parameter>

    Save the file and restart GMS.
    I have problems finding out how to implement the parameter in a couple of no longer supported products:
    Datamart and GIS (Genesys Integration Server)
    Does anyone have experience/input for these products?

    Best regards
    Gert Søgaard



    ------------------------------
    Gert Sogaard
    Sopra Steria A/S
    ------------------------------



  • 3.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-16-2021 08:56
    Genesys has updated the advisory and recommends removing the JNDI class.

    ------------------------------
    Michael Sann
    InfinIT.cx GmbH
    ------------------------------



  • 4.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 03:35
    Edited by Angus Huckle 12-17-2021 03:36

    Another option for DMS and UCS is to replace the log4j jar files with their 2.16 equivalents.

    The initial proposed mitigation for these did not work.

    ------------------------------
    Angus Huckle
    Spark NZ Trading
    ------------------------------



  • 5.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 09:07
    Edited by Tony Morrow 12-17-2021 09:11
    Michael, definitely a good immediate solution.

    Though, I'm concerned about long term tracking on this. We'd have to modify our system scanners to routinely scan inside all the various log4j.jar files and see if the class file is present, and trigger an alert if it finds it. This is because of ongoing application maintenance, etc. Someone may forget to modify the file after installing or upgrading an application.

    Hopefully Genesys will go around and upgrade all their impacted apps with fixed jar files and we don't have to worry.



    Angus, Did you have to rename the 2.16 files to match the older filenames, or did it pull in the 2.16 version automatically?

    Example:  Did you have to save the 2.16 version using something like the following?

    rename log4j-2.16.0.jar log4j-1.2.17.jar
    rename log4j-2.16.0.jar log4j-core-2.14.0.jar



    ------------------------------
    Tony Morrow
    ------------------------------



  • 6.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 14:22

    UCS was a straight swap of log4j files as the startup script handles that.

    DMS was a rename, i.e. took the 2.16 equivalents and renamed them to be: log4j-api.jar, log4j-core.jar, log4j-slf4j-impl.jar and log4j-web.jar.



    ------------------------------
    Angus Huckle
    Spark NZ Trading
    ------------------------------



  • 7.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 14:35
    Thanks.

    Also, looking at Genesys Release Notes, they are pushing out updates that now include log4j 2.16.



    ------------------------------
    Tony Morrow
    ------------------------------



  • 8.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 04:00
    Hi John,

    Based on the latest update from Apache, the immediate threat can be mitigated by removing the JndiLookup class from the Java classpath:

    Linux:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    Win: Use Winzip/winrar/win7zip to delete the JndiLookup class
    Take a backup of the jar file before removing, for rollback
    Note: Genesys application restart is required.

    Regards,

    ------------------------------
    Siptain Ali
    Tech Mahindra GmbH
    ------------------------------
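    As an added example (not from this thread and not Genesys code), the routine scan Tony asks for in post 5 and the JndiLookup removal with backup from post 8, in Python: it walks an install tree for log4j-core jars (including the versionless renamed ones from post 6), reads the version from the file name or else the manifest, reports whether JndiLookup.class is still inside, and can strip it while keeping a .bak for rollback. The sample install tree it builds is constructed for the demo, not a real Genesys layout.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the class the advisory says to delete
JAR_NAME = re.compile(r"^log4j-core(?:-(\d+(?:\.\d+)*))?\.jar$")  # log4j-core-2.11.1.jar or a renamed log4j-core.jar

def jar_version(path):
    """Version from the file name, else from the manifest's Implementation-Version, else None."""
    m = JAR_NAME.match(os.path.basename(path))
    if m and m.group(1):
        return m.group(1)
    with zipfile.ZipFile(path) as zf:
        mf = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    v = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
    return v.group(1) if v else None

def scan(root):
    """Return [(jar_path, version, still_has_jndi_lookup)] for every log4j-core jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files) if JAR_NAME.match(f)):
            with zipfile.ZipFile(path) as zf:
                findings.append((path, jar_version(path), JNDI_CLASS in zf.namelist()))
    return findings

def remove_jndi_lookup(path):
    """The advisory's workaround: keep the original as .bak for rollback, write a copy without the class."""
    backup = path + ".bak"
    os.replace(path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(path, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
        return JNDI_CLASS in src.namelist()  # True if removed; the application still needs a restart

def demo():
    """Constructed sample tree (not a real Genesys install): a renamed, unpatched log4j-core.jar."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "WEB-INF", "lib", "log4j-core.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.0\n")
        zf.writestr(JNDI_CLASS, b"placeholder bytes, not a real class file")
    before = scan(root)
    removed = remove_jndi_lookup(jar)
    return before, removed, scan(root), os.path.exists(jar + ".bak")
```

    Pointing scan() at an application's installation folder after every install or upgrade, and alerting on any jar whose third field is True, is the recurring check post 5 asks for.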



  • 9.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 08:24
    Edited by Duong Phan 12-17-2021 08:26
    Hi Siptain,

    Thank you for sharing.


    ------------------------------
    Duong Phan
    ------------------------------



  • 10.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:06
    Thanks for sharing details. Does anyone know what to do with GAX? It's listed as vulnerable by Genesys, but the log4j-core*.jar file is nowhere to be found on my servers …

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 11.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:26
    Mine is located at:  \genesys\gax_01\webapp\WEB-INF\lib\log4j-core-2.11.1.jar

    ------------------------------
    Tony Morrow
    ------------------------------



  • 12.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:39
    Interesting... All I have is APPS\GCTI\GAX_1\webapp\WEB-INF\lib\log4j-1.2.17.jar, not core.. GAX version is 9.0.001.29...

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 13.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:44
    So you're good, since that is running the 1.x log4j.


    I'm running 9.0.103.06. They must have switched to log4j 2.x somewhere in between.


    ------------------------------
    Tony Morrow
    ------------------------------



  • 14.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 13:47
    Sometimes it's better to have good old code ;) Thanks for the update.

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 15.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-17-2021 14:11
    Yep.

    FYI.. They just released a new GAX that has log4j 2.16.

    ------------------------------
    Tony Morrow
    ------------------------------



  • 16.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-21-2021 21:57
    Has anyone used this option "-Dlog4j2.formatMsgNoLookups=true" for all Genesys Java based components?

    ------------------------------
    Duong Phan
    Services Delivery Manager
    ------------------------------



  • 17.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    GENESYS
    Posted 12-22-2021 00:48
    Hello Duong,
    We are not suggesting this java argument "-Dlog4j2.formatMsgNoLookups=true" anymore for CVE-2021-44228. Removal of the JndiLookup.class file from the log4j-core-x.jar found in the application installation directory is the suggested workaround until a hotfix is available for the product with a log4j2 version that fixes the vulnerability.

    Please follow the advisory below.

    000108042 - Advisory on CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    https://genesyspartner.force.com/customercare/kA91T000000bltb?name=Apache-Log4j-2-Java-library



    ------------------------------
    Vinod Balan
    Genesys - Employees
    ------------------------------



  • 18.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-22-2021 02:27
    Thanks, Vinod for sharing.

    ------------------------------
    Duong Phan
    Services Delivery Manager
    ------------------------------



  • 19.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-22-2021 16:45
    This is from the latest Genesys advisory:

    Note: All HotFix versions are packaged with Log4j 2.16.0

    The latest hotfixes are using 2.16.0, which is also known to be vulnerable, and v2.17 is out now...

    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 20.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    GENESYS
    Posted 12-22-2021 23:59
    Hello Senih,

    We are aware of the CVE-2021-45105, which states 2.16.0 is vulnerable and 2.17 is the fix. Our product management team has analyzed the CVE-2021-45105 released on 18 DEC 2021, which indicates specific non-standard configurations must be made to enable exploitation of this particular vulnerability. While we continue to confirm our configurations, such settings are not part of deployments in Multicloud CX by default.
    As such, full remediation of this vulnerability in Multicloud CX is judged as a Medium risk. We will continue to monitor our environment and the situation as more details emerge.
    Full remediation of all related vulnerabilities is targeted in January 2022, with on-going mitigations in effect and continuing to evolve.

    The above statement is also mentioned in the security advisory 000108042 - Advisory on CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library.
    https://genesyspartner.force.com/customercare/kA91T000000bltb?name=Apache-Log4j-2-Java-library


    ------------------------------
    Vinod Balan
    Genesys - Employees
    ------------------------------



  • 21.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-23-2021 06:06

    Hello

    What about the availability of a fix for the Genesys Engage (On Premise) components to move to log4j version 2.17?

    Regards



    ------------------------------
    Alain Nezereau
    MACIF Siège Social Sce
    ------------------------------



  • 22.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    GENESYS
    Posted 12-23-2021 06:17
    Bonjour Alain,

    Some of the product teams have already considered log4j 2.17 for the next build targeted for Jan 2022. Currently, hotfixes with log4j 2.16 are being rolled out.
    If there are no newer vulnerabilities with log4j 2.17, then in Jan 2020 we should have new versions of Genesys products with log4j 2.17.


    ------------------------------
    Vinod Balan
    Genesys - Employees
    ------------------------------



  • 23.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-23-2021 10:20

    Hi Vinod

    Thanks for your answer



    ------------------------------
    Alain Nezereau
    MACIF Siège Social Sce
    ------------------------------



  • 24.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 12-23-2021 16:57
    Hi Vinod, thank you for the clarification.


    ------------------------------
    Senih Demren
    Insurance Corporation of British Co
    ------------------------------



  • 25.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 01-03-2022 04:03

    Hi Everybody,

    About the Advisory https://genesyspartner.force.com/customercare/kA91T000000bltb?name=Apache-Log4j-2-Java-library

    This document was updated on December 31, 2021; the concern is that there is no evidence of the differences between versions of this document, so we can't see the changes.

    I can also inform you that it is not totally up to date, especially on the hotfix specifications (for example Pulse is in hotfix 9.0.007.03 and includes Log4J 2.17.0)

    Regards



    ------------------------------
    Alain Nezereau
    MACIF Siège Social Sce
    ------------------------------



  • 26.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    GENESYS
    Posted 01-03-2022 07:11
    Hello Alain,

    The below advisory was created to list out the applications that are affected specific to CVE-2021-44228. So, this advisory will have the hotfixes which were introduced to resolve this particular CVE-2021-44228. As per CVE-2021-44228, the solution is to upgrade to log4j 2.16. CVE-2021-44228 is considered a CRITICAL vulnerability with a score of 10/10. All other CVEs detected later were with a high or medium score.
    https://genesyspartner.force.com/customercare/kA91T000000bltb?name=Apache-Log4j-2-Java-library
    As you have mentioned, the HotFix v9.0.007.02 specified in the above advisory for Pulse includes Log4j 2.16, which is as per the recommendation of CVE-2021-44228.
    The latest hotfix v9.0.007.03 includes log4j 2.17, which is as per another CVE, CVE-2021-45105.
    Updates pertaining to other CVEs (CVE-2021-45105, CVE-2021-44832) detected later are not updated in the above advisory.

    Our apologies if you were expecting this advisory to be a consolidated one for all log4j vulnerabilities detected in December 2020. Since the focus in December was to mitigate the critical vulnerability CVE-2021-44228, the advisory was created to track the list of products and the hotfixes with log4j 2.16. We thought the below note mentioned in the advisory would let everyone know that this article will list hotfixes only for log4j 2.16.0; maybe we were wrong.

    Note: All HotFix versions are packaged with Log4j 2.16.0

    The advisory has been modified (mostly with only hotfix versions) as and when we received an update from the respective product teams on the log4j 2.16.0 patch. Every such major update seems to have been pushed as a new version, which is why you see multiple versions of the advisory.


    ------------------------------
    Vinod Balan
    Genesys - Employees
    ------------------------------



  • 27.  RE: About CVE-2021-44228 | a zero-day in the Apache Log4j 2 Java library

    Posted 01-03-2022 10:45

    Hello Vinod

    Thank you for these explanations


    ------------------------------
    Alain Nezereau
    MACIF Siège Social Sce
    ------------------------------


