CVE-2021-44228
Summary
A new vulnerability (CVE-2021-44228) has been reported in the Java logging tool Log4j which could allow an attacker, who can control log messages or log message parameters, to execute arbitrary code loaded from LDAP servers via message lookup substitution.
CVE-2021-44228 has a CVSS 3.1 score of 10.0 (CRITICAL). The attack vector can be either local or via network.
Impact on Eclipse Kura
Eclipse Kura versions prior to 4.0.0 used Log4j 1.x and, as stated here, are not affected by this vulnerability, so no patch is needed.
The impact on devices running Kura 4.x and 5.x is limited if the framework runs on a JVM newer than 8u191, which by default prevents the remote code execution in the virtual machine. See here for a more detailed explanation.
Mitigations
As described on the official Log4j 2 website, the Log4j 2 lookup feature can be disabled by replacing the %m conversion pattern with %m{nolookups}.
On deployed instances of Eclipse Kura 4.x the mitigation can be applied immediately with:
sed -i 's/[%]\(message\|msg\|m\)/%m{nolookups}/g' /opt/eclipse/kura/user/log4j.xml
For Eclipse Kura 5.0.0, instead:
sed -i 's/[%]\(message\|msg\|m\)/%m{nolookups}/g' /opt/eclipse/kura/log4j/log4j.xml
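The following is an added example, not part of the Kura notice: it applies the %m{nolookups} rewrite to a constructed log4j.xml and then checks that no unmitigated %message, %msg or %m pattern is left. The sed expression is a variant of the one above (it additionally requires the pattern to be followed by a non-letter, non-brace character or the end of the line), so that an occurrence already written as %m{nolookups} is skipped on a second run and a longer conversion word such as %marker is not rewritten; the sample configuration is invented for the example and the file paths are temporary files, not the Kura locations.

```shell
#!/bin/sh
# Added example (not part of the Kura notice): apply the %m{nolookups}
# mitigation to a log4j2 XML file and verify that no unmitigated message
# conversion pattern remains. Uses sed -E (extended regular expressions).

# Rewrite %message / %msg / %m to %m{nolookups} in the file given as $1.
# Variant of the notice's expression: the pattern must be followed by a
# non-letter, non-brace character (or end of line), so an occurrence that
# already reads %m{nolookups} is left alone (re-running is safe) and a
# longer conversion word such as %marker is not mangled.
apply_nolookups() {
    sed -E 's/%(message|msg|m)([^A-Za-z{]|$)/%m{nolookups}\2/g' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Count the %message / %msg / %m occurrences in $1 that still lack an
# option block; prints 0 once the mitigation has been applied everywhere.
unmitigated_count() {
    grep -oE '%(message|msg|m)([^A-Za-z{]|$)' "$1" | wc -l | tr -d ' '
}

# Write a constructed log4j2 configuration (modelled on a Kura-style
# log4j.xml but invented for this example) to the path given as $1.
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %-5p %c{1} - %msg%n"/>
    </Console>
    <RollingFile name="RollingFile" fileName="/var/log/kura.log" filePattern="/var/log/kura-%i.log">
      <PatternLayout pattern="%d %-5level %logger{36} %marker %message%n"/>
    </RollingFile>
    <Console name="Safe" target="SYSTEM_ERR">
      <PatternLayout pattern="%d %p - %m{nolookups}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
EOF
}

# Demonstration on a temporary copy of the constructed configuration.
demo_file=$(mktemp)
make_sample_config "$demo_file"
echo "before: $(unmitigated_count "$demo_file") unmitigated pattern(s)"
apply_nolookups "$demo_file"
echo "after:  $(unmitigated_count "$demo_file") unmitigated pattern(s)"
grep -n 'PatternLayout' "$demo_file"
rm -f "$demo_file"
```

The count function is the part worth keeping around after the rewrite: run it against the real log4j.xml after the sed command, and treat anything other than 0 as a pattern that still needs a manual look (for instance a %m that carries a different option block).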
Next Steps
The Eclipse Kura project has already started updating its development branch to the latest available Log4j package.
The effort will continue with a backport of the change to the Eclipse Kura 4.x maintenance branch, released as Eclipse Kura 4.1.3, and with a backport to the Eclipse Kura 5.x maintenance branch, released as Eclipse Kura 5.0.1.
Hi all, we tagged Kura 5.0.1 and 4.1.3 RC1 and created the first release candidate builds:
Kura 5.0.1:
eclipse/kura:5.0.1-RC1-centos-x86_64
eclipse/kura:5.0.1-RC1-alpine-x86_64
Kura 4.1.3:
eclipse/kura:4.1.3-RC1

Hello, we have seen that since the notice has been posted, the mitigation suggestion has changed. As you have seen from the notice, the mitigation suggested prevents the remote code execution but does not potentially prevent DoS attacks (https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014). Eclipse Kura does use log4j-core: the build system is based on Tycho, so mvn dependency:tree does not report it. Log4j-core is actually used at runtime and included in the distribution. To fix both CVE-2021-44228 and CVE-2021-45046 we are working on releasing Kura 4.1.3 and 5.0.1, which will use log4j 2 in version 2.16.0.
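The comment above makes the point that a build-tool dependency tree can miss a log4j-core that is nonetheless shipped, so the check that matters is over the files actually installed. The following is an added example, not part of the Kura project's tooling: it scans a directory tree for log4j-core jars and lists those below a minimum version, with a numeric version comparison so that 2.9.1 is correctly treated as older than 2.16.0. The two jar naming conventions it matches (Maven-style log4j-core-<version>.jar and OSGi-style org.apache.logging.log4j.core_<version>.jar), the sample directory layout and the placeholder jar files are assumptions constructed for the example; 2.16.0 is used as the threshold because that is the version the comment targets.

```shell
#!/bin/sh
# Added example (not part of Kura): find log4j-core jars under an
# installation tree and report those older than a minimum version.
# Jar naming conventions and the sample tree are assumptions.

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Compared component by component, so 2.9.1 < 2.16.0 (a plain string
# comparison would get this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# jar_version PATH: print the version embedded in a log4j-core jar name,
# e.g. log4j-core-2.11.1.jar -> 2.11.1, ...log4j.core_2.13.3.jar -> 2.13.3.
jar_version() {
    basename "$1" | sed -E 's/.*core[-_]([0-9][0-9.]*[0-9]).*/\1/'
}

# scan_log4j_core DIR MINVER: print the path of every log4j-core jar under
# DIR whose version is below MINVER, one per line (nothing when all are ok).
scan_log4j_core() {
    find "$1" -type f \( -name 'log4j-core-*.jar' \
        -o -name 'org.apache.logging.log4j.core_*.jar' \) |
    while read -r jar; do
        if ! version_ge "$(jar_version "$jar")" "$2"; then
            echo "$jar"
        fi
    done
}

# make_sample_tree DIR: constructed installation tree with empty placeholder
# jars (two vulnerable log4j-core versions, one fixed, one unrelated api jar).
make_sample_tree() {
    mkdir -p "$1/plugins" "$1/user/packages"
    : > "$1/plugins/log4j-core-2.11.1.jar"
    : > "$1/plugins/log4j-api-2.11.1.jar"
    : > "$1/user/packages/org.apache.logging.log4j.core_2.13.3.jar"
    : > "$1/user/packages/log4j-core-2.16.0.jar"
}

# Demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "log4j-core jars below 2.16.0 under $demo_root:"
scan_log4j_core "$demo_root" 2.16.0
rm -rf "$demo_root"
```

On a real device point scan_log4j_core at the installation root rather than at the build checkout, since the whole point of the comment is that the artifact shows up in the distribution and not in the dependency tree.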