RCE 0-day exploit in log4j


Last night a 0-day exploit was published for log4j. This issue is to track impact for photon.

Current situation

We currently use log4j in version 2.8 and cannot update to a later version due to ES 5.6 not being compatible with those. This means that photon is affected and it is yet unclear if a patched version will be available.

A preliminary code analysis shows that the security risk for photon as a result of this exploit is low. Photon does not log any data received through requests via log4j itself. The only user-supplied data logged are filenames and data from the ES database in rare cases. However, photon does print exception messages and we cannot rule out that any of the libraries we use will print a message that is subject to the exploit.

Mitigation

The recommended mitigation for log4j 2.8 is to remove the JndiLookup.class from the final jar file. Ways to do this:

  1. Remove the class from your deployed photon-*.jar file using the zip tool:

       zip -q -d photon-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  2. (Photon >= 0.3.0 only) Download the photon jar from the release page again. The jars have been updated accordingly.
  3. (master only) Update to latest master and recompile photon (see #621).

Always make sure to restart the server after you have deployed the updated photon jar.
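The removal step above only tells you what to delete; before and after running it you want a check that the class is really gone from the jar you deploy. The following is an added example (not photon project code) that uses only the Python standard library: find_jndi_lookup() lists every JndiLookup.class entry in a jar, descending into nested jars as well, since a copy shaded inside another jar is not touched by a top-level zip -d; strip_jndi_lookup() performs the same top-level removal as the zip command. The function names and the sample jar produced by build_sample_jar() are constructed for illustration.

```python
import io
import zipfile

# Path of the class that the issue recommends deleting from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_lookup(data: bytes, prefix: str = "") -> list:
    """Paths of every JndiLookup.class entry in the jar bytes, descending
    into nested .jar entries so a shaded/fat jar does not hide a copy."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(prefix + name)
            elif name.endswith(".jar"):
                hits += find_jndi_lookup(zf.read(name), prefix + name + "!/")
    return hits


def strip_jndi_lookup(data: bytes) -> bytes:
    """Copy of the jar bytes without the top-level JndiLookup.class entry
    (what `zip -d` does in place); zipfile cannot delete, so we rewrite."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for photon-*.jar: carries the lookup class at
    top level and once more inside a nested jar (payload is not real bytecode)."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("lib/log4j-core-2.8.jar", nested.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", find_jndi_lookup(jar))                     # two hits, one nested
    print("after: ", find_jndi_lookup(strip_jndi_lookup(jar)))  # nested hit remains
```

To check a real deployment, pass the bytes of your photon-*.jar to find_jndi_lookup(); an empty list after the zip command means the mitigation took effect, while any remaining nested hit needs its own removal inside that inner jar.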

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

6 reactions
lonvia commented, Dec 13, 2021

Removing the JndiLookup.class is now the officially recommended mitigation according to the Apache Log4j security page. To remove the class from your photon jar run:

zip -q -d photon-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Then restart your photon server.

2 reactions
lonvia commented, Dec 13, 2021

All jars downloadable from the Release page for versions 0.3.x now have the JndiLookup.class removed. #621 makes sure that master builds remove the offending class when creating the final jar.

I consider the issue thus closed for Photon. Please make sure to update your servers.
