log4j RCE

Hi

Thanks for opening this issue, it’s good to have this discussion in public. We became aware of this issue yesterday morning and verified whether this affected ShinyProxy. We are convinced ShinyProxy is not affected.
You do not need to take any action.

However, the ShinyProxy Operator does uses log4j and was vulnerable. We released a new version of the operator yesterday that fixes the bug. Note that the attack surface of the operator is low, since it does not consume user-input (i.e. it only consumes YAML files created by a SysAdmin).

The next sections describe why ShinyProxy is not vulnerable, do not modify the pom.xml as below, this would make ShinyProxy vulnerable. This is just to show how to verify ShinyProxy is not vulnerable

First of all, ShinyProxy uses Spring Boot as framework. By default Spring Boot is not vulnerable, see this official Spring blog post https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot . In other words, Spring by default uses logback as logging backend instead of log4j. ShinyProxy does not override this logging backend. We confirmed this by running the following commands:

git clone https://github.com/openanalytics/shinyproxy
mvn -B dependency:list > deps.txt
grep -i log4j deps.txt 

This gives the following output:

[INFO]    org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile -- module org.apache.logging.slf4j [auto]
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.13.3:compile -- module org.apache.logging.log4j

As you can see this does not include the vulnerable log4j-core dependency. According to the spring boot blog post, the other dependencies are not vulnerable. (they are not used for the logging itself, but only as API interface.)

Besides this, we also did a manual check whether ShinyProxy is vulnerable. You can try this with the following steps:

1. download ShinyProxy: wget https://shinyproxy.io/downloads/shinyproxy-2.6.0.jar
2. run ShinyProxy java -jar shinyproxy-2.6.0.jar
3. open localhost:8080 in your browser
4. try to login with username ${jndi:ldap://127.0.0.1:1389/a} and any password
5. check the logs of ShinyProxy. You will see:

   e.o.containerproxy.service.UserService   : Authentication failure [user: ${jndi:ldap://127.0.0.1:1389/a}] [error: Bad credentials]
   

When ShinyProxy would be vulnerable this would throw an exception, indicating that Java cannot make a connection. You can also verify that ShinyProxy does not try to make a connection by using tcpdump (e.g. using sudo tcpdump -i lo port 1389)

Note that you can verify that this would be the case by changing the logging backend of ShinyProxy. You will need to modify the pom.xml of ShinyProxy, so that it contains:

instead of

(See https://github.com/openanalytics/shinyproxy/blob/master/pom.xml#L66-L80) If you now re-try the above steps, you will see that ShinyProxy tries to connect to the LDAP server.

To conclude, we are convinced that ShinyProxy is not vulnerable. We will closely monitor the situation, and step in when new vulnerabilities are found.

Hi

A new update of the log4j library was released, because the previous fix was incomplete. Therefore a new version of the ShinyProxy Operator was released.

ShinyProxy itself remains unaffected.