CVE-2021-44228: Log4j vulnerability impact on Code Insight

Summary:

A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Description:

Code Insight v6 and v7 are not impacted by CVE-2021-44228.

The table below lists the Code Insight v6 and v7 components and the logging frameworks used in those components.

| Component | Code Insight v6 | Code Insight v7 | Remarks |
|---|---|---|---|
| Core Server / Scan Server | Log4j 1.x | Log4j 1.x | Log4j 1.x is not affected by CVE-2021-44228. Regarding CVE-2021-4104: in Code Insight v6 and v7, JMSAppender is not enabled or used in the application. Therefore, Code Insight is not impacted by CVE-2021-4104. |
| Code Aware (used in scans via the scan server, plugins, and standalone scanner) | SLF4J (+logback) | SLF4J (+logback) | http://www.slf4j.org/ . Log4j v2.x files are shipped but not configured or used. *Please see the note below. |
| Plugins (only for Code Insight v7) | Not Applicable | Apache Commons Logging 1.x | |
| Code Insight Standalone Scanner (only for Code Insight v7) | Not Applicable | Apache Commons Logging 1.x | This standalone scanner has been made available from 2021 R3. |

*Note about SLF4J: SLF4J is a logging facade (wrapper) that can delegate to one of several logging implementations, such as logback, log4j, or java.util.logging.

In the Code Aware module we use SLF4J logging, which in turn is bound to and uses the native logback implementation.

Log4j 2 jar files are shipped and present in the Code Insight install location; however, the Log4j 2.x library is neither

  1. configured to be used with SLF4J, nor
  2. directly referenced in the code.

Hence, despite the presence of Log4j 2 files in the Code Insight application, it can be confirmed that the Log4j 2 libraries are not used for logging.

Resolution:

No fix is required.  

Workaround:

As Code Insight has no dependency on the included Log4j 2 libraries, these can be deleted using the instructions below:

Remediation Steps for Code Insight v7.x:

Steps to remove Log4j 2 files from Code Insight in case of a standalone installation (Core & Scan server on the same machine):

  1. Log in as the user who performed the Code Insight installation.
  2. Shut down the Code Insight application (or stop the service if configured in service mode).
  3. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib".
  4. Delete the files "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from the directory.
  5. Delete codeaware.war from the "$Codeinsight_Install_Location\tomcat\webapps" folder.
     The following steps remove the Log4j jar files from the Code Aware component, which is used by the plugins and the standalone scanner for scanning.
  6. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes" and take a backup of the "codeaware-embedded-<Version>.zip" file.
  7. Navigate to "$Codeinsight_Install_Location/7-zip/lnx64" (Linux) or "$Codeinsight_Install_Location\7-zip\win64" (Windows).
  8. Execute the command below from a terminal or command prompt to remove "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from "codeaware-embedded-<Version>.zip". The command uses the 7z tool supplied with the application to delete files from within the zip archive.
  9. Linux: ./7z d $Codeinsight_Install_Location/tomcat/webapps/codeinsight/WEB-INF/classes/codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
  10. Windows: 7z.exe d $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes\codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
  11. Start the Code Insight application.
Steps to remove Log4j 2 files from Code Insight in case of Core and Scan servers installed on different machines:

Scan Server(s): Perform these steps on each scan server.
  1. Log in as the user who performed the Code Insight installation.
  2. Shut down the Code Insight scanner application (or stop the service if configured in service mode).
  3. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib".
  4. Delete the files "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from the directory.
  5. Delete codeaware.war from the "$Codeinsight_Install_Location\tomcat\webapps" folder.
  6. Start the Code Insight scanner server (perform this step after completing the steps on the core server).

Core Server:
  1. Log in as the user who performed the Code Insight installation.
  2. Shut down the Code Insight core application (or stop the service if configured in service mode).
     The following steps remove the Log4j jar files from the Code Aware component, which is used by the plugins and the standalone scanner for scanning.
  3. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes" and take a backup of the "codeaware-embedded-<Version>.zip" file.
  4. Navigate to "$Codeinsight_Install_Location/7-zip/lnx64" (Linux) or "$Codeinsight_Install_Location\7-zip\win64" (Windows).
  5. Execute the command below from a terminal or command prompt to remove "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from "codeaware-embedded-<Version>.zip". The command uses the 7z tool supplied with the application to delete files from within the zip archive.
  6. Linux: ./7z d $Codeinsight_Install_Location/tomcat/webapps/codeinsight/WEB-INF/classes/codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
  7. Windows: 7z.exe d $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes\codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
  8. Start the Code Insight core server.
 
Scan plugin and standalone scanner changes:
The following steps are to be performed when the scan plugins or the standalone scanner are in use for scanning. Since the plugins and the standalone scanner download "codeaware-embedded-<Version>.zip" during a scan, you are likely to find old copies of this zip, and of the Log4j jars it contained, on these machines. The following steps delete all of them.

If no plugins or standalone scanner are in use, the following steps can be skipped.
  1. On the machine(s) where the plugin or standalone scanner is configured, identify the user who performed the Code Insight installation or executed the plugin or standalone scanner; "$user_dir" in the next step is that user's home directory.
  2. Delete the directory "$user_dir/.codeinsight". Refer to the examples below:

Linux: "/home/<user>/.codeinsight"

Windows: "C:/Users/<user>/.codeinsight"

Note:
a) On Linux, ".codeinsight" is a hidden directory (run "ls -al" to list it).
b) For the Jenkins or Bamboo plugins, if remote agent nodes are configured, the above step must also be performed on the remote agent nodes.
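The two mechanical parts of the v7 procedure above (finding the Log4j jars under the install location, and removing the two named jars from "codeaware-embedded-<Version>.zip" while keeping a backup) can be scripted. The Python below is an added example, not Code Insight tooling: it uses only the standard library in place of the bundled 7z, the install layout it builds in demo() is constructed, and the "1.0" in the zip name is a placeholder for <Version>. It goes slightly beyond the steps by classifying each jar it finds as Log4j 1.x or 2.x, which separates the files the advisory says are unaffected by CVE-2021-44228 (log4j-1.2.x, and the log4j-over-slf4j bridge, which is not Log4j at all) from the ones the steps remove.

```python
"""Inventory Log4j jars under a Code Insight install root and strip named jars
from an embedded zip, mirroring the advisory's manual steps (delete the loose
jars under WEB-INF/lib, then `7z d` them out of codeaware-embedded-<Version>.zip).
Added example, not Code Insight tooling; the directory layout built in demo()
is constructed, and the zip version "1.0" is a placeholder."""
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.11.1.jar, log4j-api-2.11.1.jar.
# log4j-over-slf4j-*.jar is an SLF4J bridge, not Log4j, and is deliberately
# not matched (the version must directly follow "log4j-", "core-" or "api-").
LOG4J_JAR = re.compile(
    r"^log4j-(?:(?P<module>core|api)-)?(?P<version>\d+\.\d+(?:\.\d+)?)\.jar$"
)

# The two files the advisory's steps remove.
LOG4J2_JARS = {"log4j-api-2.11.1.jar", "log4j-core-2.11.1.jar"}


def classify_jar(name):
    """Return (major_line, module) for a Log4j jar filename, else None.
    major_line is "1.x" or "2.x"; module is "core", "api" or "log4j" (1.x)."""
    m = LOG4J_JAR.match(name)
    if not m:
        return None
    major = m.group("version").split(".")[0]
    return ("1.x" if major == "1" else "2.x", m.group("module") or "log4j")


def inventory(root):
    """Walk root and map each Log4j jar (path relative to root, '/' separated)
    to its classification. 1.x hits are reported but, per the advisory, are
    out of scope for CVE-2021-44228; 2.x hits are what the steps remove."""
    root = Path(root)
    found = {}
    for p in root.rglob("*.jar"):
        c = classify_jar(p.name)
        if c:
            found[p.relative_to(root).as_posix()] = c
    return found


def remove_from_zip(zip_path, names_to_remove, backup_suffix=".bak"):
    """Rewrite zip_path without entries whose basename is in names_to_remove,
    the stdlib equivalent of the advisory's `7z d <zip> <names> -r`. A backup
    copy is taken first, as the advisory's backup step requires. Returns the
    list of removed entry names."""
    zip_path = Path(zip_path)
    backup = zip_path.with_name(zip_path.name + backup_suffix)
    shutil.copy2(zip_path, backup)
    tmp = zip_path.with_name(zip_path.name + ".tmp")
    removed = []
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if Path(info.filename).name in names_to_remove:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, zip_path)  # swap in the rewritten zip only once it is complete
    return removed


def demo():
    """Build a constructed miniature install tree in a temp dir, run the
    inventory, strip the embedded zip, delete the loose 2.x jars, and
    re-inventory. Returns the intermediate results for inspection."""
    base = Path(tempfile.mkdtemp())
    try:
        lib = base / "tomcat/webapps/codeaware/WEB-INF/lib"
        lib.mkdir(parents=True)
        for jar in ("log4j-1.2.13.jar", "log4j-core-2.11.1.jar",
                    "log4j-api-2.11.1.jar", "log4j-over-slf4j-1.7.25.jar"):
            (lib / jar).write_bytes(b"")  # constructed placeholder jars
        classes = base / "tomcat/webapps/codeinsight/WEB-INF/classes"
        classes.mkdir(parents=True)
        embedded = classes / "codeaware-embedded-1.0.zip"  # placeholder <Version>
        with zipfile.ZipFile(embedded, "w") as z:
            for entry in ("lib/log4j-core-2.11.1.jar", "lib/log4j-api-2.11.1.jar",
                          "lib/logback-classic-1.2.3.jar"):
                z.writestr(entry, b"")  # constructed entries
        before = inventory(base)
        removed = remove_from_zip(embedded, LOG4J2_JARS)
        with zipfile.ZipFile(embedded) as z:
            remaining = sorted(z.namelist())
        # Delete only the 2.x jars; the 1.x jar stays, as the advisory leaves it.
        for rel, (line, _module) in before.items():
            if line == "2.x":
                (base / rel).unlink()
        after = inventory(base)
    finally:
        shutil.rmtree(base)
    return {"before": before, "removed": sorted(removed),
            "remaining": remaining, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real installation, call inventory() on the install location before and after the manual steps: the log4j-api-2.11.1.jar and log4j-core-2.11.1.jar entries should disappear, while the 1.x jars and log4j-over-slf4j remain and are expected to. remove_from_zip() matches on the entry's basename, like the "-r" flag of the 7z command, so it catches the jars wherever they sit inside the archive.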
 

Remediation Steps for Code Insight v6.x:

Steps to remove Log4j 2 files from Code Insight in case of a standalone installation (Core & Scan server on the same machine):

  1. Log in as the user who performed the Code Insight installation.
  2. Shut down the Code Insight application (or stop the service if configured in service mode).
  3. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib".
  4. Delete the files "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from the directory.
  5. Delete codeaware.war from the "$Codeinsight_Install_Location\tomcat\webapps" folder.
  6. Start the Code Insight application.

Steps to remove Log4j 2 files from Code Insight in case of Core and Scan servers installed on different machines:

Scan Server(s): Perform these steps on each scan server.

  1. Log in as the user who performed the Code Insight installation.
  2. Shut down the Code Insight scanner application (or stop the service if configured in service mode).
  3. Navigate to "$Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib".
  4. Delete the files "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from the directory.
  5. Delete codeaware.war from the "$Codeinsight_Install_Location\tomcat\webapps" folder.
  6. Start the Code Insight scanner server.
Comments

Thank you for the update.  We will follow the instructions provided for mitigating this vulnerability.

However, there are still a number of log4j-1.x jars on the servers.  According to Apache, log4j-1.x has reached the end of life.  Any plan to fix this?

V7:
./tomcat/webapps/palamida/WEB-INF/lib/log4j-1.2.17.jar
./tomcat/webapps/palamida/lib/signed/log4j-1.2.13.jar
./tomcat/webapps/codeaware/WEB-INF/lib/log4j-1.2.13.jar
./tomcat/webapps/codeaware/WEB-INF/lib/log4j-core-2.11.1.jar
./tomcat/webapps/codeaware/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
./tomcat/webapps/codeaware/WEB-INF/lib/log4j-api-2.11.1.jar
./scriptRunner/lib/log4j-1.2.13.jar

V6:
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/palamida/lib/signed/log4j-1.2.13.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/palamida/WEB-INF/lib/log4j-1.2.17.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/palamida/lib_bak/signed/log4j-1.2.13.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/codeaware/WEB-INF/lib/log4j-core-2.11.1.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/codeaware/WEB-INF/lib/log4j-api-2.11.1.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/codeaware/WEB-INF/lib/log4j-1.2.13.jar
/apps/palamida/palamida_6.14.0-34/tomcat/webapps/codeaware/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
/apps/palamida/palamida_6.14.0-34/scriptRunner/lib/log4j-1.2.13.jar

Thanks for the question, Mei. Code Insight v7 will have log4j updated for the 2022 R1 release. Code Insight v6 is still being assessed for the impact of performing the Log4j 1.x to 2.x update. We will post an update once we have more information.

Last update: Jan 06, 2022 04:22 PM