Log4j: "Experts agree that the security flaw is genuinely worrying"




"Log4Shell", the vulnerability made public on Friday, can have serious and long-term consequences for a very large number of organizations.


Summary

On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j versions prior to 2.15.0 was disclosed:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

On December 14, 2021, Apache released an additional vulnerability affecting all Log4j versions prior to 2.16.0:

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
  • It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete and could leave certain non-default configurations of Log4j exposed to exploitation, potentially resulting in a Denial of Service condition. While this second vulnerability is of lower severity, the visibility that this investigation has gathered and the proliferation of exploitation tools are such that we are including it in this advisory and will be providing guidance for this vulnerability as well.


Affected Products

Vulnerable Products

  • Database Agent

    • Database Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities

    • Database Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability

    AppDynamics recommends customers upgrade to Database agent version 21.12.1.
  • Java Agent

    • Java Agent JDK 8+

      • Versions prior to 21.11.1, vulnerable to CVE-2021-44228 and CVE-2021-45046 

      • Versions prior to 21.11.2, vulnerable to CVE-2021-45046 

      AppDynamics recommends that customers using Java Agent JDK 8+ upgrade to Java Agent JDK 8+ 21.11.2.

      (*Please Note: Java Agent JDK8+ does not support JDK6 or JDK7)

    • Java Agent Legacy - Sun and JRockit: all versions configured for JDK6 are not vulnerable, as this configuration uses log4j 1.x

    • Java Agent Legacy - Sun and JRockit: versions prior to 21.11.2 configured for JDK7 or above are vulnerable to CVE-2021-44228 and CVE-2021-45046
      AppDynamics recommends that customers using Java Agent Legacy - Sun and JRockit upgrade to Java Agent Legacy - Sun and JRockit 21.11.2.

    • Java Agent Legacy - IBM JVM: all versions configured for JDK6 are not vulnerable, as this configuration uses log4j 1.x

    • Java Agent Legacy - IBM JVM: versions prior to 21.11.2 are vulnerable to CVE-2021-44228 and CVE-2021-45046

      AppDynamics recommends that customers using Java Agent Legacy - IBM JVM upgrade to Java Agent Legacy - IBM JVM 21.11.2.

    MITIGATION - Java Agent JDK 8+, Java Agent Legacy - Sun and JRockit, Java Agent Legacy - IBM JVM

    Customers who cannot upgrade to the latest Java Agent versions may mitigate this risk by removing the JndiLookup class from the classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed: 

    zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    This change requires a restart of the application.


  • Machine Agent

    • Machine Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

    • Machine Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability

    AppDynamics recommends that customers running on Windows upgrade to Machine Agent for Windows 21.12.2. 

    AppDynamics recommends that customers upgrade to Machine Agent 21.12.1 (or higher) for all other Operating Systems.

    Customers who are unable to upgrade to Machine Agent 21.12.1 (or higher) can mitigate the risk from this vulnerability by executing the following command in the Machine Agent install directory:

    zip -dq lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    This change requires a restart of the Machine Agent.


  • Node.js Agent

    • Node.js Agent versions prior to 21.9 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities only if the Java Proxy is enabled. (The Java Proxy is off by default in Node.js Agent 4.5.16 and later.)

    Customers running Node.js with the proxy enabled can mitigate this vulnerability by making one of the following two changes:

    • Option 1: Disable the Java Proxy:
      - Node.js versions 4.5.16 and later: remove “proxy:true” from the agent configuration (this is the default configuration)
      - Node.js versions prior to 4.5.16: set “libagent:true” in the agent configuration

    • Option 2: Remove the JndiLookup class from the classpath. The following command should be executed in the <version>/lib/tp directory where the agent is installed:

      zip -dq log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

      This change requires a restart of the application.

  • PHP Agent

    • PHP Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.  

    • PHP Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability

    AppDynamics recommends that customers upgrade to PHP Agent 21.12.1. 

    No mitigation has been tested for this product at this time.

    For general information on configuring PHP Agent, see Start the PHP Agent Proxy Manually


  • Python Agent

    • Python Agents prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.  

    • Python Agents prior to 21.12.1 are at risk from the CVE-2021-45046 vulnerability. 

    AppDynamics recommends that customers upgrade to Python Agent 21.12.1. 

    No mitigation has been tested for this product at this time.

  • ServiceNow utility

    • ServiceNow utility versions prior to 21.12.0 are at risk from the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

    AppDynamics recommends that customers upgrade to ServiceNow utility 21.12.1.
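As an added example (not part of the AppDynamics advisory), the following Python script locates log4j-core jars under an agent install tree, checks whether JndiLookup.class is still present, and applies the same removal the `zip -dq` commands above perform, so the mitigation for the Java, Machine and Node.js agents can be verified rather than assumed. The lib/tp layout and the sample jar are constructed for the demo.

```python
import os
import tempfile
import zipfile

# Class whose removal is the advisory's mitigation (zip -dq log4j-core-*.jar .../JndiLookup.class).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(root):
    """Walk an install tree (e.g. <version>/lib/tp) and list every log4j-core-*.jar."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in filenames
                 if n.startswith("log4j-core-") and n.endswith(".jar")]
    return sorted(hits)

def has_jndi_lookup(jar_path):
    """True while JndiLookup.class is still in the jar, i.e. the mitigation is NOT applied."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if removed, False if already absent."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap; the application still needs a restart
    return True

def make_sample_jar(directory):
    """Constructed stand-in for a vulnerable log4j-core jar (not a real Log4j build)."""
    path = os.path.join(directory, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path

def demo():
    """Build the sample tree, locate the jar, verify, mitigate, verify again."""
    lib_tp = os.path.join(tempfile.mkdtemp(), "lib", "tp")
    os.makedirs(lib_tp)
    jar = make_sample_jar(lib_tp)
    found = find_log4j_core_jars(os.path.dirname(os.path.dirname(lib_tp)))
    before, removed = has_jndi_lookup(jar), strip_jndi_lookup(jar)
    with zipfile.ZipFile(jar) as z:
        remaining = len(z.namelist())
    return {"found": len(found), "before": before, "removed": removed,
            "again": strip_jndi_lookup(jar), "after": has_jndi_lookup(jar), "remaining": remaining}
```

Running `has_jndi_lookup` over every jar returned by `find_log4j_core_jars` after an upgrade or mitigation gives a quick confirmation that no agent copy of log4j-core still carries the lookup class.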

Need Additional Help?

Our CX teams are here to help you if you need additional advice on your remediation steps.  Please contact us here by booking a meeting with our team if we can be of any further assistance.


Products Confirmed Not Vulnerable
(to CVE-2021-44228 and CVE-2021-45046)

AppDynamics has confirmed that the following products are not affected by these vulnerabilities:

  • .NET Agent

  • ABAP Agent (SAP ABAP Monitoring)

  • Analytics Agent

  • Browser Real User Monitoring (BRUM)

  • C/C++ SDK Agent
  • Cluster Agent
  • Controller (On-Prem)**
  • Enterprise Console
  • EUM GeoServer
  • EUM Server

  • Events Service (On-Prem)

  • Go Language SDK Agent

  • IBM Integration Bus Agent (IIB) Agent

  • IoT Device SDKs (C/C++, Java, REST API)
  • Mobile RUM Agent

  • Network Agent
  • Ruby Agent

  • Synthetic Private Agent

  • Synthetic Server

**Java Agent will require an upgrade - please see “Controller” under Vulnerable Products above.


Source: Security Advisory: Apache Log4j Vulnerability - Product Announcements and Alerts - AppDynamics Documentation


About Mbarki Chadi

Web/Cloud project manager, founder of DCI Websolutions (Web, application and mobile development agency).