Log4j2 Vulnerability (CVE-2021-44228)

Dec 14th, 2021


VMS Software, Inc. offers the following response to the vulnerability reported for Apache Log4j2. See CVE.MITRE.ORG and the Apache website for more information.

The problem referenced by CVE-2021-44228 is as follows:

In Apache Log4j2 V2.14.1 (or earlier), the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

By default, VSI OpenVMS Apache Web Server (CSWS) with OpenJDK8 does not provide the log4j2 software add-on or distribute Log4j2 modules. Axis2 and ActiveMQ use Log4j, not Log4j2, and are not affected by the vulnerability. Kafka is only an API which interacts with Apache Kafka, so it is not affected either.

Attunity Connect on OpenVMS does not use Java. The Attunity STUDIO GUI tool, an Eclipse development environment, is 100% Java and does have Log4j included, but its development was frozen years ago and it only has versions 1.x. The Replicate server, which VSI will support to a degree, does have it. It runs on Windows or Linux; the module is part of a non-critical component for OpenVMS usage. The Qlik Enterprise manager, Windows only, also has Log4j2. Both Replicate and EM are fully Qlik supported; please ask Qlik for information on these products.

Mitigation:

In Log4j Version 2.15.0 and above, this behavior has been disabled by default. In previous releases (Version 2.10 and earlier), this behavior can be mitigated using one of two methods:

  1. Setting the system property "log4j2.formatMsgNoLookups" to "true"
  2. Removing the JndiLookup class from the classpath, for example:

    zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Java 8u121 protects against remote code execution by setting the default value for "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "False". See Java 8u121 release notes for more information.

In Version 2.10 and above, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

For Versions 2.7 through 2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.

For Versions 2.0-beta9 through 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:

zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The location of jar files containing the JndiLookup.class will vary based on where VSI Tomcat or VSI OpenJDK8 or earlier HPE Java versions have been installed.
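A portable way to locate and apply the class-removal mitigation above, as an added example that is not VSI's or Apache's own tooling: it walks a directory for JAR files that still contain JndiLookup.class, rewrites each one without that entry (the equivalent of the zip -q -d step, since Python's zipfile cannot delete in place), and verifies the result on a constructed sample jar.

```python
import os
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry removed by zip -q -d


def jar_has_jndi_lookup(jar_path):
    """True if the archive still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()


def find_vulnerable_jars(root):
    """Walk `root` and list every .jar that still carries JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    if jar_has_jndi_lookup(path):
                        hits.append(path)
                except zipfile.BadZipFile:
                    pass  # not a real archive, skip it
    return sorted(hits)


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if the entry was present and removed."""
    if not jar_has_jndi_lookup(jar_path):
        return False
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))  # keeps each entry's metadata
    os.replace(tmp, jar_path)  # swap in the cleaned archive on the same filesystem
    return True


def run_demo():
    """Constructed sample: a fake log4j-core jar holding JndiLookup.class (placeholder bytes)."""
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
        os.makedirs(os.path.dirname(jar))
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr(JNDI_ENTRY, b"placeholder, not a real class file")
            z.writestr("org/apache/logging/log4j/core/Core.class", b"placeholder")
        before = len(find_vulnerable_jars(root))
        removed = remove_jndi_lookup(jar)
        after = len(find_vulnerable_jars(root))
        return before, removed, after, remove_jndi_lookup(jar)
```

Point find_vulnerable_jars at the VSI Tomcat or OpenJDK installation root to get an inventory before and after the change; a second run should report nothing.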