Re: CVE-2021-44228 "Log4Shell" [message #150644 is a reply to message #150640] Mon, 13 December 2021 09:49
PPG
Done some more research (running KC 9.3.1P1)
1. the packaged java version is 8u222 (JAVA_VERSION="1.8.0_222")
see ..\MailServer\javaservices\jre\release
2. This version is not vulnerable for JNDI:
https://www.lunasec.io/docs/blog/log4j-zero-day/

Would really like to hear from GFI now!
Re: CVE-2021-44228 "Log4Shell" [message #150645 is a reply to message #150644] Mon, 13 December 2021 09:52
frankdb
PPG wrote on Mon, 13 December 2021 09:49
Done some more research (running KC 9.3.1P1)
1. the packaged java version is 8u222 (JAVA_VERSION="1.8.0_222")
see ..\MailServer\javaservices\jre\release
2. This version is not vulnerable for JNDI:
https://www.lunasec.io/docs/blog/log4j-zero-day/

Would really like to hear from GFI now!

The article linked in 2. states that the LDAP attack vector is not present in versions greater than those listed. Unfortunately this isn't the only attack vector present.
Re: CVE-2021-44228 "Log4Shell" [message #150648 is a reply to message #150645] Mon, 13 December 2021 13:06
mzaidi
Hi,

The GFI Development team is aware of the vulnerability which has been announced on log4j.

Product vulnerability assessment and fix is being handled as our top priority at the moment. We don't have any evidence of this vulnerability having been exploited so far.

For more information and update, please contact the Technical support team by creating a support ticket on https://support.gfi.com.
Re: CVE-2021-44228 "Log4Shell" [message #150649 is a reply to message #150639] Mon, 13 December 2021 13:11
robin.maier
boisbleu wrote on Mon, 13 December 2021 08:14

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Copy the file to another system, remove the class from the archive, rename the file on the server, copy the modified file to the server and restart the service.

Thank you, it looks like this workaround is working. At least KC is starting up without problems.
Two more questions:
1. Am I safe against this vulnerability now, removing the above class from the jar file?
2. How is this affecting any service of KC?
Re: CVE-2021-44228 "Log4Shell" [message #150650 is a reply to message #150648] Mon, 13 December 2021 13:12
mistamilla

We solved it temporarily with following entry in logging.properties:

Go to
$KerioInstallDir/javaservices/jre/lib/logging.properties
add
# Log4J Mitigation 20211211
log4j2.formatMsgNoLookups=true

Reboot Kerio Connect Server.


KerioConnect Server 9.4.1, Mac mini M1 (8G/512G), macOS 12.x | KerioConnect Server 9.4.1 SaaS, VM Debian GNU/Linux 11.2 | KerioConnect Server 9.4.1, Mac mini i7 (32G/2T), macOS 12.x | …
Re: CVE-2021-44228 "Log4Shell" [message #150651 is a reply to message #150641] Mon, 13 December 2021 14:06
boisbleu
atgfi wrote on Mon, 13 December 2021 09:35
Hello,
change following settings in mailserver.cfg from 1 to 0:


<table name="InstantMessaging">
...
<variable name="Enabled">0</variable>
...
</table>

<table name="WebIM">
...
<variable name="Enabled">0</variable>
...
</table>
Thanks for this! Together with

<table name="FullTextSearch">
<variable name="Enabled">0</variable>

and removing the class from the jar file my mailservers should be safe at the moment. :)

[Updated on: Mon, 13 December 2021 14:09]

Re: CVE-2021-44228 "Log4Shell" [message #150652 is a reply to message #150650] Mon, 13 December 2021 14:17
areichmann
mistamilla wrote on Mon, 13 December 2021 13:12
We solved it temporarily with following entry in logging.properties:

Go to
$KerioInstallDir/javaservices/jre/lib/logging.properties
add
# Log4J Mitigation 20211211
log4j2.formatMsgNoLookups=true

Reboot Kerio Connect Server.
Works only with log4j > 2.10 (kerio connect uses 2.5)

[Updated on: Mon, 13 December 2021 14:19]

Re: CVE-2021-44228 "Log4Shell" [message #150653 is a reply to message #150652] Mon, 13 December 2021 15:38
james_bray
Excellent advice, especially the lsof command.
Re: CVE-2021-44228 "Log4Shell" [message #150654 is a reply to message #150652] Mon, 13 December 2021 16:03
robin.maier
For those who are unsure....there is a log4j tester available --> https://github.com/mergebase/log4j-detector
Testing my modified log4j-core-2.5.jar file (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) gives me a:

javaservices\im\lib\log4j-core-2.5.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ :-|

The original was detected as:
javaservices\im\lib\ORG___log4j-core-2.5.jar___ORG contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(

I hope this will fix it until we get an update from GFI
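
Added example (not part of any post in this thread, and not GFI or log4j-detector code): a Python check in the spirit of the jar test above and of the earlier remark that `log4j2.formatMsgNoLookups` needs a newer log4j than the bundled 2.5. It assumes the jar carries the standard Maven `pom.properties`; the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the jar was built with Maven and still carries its pom.properties.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def inspect_jar(jar):
    """jar: path or file-like object. Report what each workaround achieves for it."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    return {
        "version": version,
        # True means the class targeted by the 'zip -q -d' workaround is still there.
        "jndi_lookup_present": JNDI_CLASS in names,
        # The formatMsgNoLookups switch is only read by log4j-core 2.10.0 and later.
        "no_lookups_flag_honoured": version is not None and version >= (2, 10, 0),
    }

def make_sample_jar(version, with_jndi):
    """Build a constructed, minimal stand-in for a log4j-core jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    samples = {
        "2.5 original (constructed)": make_sample_jar("2.5", True),
        "2.5 class removed (constructed)": make_sample_jar("2.5", False),
        "2.10.0 (constructed)": make_sample_jar("2.10.0", True),
    }
    for label, jar in samples.items():
        print(label, inspect_jar(jar))
```

On a real server, pass the path of each `log4j-core-*.jar` found under the install directory to `inspect_jar` and re-run it after any change to confirm the jar on disk is the modified one.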
Re: CVE-2021-44228 "Log4Shell" [message #150656 is a reply to message #150652] Mon, 13 December 2021 16:53
JamesL
To be sure, I have deleted in log4j-core-*.jar the file
org/apache/logging/log4j/core/lookup/JndiLookup.class.

This is described here:
https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/
Re: CVE-2021-44228 "Log4Shell" [message #150658 is a reply to message #150651] Mon, 13 December 2021 19:43
Printery Technician
boisbleu wrote on Mon, 13 December 2021 14:06
atgfi wrote on Mon, 13 December 2021 09:35
Hello,
change following settings in mailserver.cfg from 1 to 0:


<table name="InstantMessaging">
...
<variable name="Enabled">0</variable>
...
</table>

<table name="WebIM">
...
<variable name="Enabled">0</variable>
...
</table>
Thanks for this! Together with

<table name="FullTextSearch">
<variable name="Enabled">0</variable>


and removing the class from the jar file my mailservers should be safe at the moment. :)


Hi :)
Are you sure that FullTextSearch is using something related to 'Log4j'? Because I didn't find anything within the /mailserver/javaservices/fulltext paths
Re: CVE-2021-44228 "Log4Shell" [message #150659 is a reply to message #150625] Tue, 14 December 2021 00:19
nibs

GFI now have a TechTalk page regarding this vulnerability and how to mitigate it in Kerio Connect here:

https://techtalk.gfi.com/impact-of-log4j-vulnerability-on-gfi/
Re: CVE-2021-44228 "Log4Shell" [message #150670 is a reply to message #150625] Wed, 15 December 2021 05:31
Nick.Geary
Our Development Team is working to patch this vulnerability with the highest priority.

"Our Development team is aware of the vulnerability which has been announced on log4j.
Product vulnerability assessment and fix is being handled as our top priority at the moment. We don't have any evidence of this vulnerability having been exploited so far.
We will communicate as soon as we have a significant update from the Development team to share"

For the Kerio Connect Product log4j is used in chat

If chat function is temporarily disabled in domain settings this will provide immediate fix to reduce exposure until a patch is released

For enabling or disabling chat in Kerio Connect



Nick Geary
GFI Software
Re: CVE-2021-44228 "Log4Shell" [message #150692 is a reply to message #150625] Tue, 21 December 2021 18:56
freakinvibe
Just saw that there is a patch now:

We are pleased to announce that Kerio Connect 9.3.1p2 is available. This security release addresses the vulnerability related to Log4j, formally known as CVE-2021-44228.

Release notes:

Apache log4j2 library upgrade to version 2.16.0 (fixing CVE-2021-44228 vulnerability)

The new version can be downloaded from the GFI Upgrade Center.

We recommend that all Kerio Connect customers install version 9.3.1p2 as soon as possible.

Once Kerio Connect 9.3.1p2 is deployed, the chat function can be safely re-enabled.


Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
Re: CVE-2021-44228 "Log4Shell" [message #150696 is a reply to message #150692] Wed, 22 December 2021 08:19
Derek!
freakinvibe wrote on Tue, 21 December 2021 18:56

Apache log4j2 library upgrade to version 2.16.0 (fixing CVE-2021-44228 vulnerability)
Unfortunately, this version of log4j is also vulnerable (CVE-2021-45105). Hopefully GFI will release soon a new patch with log4j 2.17.0, because this is the only safe version right now.