Re: CVE-2021-44228 "Log4Shell" [message #150645 is a reply to message #150644]
Mon, 13 December 2021 09:52
frankdb
Messages: 2 Registered: February 2021
PPG wrote on Mon, 13 December 2021 09:49:
Done some more research (running KC 9.3.1P1)
1. the packaged Java version is 8u222 (JAVA_VERSION="1.8.0_222")
see ..\MailServer\javaservices\jre\release
2. This version is not vulnerable to JNDI:
https://www.lunasec.io/docs/blog/log4j-zero-day/
Would really like to hear from GFI now!

The article linked in 2. states that the LDAP attack vector is not present in versions greater than those listed. Unfortunately, this isn't the only attack vector present.
Re: CVE-2021-44228 "Log4Shell" [message #150648 is a reply to message #150645]
Mon, 13 December 2021 13:06
mzaidi
Messages: 120 Registered: April 2021
Hi,
The GFI Development team is aware of the vulnerability which has been announced for log4j.
Product vulnerability assessment and fix is being handled as our top priority at the moment. We don't have any evidence of this vulnerability having been exploited so far.
For more information and updates, please contact the Technical Support team by creating a support ticket at https://support.gfi.com.
Re: CVE-2021-44228 "Log4Shell" [message #150649 is a reply to message #150639]
Mon, 13 December 2021 13:11
robin.maier
Messages: 2 Registered: December 2021
boisbleu wrote on Mon, 13 December 2021 08:14:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Copy the file to another system, remove the class from the archive, rename the file on the server, copy the modified file to the server and restart the service.

Thank you, it looks like this workaround is working. At least KC is starting up without problems.
Two more questions:
1. Am I safe against this vulnerability now, removing the above class from the jar file?
2. How is this affecting any service of KC?
Re: CVE-2021-44228 "Log4Shell" [message #150652 is a reply to message #150650]
Mon, 13 December 2021 14:17
areichmann
Messages: 120 Registered: December 2012
mistamilla wrote on Mon, 13 December 2021 13:12:
We solved it temporarily with the following entry in logging.properties:
Go to
$KerioInstallDir/javaservices/jre/lib/logging.properties
add
# Log4J Mitigation 20211211
log4j2.formatMsgNoLookups=true
Reboot Kerio Connect Server.

Works only with log4j > 2.10 (Kerio Connect uses 2.5)
[Updated on: Mon, 13 December 2021 14:19]
Re: CVE-2021-44228 "Log4Shell" [message #150654 is a reply to message #150652]
Mon, 13 December 2021 16:03
robin.maier
Messages: 2 Registered: December 2021
For those who are unsure... there is a log4j tester available --> https://github.com/mergebase/log4j-detector
Testing my modified log4j-core-2.5.jar file (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) gives me a:
javaservices\im\lib\log4j-core-2.5.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_
The original was detected as:
javaservices\im\lib\ORG___log4j-core-2.5.jar___ORG contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
I hope this will fix it until we get an update from GFI
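The two posts above (the zip -d workaround and checking the result with a detector) can be done in one script. The example below is added here and is not code from GFI, Kerio or the mergebase detector: it walks a directory for log4j-core jars, reads the version from the jar's Maven pom.properties, reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, and rewrites the jar without that class while keeping a .orig backup. The verdict thresholds (2.16.0 and 2.17.0) are the ones discussed in this thread. The sample jar it builds in a temp directory is constructed for the demo; its .class entries are placeholder bytes, not real bytecode.

```python
"""Find log4j-core jars, classify them, and strip JndiLookup.class the way the
zip -d workaround in this thread does.  Added example, not GFI/Kerio/mergebase
code.  The sample jar is constructed in a temp dir so the script runs offline."""
import io
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'version=2.5' -> (2, 5, 0); suffixes such as '-beta9' are dropped."""
    for line in text.splitlines():
        if line.startswith("version="):
            nums = []
            for part in line.split("=", 1)[1].strip().split("."):
                m = re.match(r"\d+", part)
                if not m:
                    break
                nums.append(int(m.group()))
            while len(nums) < 3:
                nums.append(0)
            return tuple(nums[:3])
    return None


def verdict(version, has_jndi):
    """Pure classification, using the version thresholds quoted in this thread."""
    if version is not None and version >= (2, 17, 0):
        return "FIXED (>= 2.17.0)"
    if version is not None and version >= (2, 16, 0):
        return "CVE-2021-44228 fixed, CVE-2021-45105 open: upgrade to 2.17.0"
    if not has_jndi:
        return "MITIGATED (JndiLookup.class removed)"
    if version is None:
        return "UNKNOWN version, JndiLookup.class present"
    return "VULNERABLE (JndiLookup.class present, version < 2.16.0)"


def assess_jar(path):
    """Return {'path','version','jndi_class','verdict'} for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    has_jndi = JNDI_CLASS in names
    return {"path": path, "version": version, "jndi_class": has_jndi,
            "verdict": verdict(version, has_jndi)}


def strip_jndi_class(jar_path):
    """Rewrite jar_path without JndiLookup.class, keeping jar_path + '.orig'.
    Returns True if the class was removed, False if it was not present."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar_path, jar_path + ".orig")
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, jar_path)  # atomic swap; restart the service afterwards
    return True


def scan_tree(root):
    """Assess every jar under root that carries log4j-core markers or its name."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    names = set(zf.namelist())
            except zipfile.BadZipFile:
                continue
            if (POM_PROPS in names or JNDI_CLASS in names
                    or name.lower().startswith("log4j-core")):
                results.append(assess_jar(path))
    return results


def make_sample_jar(directory, version="2.5", with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (NOT a real jar)."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "#Generated by Maven\nversion=%s\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build a fake log4j-core-2.5.jar, assess, strip the class, re-assess."""
    workdir = tempfile.mkdtemp()
    try:
        jar = make_sample_jar(workdir, "2.5")
        before = assess_jar(jar)
        removed = strip_jndi_class(jar)
        after = assess_jar(jar)
        backup_has_class = assess_jar(jar + ".orig")["jndi_class"]
        return before["verdict"], removed, after["verdict"], backup_has_class
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real install point scan_tree() at the Kerio installation directory (for example MailServer\javaservices on Windows) and only call strip_jndi_class() with the service stopped; keep the .orig file until the vendor update lands. Note that 2.16.0 and later still ship JndiLookup.class, so the version check runs before the class check.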
Re: CVE-2021-44228 "Log4Shell" [message #150658 is a reply to message #150651]
Mon, 13 December 2021 19:43
Printery Technician
Messages: 2 Registered: January 2017
boisbleu wrote on Mon, 13 December 2021 14:06:
atgfi wrote on Mon, 13 December 2021 09:35:
Hello,
change the following settings in mailserver.cfg from 1 to 0:
<table name="InstantMessaging">
...
<variable name="Enabled">0</variable>
...
</table>
<table name="WebIM">
...
<variable name="Enabled">0</variable>
...
</table>

Thanks for this! Together with
<table name="FullTextSearch">
<variable name="Enabled">0</variable>
and removing the class from the jar file my mail servers should be safe at the moment.

Hi
Are you sure that FullTextSearch uses anything related to 'Log4j'? Because I didn't find anything within the /mailserver/javaservices/fulltext paths
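The mailserver.cfg edit quoted above (flipping Enabled from 1 to 0 for the InstantMessaging, WebIM and FullTextSearch tables) as an added example, not GFI code. It assumes only what the quoted fragment shows: `<table name="...">` elements containing `<variable name="...">` elements. The `<config>` root element and the sample file below are constructed for the demo, not copied from a real mailserver.cfg. Stop the Kerio Connect service before editing the real file.

```python
"""Set Enabled=0 for the Kerio Connect tables named in this thread.
Added example, not GFI code.  The <config> root and SAMPLE_CFG are
constructed assumptions; only <table name>/<variable name> come from the thread."""
import os
import shutil
import xml.etree.ElementTree as ET

SERVICES_TO_DISABLE = ("InstantMessaging", "WebIM", "FullTextSearch")

# Constructed sample; the real file has many more tables and variables.
SAMPLE_CFG = """<?xml version="1.0"?>
<config>
  <table name="InstantMessaging">
    <variable name="Enabled">1</variable>
    <variable name="Port">5222</variable>
  </table>
  <table name="WebIM">
    <variable name="Enabled">1</variable>
  </table>
  <table name="FullTextSearch">
    <variable name="Enabled">1</variable>
  </table>
  <table name="Smtp">
    <variable name="Enabled">1</variable>
  </table>
</config>
"""


def disable_tables(xml_text, tables=SERVICES_TO_DISABLE):
    """Return (new_xml_text, changed_tables) with Enabled=0 for the named
    tables.  Other tables are untouched; already-disabled ones count as
    unchanged, so running it twice is harmless."""
    root = ET.fromstring(xml_text)
    changed = []
    for table in root.iter("table"):
        if table.get("name") not in tables:
            continue
        for var in table.findall("variable"):
            if var.get("name") == "Enabled" and (var.text or "").strip() != "0":
                var.text = "0"
                changed.append(table.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


def enabled_state(xml_text):
    """Map table name -> Enabled value, used to verify the result."""
    state = {}
    for table in ET.fromstring(xml_text).iter("table"):
        for var in table.findall("variable"):
            if var.get("name") == "Enabled":
                state[table.get("name")] = (var.text or "").strip()
    return state


def patch_file(path, tables=SERVICES_TO_DISABLE):
    """Edit the config in place, keeping path + '.bak'; returns changed tables.
    ElementTree drops XML comments, so diff the .bak before restarting."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = disable_tables(text, tables)
    if changed:
        shutil.copy2(path, path + ".bak")
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.replace(tmp, path)  # atomic swap
    return changed


if __name__ == "__main__":
    patched, changed = disable_tables(SAMPLE_CFG)
    print("changed:", changed)
    print("state:", enabled_state(patched))
```

Run patch_file() against the real mailserver.cfg path with the service stopped, then verify with enabled_state() on the file contents before starting it again.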
Re: CVE-2021-44228 "Log4Shell" [message #150696 is a reply to message #150692]
Wed, 22 December 2021 08:19
Derek!
Messages: 1 Registered: December 2021
freakinvibe wrote on Tue, 21 December 2021 18:56:
Apache log4j2 library upgrade to version 2.16.0 (fixing CVE-2021-44228 vulnerability)

Unfortunately, this version of log4j is also vulnerable (CVE-2021-45105). Hopefully GFI will soon release a new patch with log4j 2.17.0, because this is the only safe version right now.