GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Impact of Log4j vulnerability on GFI (CVE-2021-44228)
Impact of Log4j vulnerability on GFI [message #150660] Tue, 14 December 2021 00:54 Go to next message
srazvan is currently offline  srazvan
Messages: 9
Registered: September 2021
A new 0-day vulnerability, formally known as CVE-2021-44228, was published on the NIST National Vulnerability Database on Friday, December 10. It is found in the Log4j Java library.

Log4j is a popular open source logging library made by the Apache Software Foundation. The security vulnerability found in Log4j allows hackers to execute remote commands on a target system. The severity of the vulnerability is classified as "Critical" by NIST.

How are GFI products impacted?
The GFI development team is reviewing our products for use of Log4j.

A function of Kerio Connect utilizes Log4j, and a recommended mitigation is identified below.

If we identify any additional recommended mitigations, we will provide a follow up communication. Additional information, when available, will also be posted on https://techtalk.gfi.com/impact-of-log4j-vulnerability-on-gfi/.

Kerio Connect vulnerability mitigation
Log4j is used in Kerio Connect as part of the chat function. We recommend that all Kerio Connect users temporarily disable the chat function in the software.

To disable chat in Kerio Connect:
    Go to Configuration
    Click on Domains
    Double-click on the desired domain
    Find the "Chat" section on the General tab
    Deselect the "Enable chat in Kerio Connect Client." option
    Repeat the above steps for all of your email domains
Kerio Connect security hotfix
Work has already started on a security hotfix for Kerio Connect. We intend to deliver a public release in the next few days.

We will send a follow-up notification to all Kerio Connect customers at your registered email when the release is available.


GFI Customer Support Edge Team
Re: Impact of Log4j vulnerability on GFI [message #150662 is a reply to message #150660] Tue, 14 December 2021 10:38 Go to previous messageGo to next message
Backspin is currently offline  Backspin
Messages: 122
Registered: June 2008
Location: Amsterdam, the Netherland...
Thank you for finally posting some information from GFI's end.

I have one question: Kerio Connect is using a vulnerable version of log4j.
However, it is also using OpenJDK version 1.8.0_222.

On this page, it says that "If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Can you tell us if this is the case in OpenJDK 1.8.0_222 used in Kerio Connect? Because then Connect would not be vulnerable, would it?

Edit: never mind, all versions seem vulnerable now: https://twitter.com/marcioalm/status/1470361495405875200



[Updated on: Tue, 14 December 2021 10:44]

Report message to a moderator

Re: Impact of Log4j vulnerability on GFI [message #150663 is a reply to message #150662] Tue, 14 December 2021 11:28 Go to previous messageGo to next message
Backspin is currently offline  Backspin
Messages: 122
Registered: June 2008
Location: Amsterdam, the Netherland...
Still have some more questions: disabling Chat for every domain leaves java/log4j still running, as can be seen with 'lsof|grep log4j' on linux servers. Even after a reboot.

Does this mean there is still some way to attack log4j? Or was Connect only vulnerable for logged-in users for domains that had chat enabled?


Re: Impact of Log4j vulnerability on GFI [message #150665 is a reply to message #150663] Tue, 14 December 2021 16:15 Go to previous messageGo to next message
srazvan is currently offline  srazvan
Messages: 9
Registered: September 2021
Thank you for the question. It can be a concern that the service is still running.
Even with it running, there are no endpoints from our investigation that leaves Connect vulnerable, because that particular library is accessible when clients authenticate through chat.

We hope to have the new release with the updated library soon.


GFI Customer Support Edge Team
Re: Impact of Log4j vulnerability on GFI [message #150666 is a reply to message #150665] Tue, 14 December 2021 17:14 Go to previous messageGo to next message
Backspin is currently offline  Backspin
Messages: 122
Registered: June 2008
Location: Amsterdam, the Netherland...
Thanks again for keeping us informed.

One last question: if I understand correctly, Kerio Connect was only vulnerable for requests from authenticated clients? And not for hackers requesting specific chat-related urls from Connect without being authenticated?

Reason I'm asking is there are over 3 days before this GFI-information was posted and we could take action. If the chat-function was vulnerable for non-authenticated users over the last 3 days, I can't guarantee the integrity of the servers we manage.
If it was only vulnerable from authenticated users this greatly reduces the possibility that the log4j vulnerability was used to hack a server.


Re: Impact of Log4j vulnerability on GFI [message #150668 is a reply to message #150666] Tue, 14 December 2021 22:49 Go to previous messageGo to next message
AndreasL is currently offline  AndreasL
Messages: 115
Registered: July 2008
Location: Germany
I have informations from my distributor how to delete spezific parts from log4j-core-*.jar
The how-to is different in every opration system but work like this:
Stop kerio connect
find the file and make a backup
You have to open the file and delete org/apache/logging/log4j/core/lookup/JndiLookup.class inside the file
Start kerio connect

I cannot copy/paste the instructions without permissions but this could give you a clue what to do. I do this under windows and my kerio work with disabled chat as it should. So I can wait for the official patch to resolve the issure. For windows system you can follow this link and take a look to point 7:
https://nakedsecurity.sophos.com/2021/12/13/log4shell-explai ned-how-it-works-why-you-need-to-know-and-how-to-fix-it/

[Updated on: Tue, 14 December 2021 22:51]

Report message to a moderator

Re: Impact of Log4j vulnerability on GFI [message #150669 is a reply to message #150665] Wed, 15 December 2021 00:37 Go to previous messageGo to next message
blackbox is currently offline  blackbox
Messages: 46
Registered: May 2006
srazvan wrote on Tue, 14 December 2021 10:15
Thank you for the question. It can be a concern that the service is still running.
Even with it running, there are no endpoints from our investigation that leaves Connect vulnerable, because that particular library is accessible when clients authenticate through chat.

We hope to have the new release with the updated library soon.

To make sure I understand, the suggestion is that Kerio Connect's log4j vulnerability is only exploitable when executed within an authenticated chat session? Unauthenticated users aren't able to exploit Kerio Connect's log4j implementation?
Re: Impact of Log4j vulnerability on GFI [message #150678 is a reply to message #150669] Wed, 15 December 2021 19:45 Go to previous messageGo to next message
srazvan is currently offline  srazvan
Messages: 9
Registered: September 2021
blackbox wrote on Wed, 15 December 2021 01:37
srazvan wrote on Tue, 14 December 2021 10:15
Thank you for the question. It can be a concern that the service is still running.
Even with it running, there are no endpoints from our investigation that leaves Connect vulnerable, because that particular library is accessible when clients authenticate through chat.

We hope to have the new release with the updated library soon.
To make sure I understand, the suggestion is that Kerio Connect's log4j vulnerability is only exploitable when executed within an authenticated chat session? Unauthenticated users aren't able to exploit Kerio Connect's log4j implementation?
From current testing, I don't see an indication that an unauthenticated user can exploit Connect.


GFI Customer Support Edge Team
Re: Impact of Log4j vulnerability on GFI [message #150688 is a reply to message #150660] Tue, 21 December 2021 14:22 Go to previous messageGo to next message
srazvan is currently offline  srazvan
Messages: 9
Registered: September 2021
Update 2021. 12. 21

We are pleased to announce that Kerio Connect 9.3.1p2 is available. This security release addresses the vulnerability related to Log4j, formally known as CVE-2021-44228.

Release notes:

Apache log4j2 library upgrade to version 2.16.0 (fixing CVE-2021-44228 vulnerability)
The new version can be downloaded from the GFI Upgrade Center.

We recommend that all Kerio Connect customers install version 9.3.1p2 as soon as possible.

Once Kerio Connect 9.3.1p2 is deployed, the chat function can be safely re-enabled.


*Source


GFI Customer Support Edge Team
Re: Impact of Log4j vulnerability on GFI [message #150689 is a reply to message #150688] Tue, 21 December 2021 15:19 Go to previous messageGo to next message
PPG is currently offline  PPG
Messages: 165
Registered: February 2010
Thanks, but what about https://www.bleepingcomputer.com/news/security/upgraded-to-l og4j-216-surprise-theres-a-217-fixing-dos/ ??
Re: Impact of Log4j vulnerability on GFI [message #150694 is a reply to message #150689] Wed, 22 December 2021 02:29 Go to previous messageGo to next message
MacLab is currently offline  MacLab
Messages: 230
Registered: May 2012
I upgraded one server and the XMPP service will not stay running. Seeing this in logs.

21/Dec/2021 20:25:14] IM external process is not responding or is not running, closing all client sessions...
[21/Dec/2021 20:25:14] IM external process is not responding or is not running, trying to start it again...
[21/Dec/2021 20:27:24] IM external process is not responding or is not running, closing all client sessions...
[21/Dec/2021 20:27:24] IM external process is not responding or is not running, trying to start it again...

And found this in the error log

[21/Dec/2021 20:20:06] HealthMonitor.cpp: Problem has occured in the 'XMPP Server' component. 5 failures has been found. Component is paused for another 5 minutes. Enable 'XMPP Server' debug logging and inspect the log for more details.
[21/Dec/2021 20:32:46] HealthMonitor.cpp: Problem has occured in the 'XMPP Server' component. 5 failures has been found. Component is paused for another 5 minutes. Enable 'XMPP Server' debug logging and inspect the log for more details.


MacLab, Inc.
Kerio Certified Partner, Mac MSP
http://maclaboratory.com

[Updated on: Wed, 22 December 2021 02:34]

Report message to a moderator

Re: Impact of Log4j vulnerability on GFI [message #150695 is a reply to message #150694] Wed, 22 December 2021 03:02 Go to previous messageGo to next message
MacLab is currently offline  MacLab
Messages: 230
Registered: May 2012
Downgraded to previous version and problems went away. For what it's worth, this is on Mac platform.

MacLab, Inc.
Kerio Certified Partner, Mac MSP
http://maclaboratory.com
Re: Impact of Log4j vulnerability on GFI [message #150697 is a reply to message #150695] Wed, 22 December 2021 08:52 Go to previous messageGo to next message
Macoperator is currently offline  Macoperator
Messages: 15
Registered: January 2014
Location: Germany
I have the same issue! The XMPP server also fails to run with these error messages on my Kerio Connect server after the Log4J patch update. We should open a ticket!
Re: Impact of Log4j vulnerability on GFI [message #150698 is a reply to message #150697] Wed, 22 December 2021 09:16 Go to previous messageGo to next message
Momitsu is currently offline  Momitsu
Messages: 1
Registered: December 2021
Same problem here after patching a Windows server
Re: Impact of Log4j vulnerability on GFI [message #150699 is a reply to message #150698] Wed, 22 December 2021 12:58 Go to previous messageGo to previous message
MacLab is currently offline  MacLab
Messages: 230
Registered: May 2012
Guess we will look forward to p3. In the meantime I will stay with the patch of leaving chat off.

MacLab, Inc.
Kerio Certified Partner, Mac MSP
http://maclaboratory.com
Previous Topic: eM Client 9.1 give error with EWS
Next Topic: Technical Support for KerioConnect
Goto Forum:
  


Current Time: Wed Sep 28 08:07:37 CEST 2022

Total time taken to generate the page: 0.02713 seconds