Log4j RCE
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Overview
This article addresses the recent Log4j RCE.
Refer to the following links for more information:
- https://logging.apache.org/log4j/2.x/security.html
- https://usa.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/25936/
- https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file
Log4j and SFTP Gateway
SFTP Gateway v2 and v3 use logback for logging purposes, rather than log4j.
That being said, the following jar exists on SFTP Gateway:
BOOT-INF/lib/log4j-api-2.12.1.jar # on SFTP Gateway v2
BOOT-INF/lib/log4j-api-2.14.1.jar # on SFTP Gateway v3
At first glance, it may appear that the version of log4j falls within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
However, we are only using the log4j-api and NOT the core log4j-core.
According to this article: https://logging.apache.org/log4j/2.x/security.html
The versions affected are the core versions:
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
SFTP Gateway does not include log4j-core, because it does not use log4j.
SFTP Gateway uses logback for logging purposes.
We use a library called slf4j to translate log4j API calls to logback.
So, only the log4j-api jar is included in SFTP Gateway.
Log4j yum package
On Azure, we use CentOS 8. And the log4j yum package is not installed.
On AWS, we use Amazon Linux 2, which includes the log4j yum package.
[root@ip-172-31-4-141 sftpgw]# yum list installed log4j
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
218 packages excluded due to repository priority protections
Available Packages
log4j.noarch 1.2.17-16.amzn2 amzn2-core
However, this is version 1.2.17, and does not fall within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
Refer to this article regarding Amazon Linux 2 and log4j:
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/