Log4j RCE
Overview
This article addresses the recent Log4j RCE.
Refer to the following links for more information:
- https://logging.apache.org/log4j/2.x/security.html
- https://usa.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/25936/
- https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file
Log4j and SFTP Gateway
SFTP Gateway v2 and v3 use logback for logging purposes, rather than log4j.
That being said, the following jar exists on SFTP Gateway:
BOOT-INF/lib/log4j-api-2.12.1.jar # on SFTP Gateway v2
BOOT-INF/lib/log4j-api-2.14.1.jar # on SFTP Gateway v3
BOOT-INF/lib/log4j-api-2.17.1.jar # on SFTP Gateway v3.2.1
At first glance, it may appear that the version of log4j falls within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
However, we are only using log4j-api and NOT log4j-core.
According to https://logging.apache.org/log4j/2.x/security.html, the affected versions are the log4j-core versions:
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
SFTP Gateway does not include log4j-core, because it does not use log4j.
SFTP Gateway uses logback for logging purposes.
We use a library called slf4j to translate log4j API calls to logback.
So, only the log4j-api jar is included in SFTP Gateway.
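One way to confirm the API-only claim on a packaged application jar, as an added example (not SFTP Gateway's own code): it walks nested jars such as BOOT-INF/lib/*.jar, reports log4j-api and log4j-core entries, and also flags any jar that carries the JndiLookup class under a different file name. The function names, the in-memory sample jars and the logback file name are constructed for illustration, and the range check applies the version range quoted above.

```python
import io
import re
import zipfile

# Class file that ships in log4j-core; log4j-api does not contain it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_JAR = re.compile(r"(?:^|/)log4j-(api|core)-(\d+)\.(\d+)[\w.\-]*\.jar$")

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan_jar(data, prefix=""):
    """Recursively list log4j artifacts nested inside a jar (e.g. BOOT-INF/lib/*.jar)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in (n for n in zf.namelist() if n.endswith(".jar")):
            inner = zf.read(entry)
            try:
                with zipfile.ZipFile(io.BytesIO(inner)) as lib:
                    has_jndi = JNDI_CLASS in lib.namelist()
            except zipfile.BadZipFile:
                continue  # not a real archive, nothing to inspect
            m = LOG4J_JAR.search(entry)
            if m or has_jndi:  # has_jndi alone catches renamed or shaded copies
                artifact = m.group(1) if m else "unknown"
                # Range quoted on the page: log4j-core >= 2.0-beta9 and <= 2.14.1.
                # Simplification: every 2.0 through 2.14.x core jar counts as in range.
                in_range = (artifact == "core" and int(m.group(2)) == 2
                            and int(m.group(3)) <= 14)
                findings.append({"path": prefix + entry, "artifact": artifact,
                                 "has_jndi_lookup": has_jndi, "in_affected_range": in_range})
            findings.extend(scan_jar(inner, prefix + entry + "!/"))
    return findings

# Constructed samples: a fat jar laid out like the v3 listing above (API jar only),
# and a counter-example with log4j-core added.
API_JAR = make_jar({"org/apache/logging/log4j/Logger.class": b""})
API_ONLY = make_jar({
    "BOOT-INF/lib/log4j-api-2.14.1.jar": API_JAR,
    "BOOT-INF/lib/logback-classic-0.0.0.jar": make_jar({"ch/qos/logback/classic/Logger.class": b""}),
})
WITH_CORE = make_jar({
    "BOOT-INF/lib/log4j-api-2.14.1.jar": API_JAR,
    "BOOT-INF/lib/log4j-core-2.14.1.jar": make_jar({JNDI_CLASS: b""}),
})
```

To check a real file, pass its bytes: `scan_jar(open(path, "rb").read())`. An API-only result lists log4j-api with `has_jndi_lookup` and `in_affected_range` both false.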
Log4j yum package
On SFTP Gateway version 3.2.1, we use Ubuntu 20.04, and the log4j apt package is not installed.
[root@ip-172-31-4-141 sftpgw]# apt list --installed log4j
Listing... Done