Log4j RCE
Overview
This article addresses the recent Log4j RCE.
Refer to the following links for more information:
- https://logging.apache.org/log4j/2.x/security.html
- https://usa.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/25936/
- https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file
Log4j and SFTP Gateway
SFTP Gateway v2 and v3 use logback for logging purposes, rather than log4j.
That being said, the following jar exists on SFTP Gateway:
BOOT-INF/lib/log4j-api-2.12.1.jar # on SFTP Gateway v2
BOOT-INF/lib/log4j-api-2.14.1.jar # on SFTP Gateway v3
At first glance, it may appear that the version of log4j falls within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
However, we only ship the log4j-api jar and NOT the core log4j-core jar.
According to this article: https://logging.apache.org/log4j/2.x/security.html
The versions affected are the core versions:
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
SFTP Gateway does not include log4j-core, because it does not use log4j. SFTP Gateway uses logback for logging purposes. We use a library called slf4j to translate log4j API calls to logback. So, only the log4j-api jar is included in SFTP Gateway.
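The distinction above (log4j-api present, log4j-core absent) is exactly what a deployment check should look for. The following script is an added example, not code from SFTP Gateway or the article: it opens a Spring Boot style fat jar, lists the log4j modules under BOOT-INF/lib, and reports whether log4j-core is present with a version inside the advisory's range (>=2.0-beta9 and <=2.14.1). The sample jars it inspects are constructed in memory with empty entries so the script runs offline; the module names and the BOOT-INF/lib path are the ones the article quotes.

```python
import io
import re
import zipfile

# Range quoted from the Apache advisory for log4j-core (the module that is affected).
VULNERABLE_LOW = "2.0-beta9"
VULNERABLE_HIGH = "2.14.1"

# Pre-releases sort before the final release, which gets rank 2.
PRERELEASE_RANK = {"beta": 0, "rc": 1}


def parse_version(text):
    """Turn a log4j version string ("2.0-beta9", "2.14.1") into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRERELEASE_RANK.get(pre, 2), int(pre_num or 0))


# Matches BOOT-INF/lib/log4j-api-<ver>.jar and BOOT-INF/lib/log4j-core-<ver>.jar
JAR_NAME = re.compile(r"^BOOT-INF/lib/(log4j-(?:api|core))-([0-9][^/]*)\.jar$")


def find_log4j_modules(fat_jar_bytes):
    """Map each log4j module found under BOOT-INF/lib to its version string."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(fat_jar_bytes)) as zf:
        for entry in zf.namelist():
            m = JAR_NAME.match(entry)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def assess(modules):
    """Classify an application from the log4j modules it ships.

    Only log4j-core is in scope of the advisory, so an api-only bundle
    (the SFTP Gateway case) is reported as not affected.
    """
    core = modules.get("log4j-core")
    if core is None:
        return "not-affected-api-only" if "log4j-api" in modules else "no-log4j"
    version = parse_version(core)
    if parse_version(VULNERABLE_LOW) <= version <= parse_version(VULNERABLE_HIGH):
        return "vulnerable-core-in-range"
    return "core-outside-quoted-range"


def build_sample_jar(lib_names):
    """Constructed stand-in for a Spring Boot fat jar: empty entries with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "")
        for name in lib_names:
            zf.writestr(f"BOOT-INF/lib/{name}", b"")
    return buf.getvalue()


# Constructed samples: one mirrors the article's api-only layout, one ships log4j-core.
API_ONLY_JAR = build_sample_jar(
    ["log4j-api-2.14.1.jar", "logback-classic-1.2.3.jar", "slf4j-api-1.7.30.jar"])
CORE_JAR = build_sample_jar(["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar"])

if __name__ == "__main__":
    for label, data in [("api-only", API_ONLY_JAR), ("with-core", CORE_JAR)]:
        modules = find_log4j_modules(data)
        print(label, modules, assess(modules))
```

To run it against a real deployment, read the application jar from disk and pass its bytes to find_log4j_modules; a result other than "no-log4j" or "not-affected-api-only" means log4j-core is shipped and the version has to be checked against the current advisory, since the range above is only the one this article quotes.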
Log4j yum package
On Azure, we use CentOS 8, and the log4j yum package is not installed.
On AWS, we use Amazon Linux 2, which includes the log4j yum package.
[root@ip-172-31-4-141 sftpgw]# yum list installed log4j
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
218 packages excluded due to repository priority protections
Available Packages
log4j.noarch 1.2.17-16.amzn2 amzn2-core
However, this is version 1.2.17, and does not fall within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
Refer to this article regarding Amazon Linux 2 and log4j:
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/