Log4j RCE

Overview

This article addresses the recent Log4j RCE.

Refer to the following links for more information:

• https://logging.apache.org/log4j/2.x/security.html
• https://usa.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/25936/
• https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file

Log4j and SFTP Gateway

SFTP Gateway v3 uses logback for logging purposes, rather than log4j.

That being said, the following jar exists on SFTP Gateway:

BOOT-INF/lib/log4j-api-2.17.1.jar   

This version falls outside the vulnerable version range:

2.0 <= Apache log4j <= 2.14.1

But more importantly, we are only using the log4j-api and NOT the core log4j-core.

According to this article: https://logging.apache.org/log4j/2.x/security.html

The versions affected are the core versions:

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

SFTP Gateway does not include log4j-core, because it does not use log4j.

SFTP Gateway uses logback for logging purposes. We use a library called slf4j to translate log4j API calls to logback. So, only the log4j-api jar is included in SFTP Gateway.

Log4j apt package

On Google Cloud, we use Ubuntu 20.04. And the log4j apt package is not installed.

[root@ip-172-31-4-141 sftpgw]# apt list installed log4j
Listing... Done