Insights Hub Critical vulnerability (log4shell) in Apache Log4j library (CVE-2021-44228)

2023-04-17T08:50:01Z
Applications

Summary


Details

You are concerned about the critical vulnerability in the Apache Log4j library, also known as Log4Shell. What do I need to know? Do I have to do anything myself? How do I know whether I am affected?

Solution

A critical vulnerability in Apache Log4j library (CVE-2021-44228) was published on December 9, 2021.

Insights Hub (formerly known as MindSphere) has patched the overall platform, including the underlying Cloud Foundry system.

If you are a developer or an operator of an application that uses the Java buildpack in Cloud Foundry, you will need to take action.

A new Java buildpack that fixes the vulnerability has been released, so you need to upgrade to the latest Java buildpack:

1. Check your dependencies and your third-party libraries for log4j.

2. If log4j is used, check whether you use a vulnerable version (2.x up to and including 2.16.x).

3. If so, an upgrade to a non-vulnerable version is required: version 2.17.0 or higher (the earlier recommendations of 2.15.0 and 2.16.0 were superseded; see the updates below).

4. Use the new buildpack by restaging your application:

   cf restage ADD_APP_NAME_HERE

If you use a version 2.10.X – 2.14.X, the following workaround is available in case an upgrade is currently not feasible:

Set the environment variable and restart the application:

   cf set-env ADD_APP_NAME_HERE LOG4J_FORMAT_MSG_NO_LOOKUPS true

   cf restart ADD_APP_NAME_HERE

Update Jan 12, 2022:

  • CVE-2021-44832 was published on Dec 28, 2021 with a base score of 6.6.

    Insights Hub (formerly known as MindSphere) is applying patches to ensure the overall security of the platform. We recommend that customers using the Java buildpack in Cloud Foundry upgrade to a non-vulnerable version (2.17.1 or higher). We keep monitoring the situation and continuously apply patches based on our secure development process.

    We also recommend following the updates on https://logging.apache.org/log4j/2.x/security.html

Update Dec 17, 2021:

  • CVE-2021-45046 (raised against Apache Log4j version 2.15.0 and fixed in 2.16.0) has had its score upgraded from 3.7 to 9.

  • CVE-2021-45105, found in Apache Log4j version 2.16.0, allows DoS attacks. It was fixed in 2.17.0 and rated with a 7.5 (high) score.

    We recommend that all customers upgrade to the latest Apache log4j version.

Update Dec 16, 2021:

In order to keep the platforms secure and reliable, we require a maintenance window:

  Platforms: AWS, ALI & Azure
  Date: 17th December 2021, 09:00 – 10:00 AM CET

This maintenance process will not have an impact on any of the Cloud Foundry and Insights Hub (formerly known as MindSphere) functionalities. However, there can be a partial downtime for a very short period of time due to service restart.

Please note that customers using the Mendix buildpack should also review their application and upgrade to log4j version 2.16.0. More information regarding Mendix can be found here: https://status.mendix.com/incidents/8j5043my610c

Update Dec 15, 2021:

A new CVE for the Apache Log4j library (CVE-2021-45046) was published on December 14, 2021.

  1. The LOG4J_FORMAT_MSG_NO_LOOKUPS approach mentioned above is considered insufficient from the maintainer's perspective. Although it reduces the risk, under certain circumstances the vulnerability could still be exploited.

  2. Version 2.15 is so far considered secure in our understanding, although this might change.

  3. Version 2.15 still has an open vulnerability that could cause a denial of service attack against the application; therefore the maintainer released 2.16.
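Pulling the version guidance of this article and its updates together, the following POSIX shell helper is an added example (not from the Insights Hub article or its operators): it classifies a log4j-core version string into the ranges described above and reports every log4j-core jar found under a directory such as a local build output. It assumes jars are named log4j-core-<version>.jar and deliberately does not model the separate Java 6/7 backport releases of log4j.

```shell
#!/bin/sh
# Added example, not part of the Insights Hub article. Assumption: jars are
# named log4j-core-<version>.jar; the Java 6/7 backport releases are not modelled.

# log4j_status VERSION -> prints one word:
#   upgrade-only       2.0 .. 2.9.x    CVE-2021-44228; the env-var workaround does not apply
#   workaround-ok      2.10 .. 2.14.x  CVE-2021-44228; LOG4J_FORMAT_MSG_NO_LOOKUPS reduces risk
#   partial-fix        2.15.x, 2.16.x  still affected by CVE-2021-45046 / CVE-2021-45105
#   upgrade-to-2.17.1  2.17.0          CVE-2021-44832
#   ok                 2.17.1 or higher
#   unknown            anything that is not a 2.x version
log4j_status() {
  v=$1
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; minor=${minor%%[!0-9]*}            # "0-beta9" -> "0"
  patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0   # "2.16" has no patch part
  patch=${patch%%[!0-9]*}; [ -z "$patch" ] && patch=0
  [ "$major" = 2 ] && [ -n "$minor" ] || { echo unknown; return 0; }
  if   [ "$minor" -le 9 ];  then echo upgrade-only
  elif [ "$minor" -le 14 ]; then echo workaround-ok
  elif [ "$minor" -le 16 ]; then echo partial-fix
  elif [ "$minor" -eq 17 ] && [ "$patch" -eq 0 ]; then echo upgrade-to-2.17.1
  else echo ok
  fi
}

# scan_log4j DIR -> one line per log4j-core jar found: "<status> <path>"
scan_log4j() {
  find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    ver=${jar##*/log4j-core-}; ver=${ver%.jar}
    echo "$(log4j_status "$ver") $jar"
  done
}
```

Run it against an unpacked application (for example `scan_log4j ./target`) before restaging; any line other than `ok` means the upgrade or, for `workaround-ok`, at least the environment-variable workaround is still outstanding.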

Notes

Additional information about the vulnerabilities can be found here:

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://logging.apache.org/log4j/2.x/security.html

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

https://nvd.nist.gov/vuln/detail/CVE-2021-44832


KB Article ID# PL8600797

Associated Components: Launchpad