    • #12365
      Grit Rother
      Administrator

        We have summarised our findings regarding OTOBO and the Log4J Zero Day Vulnerability in an article on

        https://otobo.de/de/otobo-und-cve-2021-44228/   -> German

        https://otobo.de/en/otobo-and-cve-2021-44228/ -> English


      • #12380
        Christof Kihm
        Participant

          Hello all together,

          using a detection tool on GitHub (https://github.com/logpresso/CVE-2021-44228-Scanner)

          (there are many others, please see https://www.heise.de/forum/heise-online/Kommentare/Erpressergruppe-Conti-nutzt-Sicherheitsluecke-Log4Shell-fuer-ihre-Ransomware/Re-wie-pruefen/posting-40175798/show/)

          I get the following results on an openSUSE OTOBO Docker installation (before doing the http://yourIPorFQDN/otobo/installer.pl installation):

          **************************************************************************************************

          sudo ./log4j2-scan /
          Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 (2021-12-20)
          Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/1026, /var/lib/docker/containers/d9de95f99ac2a883d8becb4f58041707545946f2234201a220281eab11b1db65/mounts/shm, /var/lib/docker/containers/d9de95f99ac2a883d8becb4f58041707545946f2234201a220281eab11b1db65/mounts/secrets, /var/lib/docker/containers/d1eb0f981778f633cfee1ae975f947ac78df71b158068f4dab58da54d7508ec1/mounts/shm, /var/lib/docker/containers/d1eb0f981778f633cfee1ae975f947ac78df71b158068f4dab58da54d7508ec1/mounts/secrets, /var/lib/docker/containers/3d7a9ba83f30176e0416d4268824b6f1ecda3a0be23dce020d63b4a60730a701/mounts/shm, /var/lib/docker/containers/3d7a9ba83f30176e0416d4268824b6f1ecda3a0be23dce020d63b4a60730a701/mounts/secrets, /var/lib/docker/containers/9dd2420bee0c29ffc2022f1fa57140a6a4a81b62824a361a17d105099bbda44b/mounts/shm, /var/lib/docker/containers/9dd2420bee0c29ffc2022f1fa57140a6a4a81b62824a361a17d105099bbda44b/mounts/secrets, /var/lib/docker/containers/a6716382af446e7395bc5d623e6638df4bada84e591111d12f03fa8167a1f35f/mounts/shm, /var/lib/docker/containers/a6716382af446e7395bc5d623e6638df4bada84e591111d12f03fa8167a1f35f/mounts/secrets)
          [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/5b15f51093f1016bce3374b0dae0d92077b477f5eed7fed0905bd8c93fb44372/merged/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
          [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/5b15f51093f1016bce3374b0dae0d92077b477f5eed7fed0905bd8c93fb44372/merged/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
          [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
          Running scan (10s): scanned 22295 directories, 158438 files, last visit: /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/bin
          [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a28a59356b3ebcc6425ea068d1719fe09f6960efaddad056f380addb9449ecc1/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
          [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /home/cki/D_IWS022/bin/arduino/lib/log4j-core-2.12.0.jar, log4j 2.12.0

          Scanned 870361 directories and 11975419 files
          Found 3 vulnerable files
          Found 0 potentially vulnerable files
          Found 2 mitigated files
          Completed in 307.25 seconds

          **************************************************************************************************

          So the log4j files are classified as vulnerable and mitigated. Seems there is no direct dangerous attack expectable. But who knows!

          In my opinion the just published Log4j 2.17.0 from Apache should be implemented asap.


          Thanks to all devs for their efforts,

          Regards,

          Christof
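As an added illustration (not code from the thread, the Logpresso scanner, or the OTOBO project) of how a scan like the one above arrives at "vulnerable" versus "mitigated": the jar's Maven metadata gives the log4j-core version, and the presence or absence of JndiLookup.class decides whether the JNDI lookup can still run. The version thresholds and the fake_jar fixture are my assumptions, not taken from the post.

```python
import io
import zipfile

# Maven metadata carrying the log4j-core version, and the class whose removal is the
# documented mitigation (the scanner in the post reports such jars as "mitigated").
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    # (major, minor, patch) from the "version=2.x.y" line, None if absent or odd.
    for line in text.splitlines():
        val = line[8:].strip() if line.startswith("version=") else ""
        if val.replace(".", "").isdigit():
            return tuple(int(p) for p in val.split(".")[:3])
    return None

def classify_jar(src):
    # src is a file path or raw jar bytes. Returns (version, status) for a
    # log4j-core 2.x jar and None otherwise; nested (fat) jars are not opened here.
    try:
        with zipfile.ZipFile(io.BytesIO(src) if isinstance(src, bytes) else src) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names:
                return None
            v = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return None  # not a real archive: skip it rather than abort the scan
    if v is None or v[0] != 2:
        return None
    vstr = ".".join(map(str, v))
    # Fixed: 2.17.0+ (the target named in the thread) or the Java 7/6 backport lines.
    if v >= (2, 17, 0) or (2, 12, 2) <= v < (2, 13) or (2, 3, 1) <= v < (2, 4):
        return vstr, "fixed"
    if JNDI_LOOKUP not in names:
        return vstr, "mitigated"  # class removed, so the JNDI lookup cannot run
    return vstr, "vulnerable"

def fake_jar(version, keep_jndi_class=True):
    # Constructed fixture: a tiny fake jar built in memory, not a real log4j artifact.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\n" % version)
        if keep_jndi_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

To reproduce the per-file view from the post, walk the scan root with os.walk and call classify_jar on every .jar path; jars that only bundle log4j inside another archive (such as the elasticsearch-sql-cli jar above) need the nested archive extracted first.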

        • #12382
          Sven Oesterling
          Administrator

            Hi Christof,

            as discussed in the linked articles, for OTOBO only Elasticsearch uses log4j (as you can also see in the output of your scan). For various reasons (the Java Security Manager and our previously used version of Elasticsearch and JDK – please read this detailed article of the Elastic team: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476) our setup allegedly was never vulnerable to any of the attacks, but with the 10.0.14 release of last week we implemented Elastic's general security patch from last week (7.16.1), which still uses the old log4j libraries but explicitly prevents the functionalities on which the attacks are based. We plan to release a new version within this week based on 7.16.2 of Elasticsearch, which came out yesterday and implements log4j 2.17.0. If you feel in doubt you can easily stop the Elasticsearch container before installation, or after it, as also explained in the articles cited by Grit, until our second patch comes out.

            Best regards, Sven
