13.12.2021 – last updated: 17.12.21
OTOBO and the Log4j Vulnerability / Log4Shell
Apache Log4j2 Remote Code Execution (RCE) Vulnerability
CVE-2021-44228 – ESA-2021-31 (CVE-2021-45046 is covered at the end)
A high severity vulnerability in the Apache Log4j logging library can be used by attackers to take over entire servers via crafted log messages. Is OTOBO affected by the Log4j zero-day vulnerability?
We have analysed the situation at hand and have reached the following, preliminary, conclusions:
- Within the OTOBO application stack, only Elasticsearch uses Log4j and could thus potentially be affected by Log4Shell. OTOBO itself is written in Perl and does not use Log4j.
- Based on Elastic's current statements, OTOBO is in principle not susceptible to the severe consequences of this vulnerability (remote code execution, data leakage).
The central sentence in this context: „Supported Versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage.“ (see the Elasticsearch statement)
OTOBO has used JDK 16 and Elasticsearch 7.14+ since the release of the first OTOBO beta.
- In manually installed instances that run Elasticsearch on OpenJDK 8, environment data (such as environment variables, via Log4j lookups resolved over DNS) could possibly be leaked to a limited extent.
OTOBO Docker environment
Our OTOBO Docker Compose environment is NOT affected as far as we know, as Java JDK 16 is used there.
Manual OTOBO installations with Apache2
Elasticsearch 6 and 7 use the Java Security Manager and are thus NOT affected by remote code execution via this vulnerability.
Elasticsearch run under JDK 8 or lower is susceptible to an information leak via DNS, which can be remedied by the following JVM property:
=> Set the JVM option -Dlog4j2.formatMsgNoLookups=true (for example in Elasticsearch's config/jvm.options or via the ES_JAVA_OPTS environment variable) and restart Elasticsearch so that the option takes effect.
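The conditions above (supported Elasticsearch release, JDK 9+, or JDK 8 with the JVM option set) can be checked per node from the output of `GET /_nodes/jvm`, which reports the Elasticsearch version, the Java version and the JVM input arguments of every node. The following script is an added example, not OTOBO's or Elastic's code: it classifies each node against those rules and against the first patched releases of ESA-2021-31 (6.8.21 and 7.16.1). The `SAMPLE_NODES_JVM` document is constructed to resemble the API response; field names follow the real `_nodes/jvm` output, the node names and versions are made up.

```python
"""Triage Elasticsearch nodes for their Log4Shell (CVE-2021-44228) state.

Added example, not part of OTOBO or Elasticsearch. Rules encoded here come
from Elastic's advisory as quoted on this page:
  * releases >= 6.8.21 / 7.16.1 ship -Dlog4j2.formatMsgNoLookups=true by
    default and remove the JNDI lookup component   -> "patched"
  * supported releases (6.8.9+, 7.8+) on JDK 9+      -> "mitigated-jdk"
  * supported releases on JDK 8 with the flag set   -> "mitigated-flag"
  * supported releases on JDK 8 without the flag    -> "dns-leak-possible"
  * anything older than the supported releases      -> "upgrade-required"
"""
import json

NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
SUPPORTED_MIN = {6: (6, 8, 9), 7: (7, 8, 0)}    # per Elastic's statement
PATCHED_MIN = {6: (6, 8, 21), 7: (7, 16, 1)}    # first ESA-2021-31 fix releases

# Constructed sample of a GET /_nodes/jvm response (node names/versions made up).
SAMPLE_NODES_JVM = json.dumps({
    "cluster_name": "otobo-example",
    "nodes": {
        "n1": {"name": "docker-es", "version": "7.14.2",
               "jvm": {"version": "16.0.2",
                       "input_arguments": ["-Xms1g", "-Xmx1g"]}},
        "n2": {"name": "manual-jdk8", "version": "7.10.1",
               "jvm": {"version": "1.8.0_312",
                       "input_arguments": ["-Xms1g"]}},
        "n3": {"name": "manual-jdk8-flag", "version": "7.10.1",
               "jvm": {"version": "1.8.0_312",
                       "input_arguments": ["-Xms1g", NO_LOOKUPS_FLAG]}},
        "n4": {"name": "patched", "version": "7.16.1",
               "jvm": {"version": "17.0.1", "input_arguments": []}},
        "n5": {"name": "too-old", "version": "7.6.2",
               "jvm": {"version": "11.0.13", "input_arguments": []}},
    },
})


def java_major(version):
    """Java major version: '1.8.0_312' -> 8, '16.0.2' -> 16, '9' -> 9."""
    parts = version.split(".")
    if parts[0] == "1":                      # legacy 1.x scheme (JDK 8 and older)
        return int(parts[1].split("_")[0])
    return int(parts[0].split("_")[0].split("+")[0])


def es_version_tuple(version):
    """'7.16.1' -> (7, 16, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def classify_node(node):
    """Return the Log4Shell state of one node document from _nodes/jvm."""
    es_ver = es_version_tuple(node["version"])
    major_es = es_ver[0]
    if major_es not in SUPPORTED_MIN:
        return "unknown-release"             # not covered by the quoted guidance
    if es_ver >= PATCHED_MIN[major_es]:
        return "patched"
    if es_ver < SUPPORTED_MIN[major_es]:
        return "upgrade-required"            # Elastic's statement only covers 6.8.9+ / 7.8+
    jvm = node["jvm"]
    if java_major(jvm["version"]) >= 9:
        return "mitigated-jdk"               # no RCE, no info leak per Elastic
    if NO_LOOKUPS_FLAG in jvm.get("input_arguments", []):
        return "mitigated-flag"              # JDK 8, DNS leak closed by the property
    return "dns-leak-possible"               # JDK 8 without the property


def triage(nodes_json):
    """Map node name -> state for a whole _nodes/jvm response."""
    data = json.loads(nodes_json)
    return {n["name"]: classify_node(n) for n in data["nodes"].values()}


if __name__ == "__main__":
    # Against a live cluster: curl -s http://localhost:9200/_nodes/jvm | python3 this.py
    for name, state in triage(SAMPLE_NODES_JVM).items():
        print(f"{name:18} {state}")
```

Nodes reported as `dns-leak-possible` are the manual JDK 8 installations the text above refers to; `patched` nodes already carry the JVM property by default, so the flag check is skipped for them.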
How to deactivate Elasticsearch in OTOBO
If you want to deactivate Elasticsearch, you can do so at any time without affecting the general functioning of the system. Only the Elasticsearch-based functionality will no longer be available; the "normal" search and all other system features remain available as usual.
Please proceed as follows to deactivate it:
- Navigate to Admin -> System Configuration and deactivate the option „Elasticsearch::Active“.
- Navigate to Admin -> Web Services and set the web service "Elasticsearch" to inactive.
- Stop the Elasticsearch service on the server (and disable it so that it does not start again on reboot).
New Patch with latest Elasticsearch version – OTOBO 10.0.14
Even though OTOBO generally does not seem to be affected by the Log4j zero-day vulnerability (see our summarised findings above), we updated to the latest Elasticsearch version, "which contains the JVM property by default and removes certain components of Log4j out of an abundance of caution" (source: Elastic).
New vulnerability CVE-2021-45046
Elastic's guidance for Elasticsearch remains unchanged after disclosure of the second vulnerability. Consequently, nothing in the foregoing changes for OTOBO either.
Original text from Elastic: „Update 15 December
A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability.“ (source: Elastic)