Is ConfD susceptible to log4j 2 JNDI exploit

An exploit has been discovered in log4j 2 versions before 2.15.0 (which has just been released).
This exploit is possible when using JNDI.

ConfD 7.3.2 requires and includes log4j 2.11.1. Is ConfD susceptible to this exploit? My thinking is that ConfD probably does not use JNDI or LDAP internally, but I am asking just to be sure.

Thank you.

It doesn’t appear that ConfD itself needs the log4j2 jars, but rather only the examples do, which have log4j2.xml config files.

We run the conf-api.jar with our Java code in our JVM, but we don’t put the ConfD-supplied log4j 2.x jars in the classpath. Can you confirm whether log4j2 is not needed for anything other than the Tail-f supplied examples?

The Java API is delivered in its own tarball and the source code is shipped with it under java/jar/conf-api-src-$(confd --version).jar.
Use jar xvf conf-api-src-$(confd --version).jar to inflate.

You will notice that the Java API uses log4j to print log messages.

You can do the upgrade yourself right now if you wish:

$ cd $CONFD_DIR/java/jar #if you extracted the ConfD Java API tarball to the default location
$ rm log4j-*.jar
# Download the log4j 2 2.15.0 release to, for example, your /tmp folder
$ cp /tmp/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar .;cp /tmp/apache-log4j-2.15.0-bin/log4j-api-2.15.0.jar .
$ cp log4j-core-2.15.0.jar log4j-core.jar; cp log4j-api-2.15.0.jar log4j-api.jar

Conny, thank you, this is very helpful. We are already in the process of updating our own log4j to 2.15.0, so we will try it out with our existing conf-api.jar.


Just one final question about the conf-api.jar’s use of log4j. I examined the sources to ConfD’s 7.3.2 conf-api.jar as you have suggested, and I see that all the import statements look like they are using the log4j 1.x API:

import org.apache.log4j.Logger;

Rather than using the log4j 2 APIs:

import org.apache.logging.log4j.Logger;

Yet, the log4j 2.11 jars are shipped in the ConfD java distribution. Is conf-api.jar using log4j 2.11 jar in a compatibility mode? Or perhaps I have not examined this properly.

See the log4j.jar for a log4j API wrapper of log4j2:

$ jar xvf log4j.jar
$ cat org/apache/log4j/Logger.java
... 
 * Wrapper for Log4J Logger
 * This class has been modified from its original version.
 * The purpose of this wrapper is to provide a log4j API towards the
 * log4j2 implementation for backwards compatibility.
...
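A way to verify the jar swap from the earlier answer (rm the old log4j-*.jar files, copy in the new log4j-core/log4j-api jars) and to confirm that the log4j.jar wrapper that gives conf-api.jar its org.apache.log4j.Logger is still in place. This is an added example, not ConfD's or Tail-f's own code. It assumes the Maven pom.properties path that upstream log4j-core jars carry for their version string, and it uses constructed stand-in jars with empty class entries so it runs offline; the minimum version is a parameter because 2.15.0 was simply the newest release at the time of the thread.

```python
"""Post-upgrade check for the ConfD Java API jar directory.

Added example, not ConfD's or Tail-f's own code. Assumptions not taken from
the thread: the Maven pom.properties path that upstream log4j-core jars carry,
and the class names used to recognise the JNDI lookup and the log4j 1.x API.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Where upstream log4j-core jars record their version (assumption: Maven layout).
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; deleting it from old jars was a common stopgap.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# The log4j 1.x entry point that conf-api.jar imports (org.apache.log4j.Logger).
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def inspect_jar(path):
    """Return the facts about one jar that the upgrade in the thread changes."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if CORE_POM in names:
            for line in jar.read(CORE_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "name": Path(path).name,
        "core_version": version,           # None unless this is log4j-core
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "has_log4j1_api": LOG4J1_LOGGER in names,
    }


def check_jar_dir(jar_dir, min_core="2.15.0"):
    """List problems with a jar directory; an empty list means the swap looks complete."""
    reports = [inspect_jar(p) for p in sorted(Path(jar_dir).glob("*.jar"))]
    problems = []
    cores = [r for r in reports if r["core_version"] is not None]
    if not cores:
        problems.append("no log4j-core jar found")
    for r in cores:
        if parse_version(r["core_version"]) < parse_version(min_core):
            detail = ("still ships JndiLookup.class" if r["has_jndi_lookup"]
                      else "JndiLookup.class was removed, but the jar is still old")
            problems.append(f"{r['name']}: log4j-core {r['core_version']} is older than {min_core}; {detail}")
    if not any(r["has_log4j1_api"] for r in reports):
        problems.append("no jar provides org.apache.log4j.Logger, which conf-api.jar imports")
    return problems


def build_sample_jar_dir(dest, core_version, jndi_lookup_removed=False, keep_wrapper=True):
    """Write constructed stand-in jars (empty class entries) mirroring the layout the thread describes."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)

    def write_jar(name, entries):
        with zipfile.ZipFile(dest / name, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)

    core = {CORE_POM: f"version={core_version}\nartifactId=log4j-core\n".encode(),
            "org/apache/logging/log4j/core/Logger.class": b""}
    if not jndi_lookup_removed:
        core[JNDI_LOOKUP] = b""
    write_jar("log4j-core.jar", core)
    write_jar("log4j-api.jar", {"org/apache/logging/log4j/Logger.class": b""})
    if keep_wrapper:
        write_jar("log4j.jar", {LOG4J1_LOGGER: b""})   # the 1.x API shim over log4j 2


def check_sample(core_version, **layout):
    """Build a constructed sample directory and check it; used for the demo below."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar_dir(tmp, core_version, **layout)
        return check_jar_dir(tmp)


if __name__ == "__main__":
    for label, problems in [
        ("as shipped with ConfD 7.3.2", check_sample("2.11.1")),
        ("class-removal stopgap only", check_sample("2.11.1", jndi_lookup_removed=True)),
        ("after the jar swap", check_sample("2.15.0")),
        ("jar swap but log4j.jar deleted", check_sample("2.15.0", keep_wrapper=False)),
    ]:
        print(f"{label}: {problems or 'OK'}")
```

Run check_jar_dir against a real $CONFD_DIR/java/jar once the copy commands above have been executed. Note that the glob in `rm log4j-*.jar` does not match log4j.jar, so the 1.x wrapper survives the upgrade; the last check exists for the case where it is deleted by hand, because conf-api.jar resolves org.apache.log4j.Logger through that jar and not through log4j-api.jar.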

Thank you. That clears up my confusion as to how you are using log4j 2.x with the conf-api.jar.

Simple shell script for upgrading log4j 2:
