
Log4j critical vulnerability CVE-2021-44228 does not affect IMiS ARChive servers

Product: IMiS/ARChive
Release: All
Date: 12/15/2021

Case: A critical vulnerability, CVE-2021-44228, was recently discovered in the Log4j library. It allows an attacker who can control log messages or their parameters to achieve remote code execution from LDAP servers if message lookup substitution is enabled. IMiS ARChive servers are not affected by this vulnerability because Log4j is not used during server operations.

Description:

The critical vulnerability CVE-2021-44228 in the Log4j library allows an attacker to achieve remote code execution from LDAP servers if message lookup substitution is enabled. Since the IMiS ARChive server does not use the Log4j library during its operations, this vulnerability does not affect it. Jar files are located in the server installation directory under "jvm/lib/ext/" and can be checked with the provided script. IMiS ARChive server 10.1.2010 may contain a vulnerable Log4j library, which is part of the Lucene 8.6.2 bundle and is used by "lucene-luke-8.6.2.jar", a tool for introspecting the full text index. Since this tool is not actively used by the IMiS ARChive server, it does not represent a vulnerability to the server. The following jars can also be removed without affecting full text index operations:

CVE-2021-44228 can also be mitigated by applying "log4j2.formatMsgNoLookups=true" to "JVMOptions" in the server configuration file (default location is "/etc/iarc.conf").

JVMOptions example:

JVMOptions=-Xmx4g::-Dlog4j2.formatMsgNoLookups=true

Linux script for CVE-2021-44228 vulnerability search (it uses default server installation path "/opt/IS/imisarc"):

find /opt/IS/imisarc/jvm/lib/ext/ -type f -name "*.jar" -exec sh -c 'zipinfo -1 "$1" | grep JndiLookup.class && echo "$1"' sh {} \;
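
The same check as an added Python example (not part of the vendor's script). It goes beyond the find command by also opening archives nested inside other archives, which "zipinfo -1" on the outer file does not list, and by checking a configuration text for the JVMOptions mitigation. Assumptions: "::" separates JVM options as in the example above, and the "outer!inner" label format is this example's own convention.

```python
import io
import os
import sys
import zipfile

TARGET = "JndiLookup.class"  # class the find/zipinfo script above greps for
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(source, label):
    """Return labels of archives (nested ones included) that hold TARGET."""
    hits = set()
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                if name.rsplit("/", 1)[-1] == TARGET:
                    hits.add(label)
                elif name.lower().endswith(ARCHIVES):
                    # Nested archive: load it into memory and recurse.
                    inner = io.BytesIO(zf.read(name))
                    hits.update(scan_archive(inner, label + "!" + name))
    except (zipfile.BadZipFile, OSError, RuntimeError) as exc:
        print(f"skipped {label}: {exc}", file=sys.stderr)
    return sorted(hits)

def scan_tree(root):
    """Scan every archive under root; paths come back in sorted walk order."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                hits += scan_archive(path, path)
    return hits

def no_lookups_set(conf_text):
    """True if the JVMOptions line carries -Dlog4j2.formatMsgNoLookups=true."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "JVMOptions":
            # Assumption: "::" separates options, as in the page's example.
            opts = [o.strip() for o in value.split("::")]
            return "-Dlog4j2.formatMsgNoLookups=true" in opts
    return False

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/IS/imisarc/jvm/lib/ext/"
    for hit in scan_tree(root):
        print(hit)
```

Run it with the installation's "jvm/lib/ext/" directory as the argument; an empty result means no archive at any nesting level contains the class.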

Related Documents:

https://www.cert.si/si-cert-2021-06/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
https://kb.vmware.com/s/article/87127
https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/
https://archive.apache.org/dist/lucene/java/8.6.2/
https://github.com/DmitryKey/luke
