Wowza Community

UPDATE: FIX RELEASED FOR BOTH CVE-2021-44228 AND CVE-2021-45046 / log4j2

Apache developers have released log4j version 2.16.0: https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4 They improved their fix for the security hole, giving more stability and security than 2.15.0. Can you confirm that 2.16.0 can also be applied?

1 Like

https://www.openwall.com/lists/oss-security/2021/12/13/1

is JMSAppender used on Wowza < 4.8?

This would only occur if you used the JMS appender in your log4j config and had set the specific config outlined in your link.
Please read the link you have provided; it clearly states this:

Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker’s JMS Broker.

If the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker’s control.

@DFN_VC we’ve just tested the new log4j 2.16 release in the same way we migrated to 2.15 previously and did not have any issues; maybe best to wait for an official statement on this from @Rose_Power-Wowza_Com

UPDATE:

Given this is a new vulnerability, we are continuing to investigate our initial mitigation steps I shared above as the accepted solution.
Please know I will have more information later today and will post immediately.

I am running Wowza 4.7.3, do I need to perform the fix?
I cannot tell what version of log4j it is using.

UPDATE: This is the OFFICIAL WOWZA UPDATED THREAD for both Streaming Engine and Streaming Engine Manager. Please read this Post only for newest information.


Hello,

There is an update for you regarding CVE-2021-44228 and CVE-2021-45046. Both CVEs are related to the third-party software Apache log4j, versions 2.0.x - 2.15.x, included in the Wowza Streaming Engine installer and updater beginning with version 4.8.8.01.

Note: Prior versions (4.8.5.05 and below) of Wowza Streaming Engine are not related to the CVEs reported above.

To help mitigate this issue we are providing you an updater and instructions in the “Known Issues” page link below:
https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve

We take the security of our customers and our products as a top priority. If you have any questions on how to implement these mitigation steps please do not hesitate to reply to this message.

FAQs

Q: I’ve applied the mitigation fix. How do I know if it works?
A: Wowza has verified after running the updater that there are no current issues when scanning the server. Replacing the files meets the required mitigation action according to Apache.

Q: I am running a version prior to 4.8.8.01. Do I need to do anything?
A: Prior versions of Wowza Streaming Engine (before 4.8.8.01) do not run Apache log4j version 2.x.x and are therefore not considered an issue with regard to CVE-2021-44228 or CVE-2021-45046.

Q: I see Apache has released log4j version 2.16. Can I update to that version instead?
A: The provided updater we have linked to above includes the latest Apache log4j v2.16 version. We encourage you to use the updater as the files are located in more than one Wowza Streaming Engine directory.

Q: Do I have to update my Wowza Streaming Engine deployment?
A: No. This mitigation does not require you to update to a later version of Wowza Streaming Engine. The action required is to update the Apache log4j core and log4j api files via the provided updater.

Thank you for your patience as we addressed this serious matter and thank you for choosing Wowza!


ANOTHER UPDATE 12/16/21: ZIP COMMAND

For those of you asking about the zip command issue:

We’ve updated the scripts to fall back to the Java version if zip isn’t installed, and we’ve also changed them to expect to be run from the [install-dir]/updates/log4jupdater folder if WSE isn’t in the default location or the WMSAPP_HOME env var isn’t set (this is the same as how our normal updaters work, so it should be familiar).

You can see the steps for this here:
https://www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability

And it should look like this:

Extract the .zip file contents of the updater to a subdirectory in the [install-dir]/updates directory, where [install-dir] is the install directory of Wowza Streaming Engine.

NEW UPDATE: 12/20/21

ATTN: The Streaming Engine updater uses the latest Apache Log4j v2.17 files. Wowza has verified after running the updater that there are no current issues when scanning the server and that it meets the required mitigation action according to Apache.

A new version of Engine is coming soon, but this situation keeps changing so please use the updater for now. I’ll keep you posted on the new Engine release and the latest info from Apache.

https://www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability

2 Likes

Thanks for the updater, seems to work nicely.
I guess you are going to publish a new release/patch for the WSE as well? Right now the latest updater to v4.8.16+1 installs the vulnerable log4j version 2.13, so now I have two versions of log4j in the lib folder…

1 Like
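The official post notes that the log4j files sit in more than one Streaming Engine directory, and the report above shows how a later Engine updater can leave two log4j versions side by side in lib. The following Python script is an added example, not Wowza's updater and not code from anyone in this thread: it inventories log4j 2 jars across an install tree, including jars nested inside zip-based archives such as manager/lib/WMSManager.war, flags anything older than 2.17.0 (the version the updater now ships and the one that fixes CVE-2021-45105), and reports directories that hold two versions of the same artifact. The lib/ and manager/lib/WMSManager.war layout follows the paths quoted in this thread; the 2.13.3 jar names and the whole fixture it builds are constructed sample data, and the function names are my own.

```python
"""Inventory log4j 2 jars in a Wowza Streaming Engine install tree.

Added example (not Wowza's code). Detects loose jars, jars nested inside
archives, versions below a floor, and duplicate versions in one location.
"""
import os
import re
import tempfile
import zipfile

# Floor from the thread: the updater ships 2.17 and CVE-2021-45105 is fixed in 2.17.0.
MIN_VERSION = (2, 17, 0)

# Matches log4j 2.x artifact names; log4j 1.x jars (log4j-1.2.x.jar) are named
# differently and are deliberately not covered by this scanner.
JAR_RE = re.compile(r"log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_jar_name(name):
    """Return (artifact, (major, minor, patch)) or None for other file names."""
    m = JAR_RE.search(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def scan_tree(root):
    """Walk root and return sorted (location, artifact, version) tuples.

    location is relative to root; a jar nested in an archive is reported as
    "<archive>!<entry>".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parsed = parse_jar_name(fname)
            if parsed:
                findings.append((rel, parsed[0], parsed[1]))
            # Manager keeps its libraries inside a war, so look into archives too.
            if fname.endswith((".war", ".jar", ".ear", ".zip")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        nested = parse_jar_name(entry)
                        if nested:
                            findings.append((rel + "!" + entry, nested[0], nested[1]))
    return sorted(findings)


def assess(findings, minimum=MIN_VERSION):
    """Split findings into outdated jars and containers holding duplicate versions."""
    outdated = [f for f in findings if f[2] < minimum]
    by_container = {}
    for location, artifact, version in findings:
        container = location.rsplit("!", 1)[0] if "!" in location else os.path.dirname(location)
        by_container.setdefault((container, artifact), set()).add(version)
    duplicates = {k: sorted(v) for k, v in by_container.items() if len(v) > 1}
    return outdated, duplicates


def build_sample_install(root):
    """Constructed fixture: 2.16.0 from the log4j updater plus a 2.13.3 pair
    re-added by a later Engine updater, and a Manager war with its own copy."""
    lib = os.path.join(root, "lib")
    mgr = os.path.join(root, "manager", "lib")
    os.makedirs(lib)
    os.makedirs(mgr)
    for name in ("log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar",
                 "log4j-api-2.13.3.jar", "log4j-core-2.13.3.jar"):
        open(os.path.join(lib, name), "wb").close()  # only the file name matters here
    with zipfile.ZipFile(os.path.join(mgr, "WMSManager.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", b"")
        war.writestr("WEB-INF/lib/log4j-api-2.16.0.jar", b"")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")


def run_demo(minimum=MIN_VERSION):
    """Build the fixture in a temp dir, scan it, return (findings, outdated, duplicates)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        findings = scan_tree(root)
    return (findings,) + assess(findings, minimum)


if __name__ == "__main__":
    findings, outdated, duplicates = run_demo()
    for loc, artifact, version in findings:
        print(f"{loc}: log4j-{artifact} {'.'.join(map(str, version))}")
    print("outdated:", len(outdated), "duplicate sets:", duplicates)
```

Point `scan_tree` at a real install directory instead of the fixture to use it on a server; with the 2.17.0 floor even the 2.16.0 jars from the earlier updater are reported, which matches the 12/20 update above.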

Correct! In the works right now and I will once again post when I have the release details for next version of Streaming Engine. Great question to ask, thanks @Bernhard_Schmidt

Hi, the fix generates the following errors.

Is it normal?
Where am I wrong?

thx!


gestione@WowzaStreaming:/usr/local/WowzaStreamingEngine/updates/updatelog4j$ sudo ./updatelog4j.sh
Verifying running as administrative user
updating /usr/local/WowzaStreamingEngine/lib
deleteing /usr/local/WowzaStreamingEngine/lib/log4j-api-2.16.0.jar
copying ./log4j-api-2.16.0.jar to /usr/local/WowzaStreamingEngine/lib/
deleteing /usr/local/WowzaStreamingEngine/lib/log4j-core-2.16.0.jar
copying ./log4j-core-2.16.0.jar to /usr/local/WowzaStreamingEngine/lib/
updating /usr/local/WowzaStreamingEngine/manager/lib/WMSManager.war
./updatelog4j.sh: riga 63: zip: comando non trovato
./updatelog4j.sh: riga 64: zip: comando non trovato
./updatelog4j.sh: riga 71: zip: comando non trovato
./updatelog4j.sh: riga 72: zip: comando non trovato
Update Complete. Please restart services
gestione@WowzaStreaming:/usr/local/WowzaStreamingEngine/updates/updatelog4j$

I too saw that, in English, on our Linux Wowza server.

Hi, @Piero_Ragazzini
I also had the same errors.
If the zip command is not installed, I think updatelog4j.sh doesn’t work properly.
I installed zip into OS, then executed updatelog4j.sh again.

1 Like

Solved thanks to your advice! Thank you.

Are you investigating earlier versions of log4j 1.x and vulnerability CVE-2021-4104? Thank you.

Thank you for posting about the zip command and we did get this updated as well!

I’m trying to keep all the updates in this thread in one place for “accepted solution” so let me add this new update to the green checkmark solution post.

No, we are not, @Pedro_Costa.

Unless the customer has changed the default settings of the JMSAppender (which we do not even use), we are not exposed to this CVE. If you have concerns, please update to 4.8.8.01 or higher.
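The advisory quoted earlier in this thread and the reply above both make CVE-2021-4104 conditional on a log4j 1.x configuration that actually declares a JMSAppender (with TopicBindingName or TopicConnectionFactoryBindingName driving the JNDI lookup). As an added example that is not Wowza's code, the following Python script turns those conditions into a check over a log4j 1.x .properties file: it parses the file, finds appenders of class org.apache.log4j.net.JMSAppender, records which of the two binding names are set, and reports whether such an appender is attached to a logger. Both configs it checks are constructed fixtures with placeholder values, and the function names are my own.

```python
"""Check a log4j 1.x properties config for JMSAppender use (CVE-2021-4104).

Added example, not Wowza's code. Any JMSAppender declaration is treated as
exposure (conservative); jndi_bound reports whether the binding names that
drive the JNDI lookup are set, and attached lists JMS appenders a logger uses.
"""
import re

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

# Constructed sample: a stock-style config with console and file appenders only.
SAFE_CONFIG = """
# root logger: console + rolling file
log4j.rootLogger=INFO, stdout, file
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/engine.log
"""

# Constructed sample: the non-default case the advisory describes (placeholder values).
RISKY_CONFIG = """
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=EXAMPLE-TOPIC
log4j.appender.jms.TopicConnectionFactoryBindingName=EXAMPLE-FACTORY
"""


def parse_log4j1_properties(text):
    """Minimal .properties parser: key=value, key:value or key value lines;
    comments start with # or !. Backslash line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_jms_appenders(props):
    """Return [(appender_name, {jndi_key: value}), ...] for every appender whose
    class is JMSAppender; the dict holds only the JNDI keys that are set."""
    found = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        jndi = {}
        for k in JNDI_KEYS:
            full = f"log4j.appender.{name}.{k}"
            if full in props:
                jndi[k] = props[full]
        found.append((name, jndi))
    return found


def attached_appenders(props):
    """Names of appenders referenced by log4j.rootLogger or any log4j.logger.*;
    the first comma-separated item of those values is the level, the rest appenders."""
    names = set()
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            parts = [p.strip() for p in value.split(",")]
            names.update(p for p in parts[1:] if p)
    return names


def audit(text):
    """Summarise a config's exposure to the JMSAppender condition."""
    props = parse_log4j1_properties(text)
    appenders = find_jms_appenders(props)
    attached = attached_appenders(props)
    return {
        "exposed": bool(appenders),
        "jndi_bound": any(jndi for _name, jndi in appenders),
        "appenders": appenders,
        "attached": [name for name, _jndi in appenders if name in attached],
    }


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, audit(cfg))
```

Run `audit` over the contents of each log4j.properties on a host running a pre-4.8.8.01 Engine (which uses log4j 1.x per the FAQ above) to confirm the default, non-JMS configuration is still in place.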

Please send a support ticket for the engineers to review @Piero_Ragazzini . Not sure if it’s wrong or something in your server environment, but technical support can help you resolve it.

Installing zip with ‘apt install zip’ took care of those errors that Piero_Ragazzini was referring to for me.

I did it but @Yuichi_OHKAWA gave me the correct answer.
thx

1 Like

Important: Security Vulnerability CVE-2021-45105

The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.

Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

https://logging.apache.org/log4j/2.x/