{"id":17003,"date":"2021-12-17T11:04:21","date_gmt":"2021-12-17T10:04:21","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/"},"modified":"2021-12-17T11:04:21","modified_gmt":"2021-12-17T10:04:21","slug":"log4shell-how-to-analyse-and-mitigate","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/","title":{"rendered":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory"},"content":{"rendered":"

This post is about two security vulnerabilities reported on log4j 2.x framework:\u00a0CVE-2021-44228<\/a>, with a base score 10 (of 10 max.) in CVSS version 3.1 risk, and\u00a0CVE-2021-45046<\/a>, base scored 9. I will list some ways to determine affection, how to mitigate these vulnerabilities in general and Oracle Unified Directory in particular. Finally, there is a link with updated status to every Oracle software and why to migrate log4j 1.x to x >= 2.16.x.
\n<\/p>\n

Determine affection<\/h2>\n
    \n
  1. Use a vulnerability scanner<\/strong>
    \nIt’s best to scan hosts company wide on a regular basis. I do not have experience here, use     wikipedia<\/a> as a (neutral) starting point. There is a useful list of scanners provided by OWASP (Open Web Application Security Project)<\/a>.
    \nTo date,     almost 166k CVE have been reported<\/a>. The next vulnerability in software your are using will be reported sooner or later. It’s recommended to use a capable vulnerability scanner to landscape affection.<\/li>\n
  2. Use log4j2-scan<\/strong>
    \n“log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0) and CVE-2021-4104 (log4j 1.x) vulnerabilities.”    Download precompiled jar files or build your own<\/a>
    \nHow it works<\/strong>
    \nIt runs in 5 steps:<\/p>\n
      \n
    1. \n
        \n
      1. Find all .jar, .war, .ear, .aar files recursively.<\/li>\n
      2. Find META-INF\/maven\/org.apache.logging.log4j\/log4j-core\/pom.properties entry from JAR file.<\/li>\n
      3. Read groupId, artifactId, and version.<\/li>\n
      4. Compare log4j2 version and print vulnerable version.<\/li>\n
      5. If –fix option is used, backup vulnerable file and patch it.
        \nFor example, original vulnerable.jar is copied to vulnerable.jar.bak<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

        Example:\u00a0Analysing applications folder on macOS<\/strong><\/p>\n

        % java -jar logpresso-log4j2-scan-2.2.2.jar \/Applications\nLogpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)\nScanning directory: \/Applications\n[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in \/Applications\/cnlabSpeedTest.app\/Contents\/Java\/log4j-core-2.8.1.jar, log4j 2.8.1\n[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in \/Applications\/SQLDeveloper.app\/Contents\/Resources\/sqldeveloper\/sqldeveloper\/lib\/log4j-core.jar, log4j 2.15.0\nRunning scan (10s): scanned 14161 directories, 135423 files, last visit: \/Applications\/Microsoft Excel.app\/Contents\/Frameworks\/mso99.framework\/Versions\/A\/Resources\/mso_intl.bundle\/Contents\/Resources\/id.lproj\nRunning scan (20s): scanned 25840 directories, 263162 files, last visit: \/Applications\/Microsoft PowerPoint.app\/Contents\/Frameworks\/mso99.framework\/Versions\/A\/Resources\/mso_intl.bundle\/Contents\/Resources\/el.lproj\n\nScanned 26789 directories and 276904 files\nFound 2 vulnerable files\nFound 0 potentially vulnerable files\nFound 0 mitigated files\nCompleted in 20.85 seconds<\/pre>\n<\/li>\n
      6. Find log4j jar files
        \n<\/strong>This is a fast, but not reliable method as log4j could simply be in a renamed jar file or nested. A jar file is a zip archive.<\/li>\n<\/ol>\n
          \n
        1. \n
            \n
          1. As root\/administrator, search for log4j jar files.
            \nLinux, Solaris, AIX, Mac OS, …:
            \nfind \/ -name *log4j*<\/code>
            \nWindows:
            \ndir \/s \/b <folder><pattern><\/code><\/li>\n
          2. Check version used. If below 2.16, you are affected:
            \nzip -p <jarfile> META-INF\/MANIFEST.MF<\/code><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
            How to mitigate?<\/h2>\n
            Disable log4j JNDI lookups using the following parameter when startup a java application:
            \n-Dlog4j2.formatMsgNoLookups=true<\/code>
            \nUsually, look for a java.properties file to add above parameter. Here is an example to start a jar file with parameter:
            \n<JAVA JRE HOME>\/bin\/java -jar <jar-file> -Dlog4j2.formatMsgNoLookups=true <additional parameter><\/code><\/p>\n
            What is properties file?<\/strong>
            \nMost Java application need to use properties at some point, generally to store simple parameters as key-value pairs, outside of compiled code.\u00a0And so the language has first class support for properties \u2013 the java.util.Properties<\/em> \u2013 a utility class designed for handling this type of configuration files. Key-value pairs can be loaded from properties files. Popular file endings are .properties or .xml.\u00a0As long as a file’s content meet properties file format requirements, it can be parsed correctly by Properties<\/em><\/a> class.<\/p>\n
            Example: Oracle Unified Directory<\/h3>\n
            It seems Oracle is still analysing the situation. I could not do mitigation according to official vendor information Doc ID 2827793.1, that is by deleting JndiLookup.class file which was not present. Personally, I think deleting files is suboptimal as it could lead to errors in logfiles when accessing them and errors may lead to false-positives incidents in monitoring.<\/p>\n
            As an alternative, I modified Java startup parameter to mitigate:<\/p>\n
              \n
            1. Edit the file:
              \n<OUD instance home>\/config\/java.properties<\/code><\/li>\n
            2. Add additional parameter:
              \nstart-ds.java-args=-Dlog4j2.formatMsgNoLookups=true<\/code><\/li>\n
            3. Activate changed properties:
              \n<OUD instance home>\/bin\/dsjavaproperties<\/code><\/li>\n
            4. Restart OUD
              \n<OUD instance home>\/bin\/stop-ds --restart<\/code><\/li>\n
            5. Check if OUD started using parameter
              \nps -ef | grep Dlog4j2.formatMsgNoLookups<\/code><\/li>\n<\/ol>\n
              I’m looking forward for an official patch, which I will apply on test environment first.<\/p>\n
              log4shell & Oracle software<\/h2>\n
              Please check this webpage<\/a> on a regular basis.<\/p>\n
              Log4j 1.x<\/h2>\n
              Log4j 1.x is not affected by above CVEs, but others. And it’s end of live, consider migrating to a version greater\/equal 2.16.x<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
              This post is about two security vulnerabilities reported on log4j 2.x framework:\u00a0CVE-2021-44228, with a base score 10 (of 10 max.) in CVSS version 3.1 risk, and\u00a0CVE-2021-45046, base scored 9. I will list some ways to determine affection, how to mitigate these vulnerabilities in general and Oracle Unified Directory in particular. Finally, there is a link […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229],"tags":[2448,2449,214,110,95,2450],"type_dbi":[],"class_list":["post-17003","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","tag-cve-2021-44228","tag-cve-2021-45046","tag-java","tag-log4j","tag-log4shell","tag-vulnerability"],"acf":[],"yoast_head":"\nlog4shell: Determine affection, mitigate, example: Oracle Unified Directory - dbi Blog<\/title>\n<meta name=\"description\" content=\"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"log4shell: Determine affection, mitigate, example: Oracle Unified Directory\" \/>\n<meta property=\"og:description\" content=\"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-17T10:04:21+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"log4shell: Determine affection, mitigate, example: Oracle Unified Directory\",\"datePublished\":\"2021-12-17T10:04:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\"},\"wordCount\":614,\"commentCount\":0,\"keywords\":[\"CVE-2021-44228\",\"CVE-2021-45046\",\"Java\",\"log4j\",\"log4shell\",\"vulnerability\"],\"articleSection\":[\"Database Administration & Monitoring\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\",\"name\":\"log4shell: Determine affection, mitigate, example: Oracle Unified Directory - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2021-12-17T10:04:21+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"description\":\"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"log4shell: Determine affection, mitigate, example: Oracle Unified Directory\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory - dbi Blog","description":"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/","og_locale":"en_US","og_type":"article","og_title":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory","og_description":"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.","og_url":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/","og_site_name":"dbi Blog","article_published_time":"2021-12-17T10:04:21+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory","datePublished":"2021-12-17T10:04:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/"},"wordCount":614,"commentCount":0,"keywords":["CVE-2021-44228","CVE-2021-45046","Java","log4j","log4shell","vulnerability"],"articleSection":["Database Administration & Monitoring"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/","url":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/","name":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2021-12-17T10:04:21+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"description":"This post is about two security vulnerabilities reported on log4j 2.x framework: CVE-2021-44228, scored 10 of 10 points in CVSS VERSION 3.1 RISK, and\u00a0CVE-2021-45046, scored 3.7 points.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/log4shell-how-to-analyse-and-mitigate\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"log4shell: Determine affection, mitigate, example: Oracle Unified Directory"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=17003"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17003\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=17003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=17003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=17003"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=17003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}