Zero-Day Exploit in log4j | log4shell

dleinich
Crownpeak Employee
Crownpeak Employee
13 11 4,910

e-Spirit is aware of the recently disclosed security vulnerability in the popular Apache open-source library log4j. See CVE-2021-44228 for details on this vulnerability. We are actively monitoring and managing the issue and have a team working on identifying potential risks in our software components and services.

Doing this we are also looking into follow-up vulnerabilities, for example CVE-2021-45046 which was published on 2021-12-14. Right now we have no indication that we are affected by this except mentioned otherwise in the chapters below.

This article will be updated regularly to provide information about how the vulnerability affects FirstSpirit and its ecosystem as well as details on how we handle the issue and what you can do to secure your systems. Be aware that this vulnerability affects many Java applications as it's an issue in a library widely used. The information contained in this article is thus not showing the whole picture but is strongly focused on FirstSpirit.

Updates to this article are summarized in the changelog at the end of this article. If you have additional questions or need additional information, please contact the Technical Support team.

Table of Contents

Software-as-a-Service (SaaS)

This section covers the use of e-Spirit products and services in a sofware-as-a-service (SaaS) environment, meaning you are a SaaS customer having e-Spirit operate your FirstSpirit ecosystem.

Our services are running behind a web application firewall (WAF). To mitigate the risks arising from this vulnerability, we added rules on 2021-12-13 to improve detection of attacks. The WAF inspects uri, request body, and commonly used headers and reacts on known attack vectors identified to add an additional layer of defence.

As a precautionary measure we restarted all customer instances in the night from 2021-12-14 to 2021-12-15 to put an additional layer of security and new configuration in place.

FirstSpirit

We are continuing to actively investigate potential risks and will update as we know more. Right now we focus on three areas we identified as being the most probable to break:

1. Logging ✓

The logging infrastructure in place for our SaaS offering was initially vulnerable to the attack. We have been able to patch all systems and components in the late evening of 2021-12-13 and now consider the logging infrastructure fixed and safe.

2. Modules, Product Extensions and Project Solutions

We haven't been able to find project specific implementations using vulnerable versions of log4j besides Webforms (see below) yet. We are still investigating further, though, and update here as we learn more, please see the chapters below for details.

3. Webserver

We have analyzed the existing configuration and have taken measures to protect against the attack. Right now we are confident that we are not vulnerable to attacks described in the CVE but continue our investigation and update here as we learn more, please see the chapters below for details.

✓ CaaS

Content-as-a-Service (CaaS) as well as the Navigation Service are not affected by the vulnerability. Beyond the service this also applies to their FirstSpirit modules (v2, CaaS Connect, Navigation Service Module). log4j is not used as a logging implementation in these cases and there is no known dependency using it either.

✓ SmartSearch

The SmartSearch Core is not affected by the vulnerability, required infrastructure components like SolR and Zookeeper have initially been affected, though. Working with our partners and vendors providing these components we have been able to fix the vulnerabilities as of the early morning of 2021-12-14.

✓ FirstSpirit ICE

FirstSpirit ICE is not affected by this vulnerability as it is not using log4j in customer facing services.

Modules / Product Extensions

We are actively working on identifying potential risks for FirstSpirit Modules in collaboration with our partners.

✓ TranslationStudio

Translation Studio is using Java Standard Logging and is thus not affected by this vulnerability. Dependencies in use are also not using log4j according to a first analysis. If you're interested in further details, please check the dedicated info page by ID Media.

✓ Webforms

Webforms is currently affected by the vulnerability and we are working on both a quick fix for mitigation that should be available soon as well as a long-term fix together with Monday Consulting. We have already been able to mitigate the vulnerability for the FirstSpirit component and the preview application on 2021-12-15.

As of noon on Friday 2021-12-17, the last customers have also been moved to an updated and patched version of the live component, so all customers have now been patched.
If you are using Webforms and your system has been patched you will have received a notification by our Customer Success Management team about it.

If you have questions about the current status, feel free to reach out to our Technical Support team.

✓ EmailMarketing / Universal Messenger

Universal Messenger by pinuts is using a log4j version not affected by this vulnerability, neither is the FirstSpirit module used to integrate it.

✓ E-Commerce Integrations

The e-commerce integrations for SAP, SAP Spartacus, Salesforce Commerce Cloud and Spryker are not affected by this vulnerability as they use standard logging mechanisms. If you have modified parts of the codebase active in the commerce platform or the storefront you have to check these changes yourself. We can also not speak for the commerce platform itself, please reach out to your commerce platform provider for further information.

Project Solutions

We implemented a scanner that automatically checks installed modules and components in our SaaS environment for this vulnerability. The scanner did not return any custom project implementations using vulnerable versions of log4j besides Webforms (see above) so there are no further measures for you to take right now.

On-Premises

This section covers the use of FirstSprit on-premises, meaning that you or a service partner provides operates FirstSpirit and the surrounding ecosystem yourself.

FirstSpirit Core

The standard configuration of FirstSpirit is not affected by this vulnerability as the log4j version used is not an affected version. As FirstSpirit is a system meant to be extended and integrated, you have to make sure that your individual setup is safe as well, though. Please especially consider the following areas:

  1. Logging configuration: If you have changed the standard logging configuration of FirstSpirit, make sure to review it and check for the vulnerability.
  2. Modules, Product Extensions and Project Solutions: We are investigating product extensions but you have to make sure that your custom and project specific modules and components are safe. Please see the chapters below for details.
  3. Webserver: The Jetty from the standard delivery is safe but as you are most likely using a different web or application server (as recommended), you have to make sure the software and version in use are not vulnerable yourself.

FirstSpirit Modules (product extensions)

We are actively working on identifying potential risks for FirstSpirit Modules in collaboration with our partners.

SmartSearch

The SmartSearch / Haupia core is not affected by this vulnerability, required infrastructure components like SolR and Zookeeper are, though. As operations for these components is handled by you or your partners the exact versions have to be checked by yourself. Please talk to your operations team to find out if the versions in use are vulnerable.

FormEdit

We have identified FormEdit to be vulnerable on 2021-12-13 and are working on a fix. We expect to provide a fixed version by Wednesday. An updated version of FormEdit has been released in the late evening of 2021-12-13 and is available for download through our Technical Support team.

CVE-2021-45046: Another update was released on 2021-12-15 with log4j v2.16.0 to address CVE-2021-45046. Please update your environment if you are using FormEdit.

Webforms

Webforms was affected by the vulnerability. In the late evening of 2021-12-13 Monday Consulting released patched versions (6.3.5.FS5, 6.2.9.FS5, 6.1.8.FS5, and 6.0.2.FS5) to address the issue. Please update your environment if you are using Webforms.

CVE-2021-45046: Monday Consulting released patched versions (6.3.6, 6.2.10, 6.1.9, and 6.0.3) on 2021-12-15 including log4j 2.16.0 to address this CVE.

EmailMarketing / Universal Messenger

Universal Messenger by pinuts is using a log4j version not affected by this vulnerability, neither is the FirstSpirit module used to integrate it.

E-Commerce Integrations

The e-commerce integrations for SAP, SAP Spartacus, Salesforce Commerce Cloud and Spryker are not affected by this vulnerability as they use standard logging mechanisms. If you have modified parts of the codebase active in the commerce platform or the storefront you have to check these changes yourself. We can also not speak for the commerce platform itself, please reach out to your commerce platform provider for further information.

SAP Business Package

The SAP Business Package is not using an affected version of log4j and is thus not vulnerable. The standard configuration is not using JMSAppender so it is not affected in regards to CVE-2021-4104 either. Please see chapter log4j v1.x below and make sure to check the configuration for changes you may have made.

FirstSpirit Modules (project solutions)

Using the FirstSpirit API you and/or your implementation partners are able to develop FirstSpirit modules on your own, so called project solutions. As e-Spirit is not aware of the implementation details of specific on-premises project solutions we can not provide a risk estimation.

When checking for this vulnerability, be aware that log4j-core is affected, specifically the class org.apache.logging.log4j.core.lookup.JndiLookup. This class ist not part of log4j-api or log4j-to-slf4j, finding these two libraries does not hint to being vulnerable.

The following script can help you find the affected class by trying to load it using all module ClassLoaders. To use it, add it as a schedule entry with a script action and run it from the ServerManager. Make sure that your server has the appropriate logging level set (INFO or DEBUG), or you won't see any output from the script in the logs. The script logs every successful attempt as FAILED.

mm = connection.getManagerProvider().getManager("ModuleManager");

names = mm.getModuleNames();

checked = 0;

failed = 0;

for (n : names) {

  checked ++;

  try {

    mm.getClassLoader(n).loadClass("org.apache.logging.log4j.core.lookup.JndiLookup");

    context.logError(n + ": FAILED");

    failed ++;

  } catch (Throwable t) {

    context.logDebug(n + ": OK");

  }

}

context.logInfo("Checked modules: " + checked + ", failed: " + failed);

Please note:

  • If the class exists in the global classpath, the script will alert you for every module.
  • The script only checks if the library exists and does not do a version check, it cannot say if the version used is affected by the zero-day.
  • If the script returns that everything is fine, the affected class can still be found in a web-ressource, it doesn't guarantee 100% safety.

Check your project solutions regarding this vulnerability and take respective measures. Do talk to your implementation partners to have them check the modules they have developed for you. Please also consider delivery infrastructure like Apache Tomcat and similar as they may be affected by the vulnerability as well.

log4j v1.x

There is an associated CVE regarding log4j 1.x: CVE-2021-4104. Below please find our risk assessment regarding this CVE for both SaaS as well as on-premises.

Software-as-a-Service (SaaS)

It is not possible to exploit this vulnerability by simply logging. Exploiting this vulnerability requires to actively change the logging configuration. This can only be done by FirstSpirit users with administrative permissions. We don’t allow these permissions outside of our operations team and make sure to restore safe configurations regularly. The FirstSpirit SaaS offering is thus not affected by this vulnerability.

On-Premises

The standard configuration of FirstSpirit is not affected by this vulnerability as the configuration parameters required to make it exploitable are not set. As FirstSpirit is a system meant to be extended, your users with administrative permissions are able to change these configuration parameters. Please make sure that your individual setup is safe in this regard. Details on what to look for can be found in CVE-2021-4104 (JMSAppender).

Further Information

We will update this article as we learn more. Please also keep an eye on the community in general, especially the customer space of the community to immediately learn about product extension releases fixing known vulnerabilities.

To learn more about the vulnerability in general and how to address it in you environment we recommend the following articles:

If you have any questions regarding this matter, please contact our Technical Support team who will provide answers and help keeping your FirstSpirit system secure to our best knowledge.

Updates / Changelog

2021-12-19 14:19: Updated status for Webforms in SaaS. All customers on patched versions.

2021-12-16 10:44: Updated status for Webforms in SaaS.

2021-12-16 10:19: Added threat assessment for SAP Business Package.

2021-12-15 20:02: New versions of Webforms with log4j v2.16.0 are now available for on-premises.

2021-12-15 17:01: Updated status for web & application servers in SaaS.

2021-12-15 14:17: Updated status for Webforms in SaaS.

2021-12-15 13:50: Added information specific to CVE-2021-45046.

2021-12-15 13:26: We released another version of FormEdit with log4j v2.16.0.

2021-12-15 11:47: Added information about log4j v1.x vulnerability (CVE-2021-4104).

2021-12-15 09:19: The restart announced yesterday took place.

2021-12-15 09:15: Added ICE as being not not affected.

2021-12-14 14:22: Added restart announcement.

2021-12-14 14:18: Added results of checking project specific solutions.

2021-12-14 12:59: Added information about e-commerce integrations.

2021-12-14 10:29: Updated status for the project solution scanner.

2021-12-14 09:59: Logging infrastructure for SaaS is now fixed.

2021-12-14 09:52: SmartSearch as SaaS is now considered safe.

2021-12-14 09:43: Clarified usage for script to find the vulnerable class. Thank you, brandelc​!

2021-12-14 09:35: A fixed version of Webforms for on-premises is available.

2021-12-14 09:25: A fixed version of FormEdit is available.

2021-12-14 09:20: EmailMarketing / Universal Messenger is not affected.

11 Comments
choff
Occasional Observer

In what context is the script meant to be run? I tried to run it as a beanshell script inside the SiteArchitect. This lead to an error because connection is unknown. What kind of connection is connection meant to be and where can I get if from?

Thanks in advance for your support.

brandelc
Occasional Observer

For me it worked adding it as a schedule entry with a script action in the Server Properties and running it from the ServerManager.

You need to make sure that your server has the appropriate logging level set (INFO or DEBUG), or you won't see any output from the script in the logs.

dleinich
Crownpeak Employee
Crownpeak Employee

Yes, it's meant to be run as a schedule entry. Thanks for pointing that out. Will clarify that soon.

bianca_batsch
New Responder

Hello Christian,

that was helpful :smileygrin: - how / where do I check​ / edit the log-level of the server?

Best regards

Bianca

brandelc
Occasional Observer
rodrigo_lopes
I'm new here

Hello,

I am using version 2010-01. Does this article also cover that version?

Cheers

bianca_batsch
New Responder

I would bet, that Version 2010-01 is covered by nothing.... Smiley Sad

gockel
Crownpeak employee
Crownpeak employee

Hi Rodrigo,

not sure which version you meant here.

We started the release name version scheme in 2018. Therefore, as far as I know, back in year 2010 there was never a version 2010-01.

Which version exactly do you mean?
Please provide more specific version information collected from the about page of your server. (http://<YOUR-SERVER>/about.jsp)

linde
Elite Observer

Some customer ask for the vulnerability of the SiteArchitect. Are the statements for FirstSpirit also valid for the SiteArchitect?

dleinich
Crownpeak Employee
Crownpeak Employee

Yes, for both SiteArchitect and ServerManager.

RZoller
Returning Observer

Hallo zusammen,

Monday Webform wurde gerade aktualisiert und kann verwendet werden. Die Aktualisierung umfasst das Update der log4j-Version auf log4j v2.16.0. Die Webforms-Versionen sind im Einzelnen:

  • Webforms 6.3.6.FS5
  • Webforms 6.2.10.FS5
  • Webforms 6.1.9.FS5
  • Webforms 6.0.3.FS5

René