BrekekeUserGermany Brekeke Member
Joined: 12 Apr 2018 Posts: 12
Posted: Sun Dec 12, 2021 7:45 am Post subject: log4j security issue - CVE-2021-44228
1. Brekeke Product Name and Version:
Code:
Brekeke PBX, Version 3.8.3.4, Pro
2. Java version:
Code:
OpenJDK 8u312-b07-1~deb9u1
3. OS type and the version:
4. UA (phone), gateway or other hardware/software involved:
5. Your problem:
Hi all,
as you probably heard through the news, there is a new security issue regarding log4j (https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
I've found the following files in the PBX directory:
Code:
/webapps/pbx/WEB-INF/lib$
-rw-r--r-- 1 tomcat tomcat 127 Feb 2 2018 log4j-core.jar
-rw-r--r-- 1 tomcat tomcat 106494 Feb 2 2018 log4j.jar
Do you guys know if log4j is actively used by Brekeke?
How can I find out which log4j version is used? Extracting the log4j.jar file and having a look at the MANIFEST.MF located in the META-INF directory doesn't give much information...
And do you know if there's any fix already provided for this? At the moment the Brekeke news feed is empty regarding this.
Looking forward to hearing from you.
Best regards
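The original poster's question of how to tell which log4j version a jar contains when MANIFEST.MF says little is a common one during this kind of triage. The script below is an added example, not code from the thread or from Brekeke: it opens a jar with Python's standard zipfile module, reads the version from Maven's META-INF/maven/*/pom.properties (falling back to Implementation-Version in the manifest), and, independently of any metadata, checks for marker classes that distinguish log4j 1.x from 2.x and flags whether the 2.x JndiLookup class or the 1.x JMSAppender class is packaged. The function names, the marker-class list and the sample jars built in memory are my own constructions; real jars are passed as paths on the command line. Note that a 127-byte file, like the log4j-core.jar in the listing above, cannot hold the library's classes, so the script reports it as "not-a-jar" or "unknown" rather than guessing a version.

```python
import io
import re
import sys
import zipfile

# Marker classes (assumed stable across releases) used to tell the two log4j
# lines apart without trusting manifest metadata, plus the 2.x JNDI lookup
# class central to CVE-2021-44228 and the 1.x JMSAppender discussed in this thread.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"


def inspect_log4j_jar(jar):
    """Describe one jar: log4j line (1.x/2.x), version string, and risky classes.

    `jar` is a filesystem path or a file-like object. The version is taken from
    Maven's pom.properties when present, otherwise from the manifest.
    """
    try:
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
            version = None
            for name in names:
                if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
            if version is None and "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = m.group(1)
    except zipfile.BadZipFile:
        # Tiny or corrupt files (e.g. a 127-byte "jar") are not zip archives at all.
        return {"line": "not-a-jar", "version": None,
                "jndi_lookup_present": False, "jms_appender_present": False}

    if LOG4J2_MARKER in names:
        line = "2.x"
    elif LOG4J1_MARKER in names:
        line = "1.x"
    else:
        line = "unknown"
    return {
        "line": line,
        "version": version,
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "jms_appender_present": JMS_APPENDER in names,
    }


def build_sample_jar(entries):
    """Construct an in-memory jar from {entry_name: bytes} for demonstration/testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample jars; the version strings are placeholders, not Brekeke's.
SAMPLE_LOG4J1 = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
    "org/apache/log4j/Logger.class": b"",
    "org/apache/log4j/net/JMSAppender.class": b"",
}
SAMPLE_LOG4J2 = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
    "org/apache/logging/log4j/core/Logger.class": b"",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"",
}

if __name__ == "__main__":
    # Usage: python inspect_log4j.py /webapps/pbx/WEB-INF/lib/*.jar
    for path in sys.argv[1:]:
        print(path, inspect_log4j_jar(path))
```

Class-marker detection is deliberately kept separate from the metadata lookup: a repackaged or "customized" jar can ship without pom.properties or with a misleading manifest, but it cannot hide the classes it actually loads.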
Brett Brekeke Addict
Joined: 23 Dec 2014 Posts: 47
Location: CA
Posted: Mon Dec 13, 2021 11:52 am Post subject:
Hi,
Because it looks like Brekeke PBX doesn't use the log4j 2.x that has the security issue, but uses log4j 1.x, I think Brekeke PBX doesn't have this vulnerability.
Thanks,
Brett
BrekekeUserGermany Brekeke Member
Joined: 12 Apr 2018 Posts: 12
Posted: Tue Dec 14, 2021 2:01 am Post subject:
Hi Brett,
many thanks for the feedback!
Do you know where I can find this information on which log4j version is used?
In the documentation or somewhere else?
I've already had a look at some of the Brekeke documentations but haven't found a hint to that.
Best regards
Brett Brekeke Addict
Joined: 23 Dec 2014 Posts: 47
Location: CA
Posted: Tue Dec 14, 2021 3:09 pm Post subject:
Hi,
I asked brekeke tech support, just in case.
Here is the answer I got.
---------------
> Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
>
> There are two Log4j packages in the product.
>
> - Log4j bundled in the GUI part (Tomcat).
>   It is not affected because it is the customized Log4j (not default).
>   https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228
>
> - Log4j bundled in Brekeke SIP Server core.
>   It is not affected because it is Log4j version 1, not version 2.
Best regards,
Brett
BrekekeUserGermany Brekeke Member
Joined: 12 Apr 2018 Posts: 12
Posted: Wed Dec 15, 2021 8:16 am Post subject:
Hi Brett,
thanks again for the feedback.
In the meantime some guys found out that version 1 seems to be affected as well, so I guess Brekeke PBX / SIP is affected, too?
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
Do you know if there's a possibility to let the technical support have a look at this forum post to update us?
I'm sure everyone using PBX or SIP is curious about what the next steps from Brekeke are.
Best regards
Brett Brekeke Addict
Joined: 23 Dec 2014 Posts: 47
Location: CA
Posted: Wed Dec 15, 2021 12:48 pm Post subject:
Hi,
Regarding log4j v1, JMSAppender is not enabled by default.
Generally speaking, to turn it on, the following parameters are needed in log4j.properties.
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=
log4j.appender.jms.ProviderURL=
Best regards,
Brett
BrekekeUserGermany Brekeke Member
Joined: 12 Apr 2018 Posts: 12
Posted: Thu Dec 16, 2021 5:55 am Post subject:
Hi Brett,
thanks again for the feedback.
I just had a look at the log4j.properties, which hasn't changed since the installation of PBX.
Quote:
Generally speaking, to turn it on, the following parameters are needed in log4j.properties.
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=
log4j.appender.jms.ProviderURL=
Nothing is set by default, as you said, so it should be safe.
Thanks and best regards
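Brett's post describes the three log4j.properties keys that would turn on the 1.x JMSAppender, and the final post checks the file by eye. As an added example that is not part of the thread or of Brekeke's product, the script below automates that check: it parses a Java .properties file (comments, key=value and key:value forms, backslash line continuations), lists every appender whose class is org.apache.log4j.net.JMSAppender, and then goes one step further than the thread by distinguishing an appender that is merely defined from one that is actually attached to log4j.rootLogger, log4j.rootCategory or a log4j.logger.*/log4j.category.* entry, since only an attached appender is ever instantiated. The function names and the two sample configurations are my own constructions; the broker URL in the sample is a placeholder.

```python
import re
import sys

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    and trailing-backslash line continuations (leading whitespace of the
    continued line is dropped, as in Java)."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_jms_appender(text):
    """Report JMSAppender definitions and whether any logger actually uses them."""
    props = parse_properties(text)
    # 'log4j.appender.<name>' has exactly two dots; '<name>.ProviderURL' etc. have more.
    defined = sorted(
        key[len("log4j.appender."):]
        for key, value in props.items()
        if key.startswith("log4j.appender.") and key.count(".") == 2
        and value == JMS_APPENDER_CLASS
    )
    # Collect appender names referenced by the root logger and any named logger;
    # the first comma-separated token of those values is the level, not an appender.
    referenced = set()
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or \
                key.startswith(("log4j.logger.", "log4j.category.")):
            tokens = [t.strip() for t in value.split(",")]
            referenced.update(t for t in tokens[1:] if t)
    return {
        "jms_appenders_defined": defined,
        "jms_appenders_active": [n for n in defined if n in referenced],
        "provider_urls": {n: props.get(f"log4j.appender.{n}.ProviderURL", "") for n in defined},
    }


# Constructed sample: a typical default-looking file with only a console appender.
SAFE_CONFIG = """\
# constructed sample, not Brekeke's shipped file
log4j.rootLogger=INFO, \\
    console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""

# Constructed sample: the keys from Brett's post filled in and attached to the root logger.
JMS_CONFIG = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    # Usage: python audit_log4j_props.py /path/to/log4j.properties
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, audit_jms_appender(fh.read()))
```

Keep both lists in the report: a JMSAppender that is defined but not attached is still worth removing, because any later edit that adds it to a logger line would activate it without the class or the JNDI settings changing.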