Article - CS359319
Apache Log4J 1.x Security Vulnerabilities (CVE-2021-4104 & CVE-2019-17571) – Impact on Servigistics Products
Modified: 20-Dec-2021
Applies To
- Servigistics Service Parts Management 9.3 to 12.2.0.1
- Servigistics Click Parts Planning 5.10 to 7.7.2.1
- Servigistics Service Parts Pricing 9.3 to 12.2.0.1
- Servigistics Intellicus 7.3 to 19.1
- Servigistics MCA Parts Planning 7.0 to 8.0.0.11
- Servigistics Click Extend 4.1
- Servigistics Service Network Management 10.7.1.1 to 11.2
Description
Multiple CVEs have been reported against Apache Log4j 1.x. Because Log4j 1.x is out of support, this article provides the analysis and justification that confirm the known impact on Servigistics products.
The product releases listed above under 'Applies To' all include Log4j 1.x.
CVE-2021-4104:
In Log4j 1.x the JMSAppender will perform a JNDI lookup if enabled in log4j’s configuration file. Applications using Log4j 1.x may be impacted if their configuration uses JNDI (JMSAppender).
Base CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Red Hat identified RHSB-2021-009 (CVE-2021-4104)
https://access.redhat.com/security/cve/CVE-2021-4104
The Red Hat Bugzilla article includes additional details:
A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.
Note this issue only affects Log4j 1.x when specifically configured to use JMSAppender, which is not the default for any Servigistics Products.
The known mitigation options to address a potential exploit are:
- Comment out or remove JMSAppender in the Log4j configuration if it is used
- Remove the JMSAppender class from the classpath
- Restrict the OS user's access on the platform running the application so that an attacker cannot modify the Log4j configuration.
Related article: Apache Log4j 2.x Security Vulnerabilities (CVE-2021-44228 & CVE-2021-45046 & CVE-2021-45105) - Impact on Servigistics Products
CVE-2019-17571:
- The Log4j 1.x version identified as vulnerable in the CVE-2019-17571 description is used by Servigistics products.
- The vulnerable SocketServer/SimpleSocketServer classes are part of Log4j's SocketAppender capability, which sends LoggingEvent objects to a remote log server, usually a SocketNode. The SocketNode reads LoggingEvent objects sent from a remote client over TCP sockets, and these events are logged according to local policy as if they had been generated locally. The SocketAppender ships a serialized LoggingEvent object, without any layout, to the server side; on the remote host, deserializing it gives access to the same information and lets the receiver specify the layout in which the logs are printed.
- The Log4j capability to receive remote logs through its SocketServer class (where the vulnerability exists) is not enabled in Servigistics products out of the box, and there is no such call from the Servigistics codebase. Furthermore, no Servigistics documentation describes enabling or running this capability.
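The following Python script is an added example and is not part of this article or of any Servigistics product. It turns the two conditions described above into checks an administrator can run: it inspects a log4j.properties or log4j.xml file for any appender bound to org.apache.log4j.net.JMSAppender (the precondition for CVE-2021-4104), lists whether the JMSAppender and SocketServer/SimpleSocketServer/SocketNode class files (CVE-2019-17571) are present in a Log4j 1.x jar, and writes a copy of the jar with those entries removed, which is the "remove the JMSAppender class from the classpath" mitigation applied inside the jar. The class and package names are Log4j 1.x's own; the configuration text and jar contents are constructed sample data, and the placeholder class bodies are not real bytecode.

```python
"""Added example (not part of the PTC article): audit a Log4j 1.x deployment
for the two conditions described above and produce a hardened jar.

Checks performed:
  1. log4j.properties / log4j.xml: is any appender bound to JMSAppender?
     (CVE-2021-4104 only applies when JMSAppender is configured.)
  2. log4j jar: are JMSAppender and the SocketServer/SimpleSocketServer/
     SocketNode classes (CVE-2019-17571) present, and strip them out.
All configuration text and jar contents below are constructed sample data.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"

# Class file entries to look for inside the jar; package names are Log4j 1.x's own.
RISKY_CLASSES = frozenset({
    "org/apache/log4j/net/JMSAppender.class",         # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",        # CVE-2019-17571
    "org/apache/log4j/net/SimpleSocketServer.class",  # CVE-2019-17571
    "org/apache/log4j/net/SocketNode.class",          # receiver used by both servers
})

# log4j.appender.<name>=<class>; keys like log4j.appender.<name>.File do not match.
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)$")


def jms_appenders_in_properties(text):
    """Names of appenders bound to JMSAppender in log4j.properties text.
    Lines commented out with '#' or '!' are skipped, as Log4j itself skips them."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_RE.match(line)
        if m and m.group(2) == JMS_CLASS:
            hits.append(m.group(1))
    return hits


def jms_appenders_in_xml(text):
    """Names of <appender> elements whose class is JMSAppender in log4j.xml text."""
    root = ET.fromstring(text)
    return [a.get("name") for a in root.iter("appender") if a.get("class") == JMS_CLASS]


def jar_entries(jar_bytes):
    """All entry names in a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def risky_classes_in_jar(jar_bytes):
    """Sorted list of the risky class entries actually present in the jar."""
    return sorted(n for n in jar_entries(jar_bytes) if n in RISKY_CLASSES)


def strip_risky_classes(jar_bytes):
    """Copy of the jar with the risky class entries removed. Any configuration
    that still references JMSAppender must be cleaned up as well, otherwise
    Log4j fails to instantiate that appender at startup."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in RISKY_CLASSES:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


# --- constructed sample inputs ---------------------------------------------
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=appLogTopic
#log4j.appender.oldjms=org.apache.log4j.net.JMSAppender
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="queue" class="org.apache.log4j.net.JMSAppender"/>
  <root><priority value="info"/><appender-ref ref="queue"/></root>
</log4j:configuration>
"""


def build_sample_jar():
    """A fake log4j 1.x jar with placeholder (non-bytecode) class bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF",
                     "org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/SocketAppender.class",
                     "org/apache/log4j/net/JMSAppender.class",
                     "org/apache/log4j/net/SocketServer.class"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("JMSAppender in properties:", jms_appenders_in_properties(SAMPLE_PROPERTIES))
    print("JMSAppender in xml:", jms_appenders_in_xml(SAMPLE_XML))
    jar = build_sample_jar()
    print("risky classes in jar:", risky_classes_in_jar(jar))
    print("after stripping:", risky_classes_in_jar(strip_risky_classes(jar)))
```

On a real system, point the three checks at the deployed log4j.properties or log4j.xml and at the log4j-1.2.x jar on the application's classpath; the SocketAppender class is deliberately left in place because it is the sending side, while the receiving SocketServer classes are the ones the CVE concerns.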