Remote Code Execution in Log4j [CVE-2021-44228]

Update January 10, 09:12 AEST: Yellowfin is aware of existing CVE's against log4j 2.16(CVE-2021-45105 & CVE-2021-44832). Yellowfin's default logging configuration is not vulnerable to either without modification to the log4j2.xml file. The log4j library will be upgraded in a future release, TBD.

Update December 21, 12:00 AEST: Patched versions 8.0.10.4, 9.4.2.1, 9.5.1.1 and 9.6.2.1 have now been added to the Docker page. Text in the post below has been updated to reflect this.

Update December 20, 19:40 AEST: Yellowfin is aware of the newly discovered vulnerability in log4j, per CVE-2021-45105. Initial review of this vulnerability indicates that Yellowfin log4j2 configurations do not include the vulnerable lookup type. Testing is ongoing to determine whether this can be exploited against Yellowfin in spite of this consideration.

This vulnerability has been graded lower than previously reported vulnerabilities below and at present there are no plans to publish an emergency patch. We will continue to monitor the situation, and this vulnerability will be considered for a future patch release. 

Update December 17, 15:56 AEST: Patches for versions 9.6, 9.5, and 9.4 are now available. Please see section ‘Remediation Option 1’ below for links. We are currently working on patched releases for older impacted versions of 8, which will also be added here.

Update December 15, 20:21 AEST: Patches for Yellowfin versions 9.7 and 8.0.10 to mitigate exposure are now available. These patches use the updated log4j2.16 library. Please see the post below for updated links and remediation advice. We highly recommend that you use the patches, but if this is not possible,use one of the other (new) remediation options.

We are currently working on patched releases for earlier versions, which will be added below once available. Further updates to follow.

Update December 15, 14:34 AEST: Additional information has come to light showing that log4j2.15 is also exploitable. We are currently in the process of patching the latest YF releases with the updated log4j2.16 library. Further updates to follow.

Update December 14, 16:45 AEST: Ongoing testing has revealed scenarios in which Yellowfin software is vulnerable to the log4j vulnerability. The remediation steps below should be implemented as soon as possible.

Log4j 2.x in versions earlier than 2.16.0 are affected by a critical vulnerability that can lead to remote code execution (RCE) in some circumstances. This does not affect Yellowfin software in releases prior to December 2020, but does affect more recent releases. Affected Releases;

9 series : 9.4.0 or later

8 series : 8.0.8 or later

v7 and v6 releases are not affected unless you have manually upgraded to Log4j2.

The following information is provided to all our customers regardless of their setup. Due to the severity of this vulnerability, we highly recommend you apply the patched version of Yellowfin, or one of the other two remediation options, to fully protect your systems

Vulnerability details

From the official CVE:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP Servers when message lookup substitution is enabled.

Yellowfin versions 8.0.8 to 8.0.10.1, and Yellowfin 9.4 to 9.7 ship with log4j 2.13.3, which is affected. 

Remediation option 1: install the patch

We have released patches for Yellowfin 8 and 9 that use an unaffected version of log4j (log4j2 2.16.0).

Version 9.7.0.3 

Version 9.6.2.1 

Version 9.4.2.1 

Version 9.5.1.1 

Version 8.0.10.4 

Please visit our Yellowfin Releases page to download the version that is relevant for you. It is recommended to go to the closest minor version to your current install to minimise any possible disruption (9.7.x, 9.6.x, 9.4.x etc.)

Yellowfin Docker: Images updated to 9.7.0.3, 8.0.10.4, 9.4.2.1, 9.5.1.1 and 9.6.2.1: https://hub.docker.com/r/yellowfinbi/yellowfin-app-only

Remediation option 2: upgrade log4j in an existing Yellowfin instance

It is possible to upgrade log4j in Yellowfin independently of a patch. Download log4j 2.17.0 binary distribution from the log4j website. This remediation option will work on all versions of Yellowfin that are affected by the vulnerability.

From the distribution zip file, extract the following files and copy them into the Yellowfin/appserver/webapps/ROOT/WEB-INF/lib folder:

log4j-1.2-api-2.17.0.jar

log4j-api-2.17.0.jar

log4j-core-2.17.0.jar

log4j-web-2.17.0.jar

You will also need to remove the existing log4j libraries in the folder. These files will have the same names, but with a different version number. Either version 2.13.3 or 2.15.0. If you do not remove the existing files, the system may not start, or could still be vulnerable to the exploit.

After replacing the log4j libraries, restart Yellowfin.

Upgrading Yellowfin’s log4j libraries independently of a Yellowfin patch may break future upgrades. When performing an upgrade, it may be necessary to revert to the old libraries prior to the upgrade. (The upgrade would then deliver a new version of log4j as part of the upgrade process).

Remediation Option 3 - Remove the JNDI handler class from log4j.

It is possible to remove the internal code that causes the vulnerability from the vulnerable version of log4j. This internal code is present in JndiLookup.class in the log4j-core-2.13.3.jar file.

Run this command from the classpath to remove the code from the library: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Once the class is removed from the library, restart Yellowfin for the changes to take effect.

We recommend you perform one of the remediation options immediately for protection against this vulnerability.