
Site24x7 and the recent Apache Log4j vulnerability

On December 09, 2021, a severe vulnerability (CVE-2021-4422) was disclosed in the popular Java logging library Log4j 2, versions 2.0 to 2.14.1, that results in remote code execution (RCE) by logging a certain string. You can find the details of this vulnerability here: https://logging.apache.org/log4j/2.x/security.html

Though there were a few attempts, we didn't find any traces or evidence of a successful exploitation. As we also possess some third-party components that could be potentially vulnerable, we've completely patched the vulnerability as a mitigation measure. And we can vouch for the fact that no sign of an active exploit could be found throughout Site24x7. Also, the different binary or installable software/agents we support aren't prone to this vulnerability.

We'll keep analyzing the issue and will be posting the new updates in this thread. Please feel free to contact support@site24x7.com or security@zohocorp.com for further details or assistance; we're happy to help you.

  

Regards,

Vinoth

Site24x7 Red Team


Re: Site24x7 and the recent Apache Log4j vulnerability

Thanks, please keep us posted (couldn't upvote the issue as I am based in the EU and the portal doesn't support logging in as an EU user).

 


Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Would be nice if there was some info on the main Site24x7 page with a link to this announcement.


Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Yes, agree on this. This is official: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

If you look on all major players they have this official statement on their main page

Site 24x7 should do this also..


Re: Site24x7 and the recent Apache Log4j vulnerability

Thanks for the update - I note that Log4j and PostgreSQL are components of agents that are end of life. They are carrying vulnerabilities too - are these being patched too?


Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi Jonathan,

As commented in Jason's reply, we are safe against the log4shell vulnerabilities. We will also migrate the log4j dependency to the latest version as recommended by Apache.

With respect to your query on PostgreSQL, our product team is already working on this migration and will post an update regarding this soon.

Thanks,

Vinoth,

Site24x7 Red Team


Re: Site24x7 and the recent Apache Log4j vulnerability

What about On Prem Pollers:

C:\Program Files (x86)\Site24x7OnPremisePoller\lib\jars log4j-1.2.17.jar
C:\Program Files (x86)\Site24x7OnPremisePoller\NetworkPlus\lib log4j-1.2.8.jar
C:\Program Files (x86)\Site24x7OnPremisePoller\NetworkPlus\lib log4j-boot.jar


Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi Jason,
Site24x7 OnPremise Poller is not affected by this vulnerability (CVE-2021-4422); the log4j 1.x version bundled in Poller doesn't support the JNDI lookup feature. The log4j 1.x version is vulnerable only under certain configurations when JMSAppender is used. Site24x7 OnPremise Poller doesn't use JMSAppender and hence is not affected by the log4shell vulnerability.

We are aware of the other vulnerability present in the log4j 1.x:

The vulnerability with Log4j 1.x (CVE-2019-17571) is RCE using insecure deserialization in SocketServer. The scenario is: if the application is running Log4j's SocketServer, which opens a port and listens for log events from the network, then it can be exploited. The SocketServer implementation deserializes the data coming in from the network into Java objects without verification, which can trigger RCE.

But our usage of log4j in On-premise Poller is limited to basic logging functionality, and doesn't use the SocketServer feature. Hence we are safe against this vulnerability also.

However as per the recommendations from Apache, we are also planning to migrate the log4j jars to the latest one. I'll update this thread once the change is released.

 

Thanks,

Site24x7 Red Team


Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Thank you for the detailed information, we appreciate that!


Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

Site24x7 team... is this covered?


Re: Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi,

We are aware of the vulnerability CVE-2021-45046. The patch involves the removal of the vulnerable JNDILookup.class from all our usage. We can confirm that we are resilient against this vulnerability also.

Thanks & Regards,

Vinoth

Site24x7 Red Team


Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Dear All,

As mentioned earlier in this thread, we have migrated the log4j from 1.2.17 to 2.17.0 in the latest Site24x7 Poller binaries. The release notes can be found here.

https://www.site24x7.com/help/on-premise-poller-release-notes.html#version-5.1.3

 

Thanks,

Vinoth

Site24x7 Red Team


Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Many thanks for this. Do you have an update on when we will see PostgreSQL updated to a version which is not end of life?


Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

We have upgraded our onpremise pollers to the latest version, 5.1.3, and we still see the old log4j file at Site24x7OnPremisePoller\NetworkPlus\lib\log4j-1.2.8.jar. Per the release notes, this file should have been replaced with log4j-2.17.0.

This is also being picked up by our vulnerability scans.


Re: Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Is the networkplus module active? Same thing happened with us, but our networkplus module is disabled. I thought that got installed when you activate it. Just an idea.


Re: Re: Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

I'm not sure, I never did anything to activate NetworkPlus, I'm not even sure what it is. Can I just delete the NetworkPlus folder? Site24x7OnPremisePoller\NetworkPlus\lib\log4j-1.2.8.jar

Upon further investigation, it does look like the new 2.17 file does exist at Site24x7OnPremisePoller\lib\jars\log4j-core-2.17.0.jar. Vuln scan is now saying a 2.17.1 has been released.

 


Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi, we also updated to version 5.1.3 and after a rescan we are still showing

/Site24x7OnPremisePoller/NetworkPlus/lib/log4j-1.2.8.jar

/opt/Site24x7OnPremisePoller/NetworkPlus Java 1.8.0_102

 

We do use the Network Modules so we can't just remove the folder. Will there be further updates to fix this?


Re: Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi Guest, Josh, Dough, and Shaheen

Thank you for reaching out. Your questions appear to point to the same scenario.

When you install the On-Premise Poller, it automatically downloads the Network Module. The Network Module is used only to monitor the network devices. In this case, as a workaround, we recommend you delete the content inside the NetworkPlus folder. (Site24x7OnPremisePoller/NetworkPlus/).

Please ensure that you are not deleting the parent NetworkPlus folder as the Network Module will be re-downloaded even if it is deleted. Hence, delete only the contents (files and subfolders) inside the NetworkPlus folder.

Regarding the log4j security issue in the Network Module, we have removed the vulnerable classes (JMSAppender.class and SocketServer.class) from log4j-1.2.8.jar and have released the latest build.

For existing Network Module installations, please follow the below steps to apply the security fix:

1. Download the patch from the below link.

https://staticdownloads.site24x7.com/probe/log4j-1.2.8-security-fix.zip

2. Once the patch is downloaded, stop the Site24x7 On-Premise Poller and ensure that all the processes are stopped.

3. Extract the patch file in the Site24x7 On-Premise Poller installed directory (default: Site24x7OnPremisePoller/). You have to replace the existing file(s).

4. Start the On-Premise Poller service with Administrator/root privileges.

 

Regarding the PostgreSQL upgrade, we have added the Network Module's PostgreSQL and JRE version upgrade to our roadmap, and I'll update this thread when it's released. Currently, we do not have an exact timeline for the release.

Regards,

Divyasree
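
Added example, not part of the reply above or of Site24x7's tooling: one way to confirm, after patching, that the class files named in this thread are gone from every log4j jar under the poller directory. The jars built in `demo()` are constructed stand-ins, and `log4j-patched.jar` is a hypothetical file name.

```python
import os
import tempfile
import zipfile

# Class entries named in this thread, with the CVE each reply ties them to.
RISKY_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-45046",
}

def scan_jar(path):
    """Return sorted (class_entry, cve) pairs still present in one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return sorted((c, cve) for c, cve in RISKY_CLASSES.items() if c in names)

def scan_tree(root):
    """Walk root and return {jar_path: findings} for every log4j*.jar."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low.startswith("log4j") and low.endswith(".jar"):
                full = os.path.join(dirpath, name)
                try:
                    report[full] = scan_jar(full)
                except (zipfile.BadZipFile, OSError) as exc:
                    report[full] = [("unreadable", str(exc))]
    return report

def demo():
    """Build two constructed jars (not the real poller files) and scan them."""
    samples = {
        "log4j-1.2.8.jar": ["org/apache/log4j/Logger.class",
                            "org/apache/log4j/net/JMSAppender.class",
                            "org/apache/log4j/net/SocketServer.class"],
        "log4j-patched.jar": ["org/apache/log4j/Logger.class"],  # hypothetical name
    }
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "NetworkPlus", "lib")
        os.makedirs(lib)
        for jar_name, entries in samples.items():
            with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
                for entry in entries:
                    jar.writestr(entry, b"")
        return {os.path.basename(p): f for p, f in scan_tree(root).items()}

if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(name, findings or "clean")
```

Call `scan_tree()` on the poller's install directory to check a real host. Jars nested inside other archives are not opened by this scan.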



Re: Site24x7 and the recent Apache Log4j vulnerability

Hi Vinoth,

What is the current status on this matter? Do we need to apply any patches ourselves manually or are these being automatically pushed out to pollers and agents? 

Is it possible I could be provided with a version number in which the patch is contained so that I can check our monitoring?

Thanks,

Mason


Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi Mason Richards,

The Poller and Site24x7 APM java Agent are using log4j 1.x which is not affected by the vulnerability. So a patch is not required. NO ACTION IS REQUIRED FROM YOUR END.

I'll add a few more details regarding the two vulnerabilities and why our agents are not affected:

CVE-2021-4104 - applications using Log4j 1.x may be impacted if their configuration uses JNDI (Site24x7 doesn't use any such configurations or JMSAppender)

CVE-2019-17571 - This vulnerability occurs only if the application uses SocketServer to listen for network traffic log data and deserialize the same. (Site24x7 doesn't use SocketServer).

We use log4j for basic logging functionality.

However, because of the EOL status of the log4j version used in our software, we are planning to upgrade it to the latest recommended log4j version and release it as a new version rather than a patch.

To update you on the current status, we have started the work on updating the log4j version to the latest recommended one, and we also have to do a quality check to ensure all the components are working properly.

I'll update this thread, once the updated version is available.

Thanks & Regards,

Vinoth

Site24x7 Red Team


Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Our vulnerability scans flagged the on-prem poller for 2021-4104 JMSAppender. You stated you all do not use JMSAppender but this config file (C:\Program Files (x86)\Site24x7OnPremisePoller\conf\log4j.properties) appears to show otherwise:

# Log config for GeneralReportCollector

log4j.logger.GeneralReportCollector=DEBUG, generalreportcollectorappender
log4j.additivity.GeneralReportCollector=false
log4j.appender.generalreportcollectorappender=org.apache.log4j.RollingFileAppender
log4j.appender.generalreportcollectorappender.MaxFileSize=5MB
log4j.appender.generalreportcollectorappender.MaxBackupIndex=10
log4j.appender.generalreportcollectorappender.File=logs/generalreportcollector.log
log4j.appender.generalreportcollectorappender.layout=org.apache.log4j.PatternLayout
log4j.appender.generalreportcollectorappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n


# Log config for ImmediateReportCollector

log4j.logger.ImmediateReportCollector=DEBUG, immediatereportcollectorappender
log4j.additivity.ImmediateReportCollector=false
log4j.appender.immediatereportcollectorappender=org.apache.log4j.RollingFileAppender
log4j.appender.immediatereportcollectorappender.MaxFileSize=5MB
log4j.appender.immediatereportcollectorappender.MaxBackupIndex=10
log4j.appender.immediatereportcollectorappender.File=logs/immediatereportcollector.log
log4j.appender.immediatereportcollectorappender.layout=org.apache.log4j.PatternLayout
log4j.appender.immediatereportcollectorappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n

# Log config for ReportSender

log4j.logger.ReportSender=DEBUG, reportsenderappender
log4j.additivity.ReportSender=false
log4j.appender.reportsenderappender=org.apache.log4j.RollingFileAppender
log4j.appender.reportsenderappender.MaxFileSize=5MB
log4j.appender.reportsenderappender.MaxBackupIndex=10
log4j.appender.reportsenderappender.File=logs/reportsender.log
log4j.appender.reportsenderappender.layout=org.apache.log4j.PatternLayout
log4j.appender.reportsenderappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n

# Log config for GeneralReportSender

log4j.logger.GeneralReportSender=DEBUG, generalreportsenderappender
log4j.additivity.GeneralReportSender=false
log4j.appender.generalreportsenderappender=org.apache.log4j.RollingFileAppender
log4j.appender.generalreportsenderappender.MaxFileSize=5MB
log4j.appender.generalreportsenderappender.MaxBackupIndex=10
log4j.appender.generalreportsenderappender.File=logs/generalreportsender.log
log4j.appender.generalreportsenderappender.layout=org.apache.log4j.PatternLayout
log4j.appender.generalreportsenderappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n

# Log config for ImmediateReportSender

log4j.logger.ImmediateReportSender=DEBUG, immediatereportsenderappender
log4j.additivity.ImmediateReportSender=false
log4j.appender.immediatereportsenderappender=org.apache.log4j.RollingFileAppender
log4j.appender.immediatereportsenderappender.MaxFileSize=5MB
log4j.appender.immediatereportsenderappender.MaxBackupIndex=10
log4j.appender.immediatereportsenderappender.File=logs/immediatereportsender.log
log4j.appender.immediatereportsenderappender.layout=org.apache.log4j.PatternLayout
log4j.appender.immediatereportsenderappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n

# Log config for FailedReportSender

log4j.logger.FailedReportSender=DEBUG, failedreportsenderappender
log4j.additivity.FailedReportSender=false
log4j.appender.failedreportsenderappender=org.apache.log4j.RollingFileAppender
log4j.appender.failedreportsenderappender.MaxFileSize=5MB
log4j.appender.failedreportsenderappender.MaxBackupIndex=10
log4j.appender.failedreportsenderappender.File=logs/failedreportsender.log
log4j.appender.failedreportsenderappender.layout=org.apache.log4j.PatternLayout
log4j.appender.failedreportsenderappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n

#Log config for VMwareMasterDataCollector

log4j.logger.VMwareMasterDataCollector=DEBUG, vmwaremasterdatacollectorappender
log4j.additivity.VMwareMasterDataCollector=false
log4j.appender.vmwaremasterdatacollectorappender=org.apache.log4j.RollingFileAppender
log4j.appender.vmwaremasterdatacollectorappender.MaxFileSize=5MB
log4j.appender.vmwaremasterdatacollectorappender.MaxBackupIndex=10
log4j.appender.vmwaremasterdatacollectorappender.File=logs/vmwaremasterdatacollector.log
log4j.appender.vmwaremasterdatacollectorappender.layout=org.apache.log4j.PatternLayout
log4j.appender.vmwaremasterdatacollectorappender.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n


# initialize root logger with level INFO for stdout and fout
log4j.rootLogger=INFO,fout
log4j.logger.com.endeca=INFO
log4j.logger.com.endeca.itl.web.metrics=INFO

log4j.appender.fout=org.apache.log4j.RollingFileAppender
log4j.appender.fout.MaxFileSize=5MB
log4j.appender.fout.MaxBackupIndex=10
log4j.appender.fout.File=logs/pollerlog.log
log4j.appender.fout.layout=org.apache.log4j.PatternLayout
log4j.appender.fout.layout.ConversionPattern=%d{ISO8601}\t%p\t%c\t[%t]\t%m%n


Re: Re: Re: Re: Site24x7 and the recent Apache Log4j vulnerability

Hi,

The mentioned vulnerability is tracked under CVE-2021-4104. The vulnerability affects the JMSAppender.class, but only under certain vulnerable configurations.

If you look at the shared log4j.properties, we use only RollingFileAppender and not the JMSAppender. This vulnerability affects applications which are configured to use JMSAppender, which is not the default configuration.

So we can assure you the above configuration is safe and doesn't use JMSAppender.

Thanks,

Vinoth

Site24x7 Red Team
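
Added example, not part of the reply above or of Site24x7's code: a small audit that lists every appender class a log4j 1.x properties file declares and flags JMSAppender, which is the check a reader can run to verify a scanner finding against the actual configuration. `POLLER_SAMPLE` is a constructed excerpt of the file posted in this thread, and `JMS_SAMPLE` adds a constructed line that is not from the poller.

```python
import re

# Appender class this thread ties to CVE-2021-4104.
FLAGGED = {"org.apache.log4j.net.JMSAppender": "CVE-2021-4104"}
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.]+)$")
LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")

# Constructed excerpt of the log4j.properties quoted in the thread.
POLLER_SAMPLE = """\
# initialize root logger with level INFO for stdout and fout
log4j.rootLogger=INFO,fout
log4j.appender.fout=org.apache.log4j.RollingFileAppender
log4j.appender.fout.File=logs/pollerlog.log
log4j.appender.fout.layout=org.apache.log4j.PatternLayout
log4j.appender.reportsenderappender=org.apache.log4j.RollingFileAppender
"""
# Constructed counter-example (not from the poller): a config that would be flagged.
JMS_SAMPLE = POLLER_SAMPLE + "log4j.appender.jms = org.apache.log4j.net.JMSAppender\n"

def parse_properties(text):
    """Minimal .properties parser: '=' or ':' separators, '#' and '!'
    comments, backslash line continuation; later keys override earlier."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (appenders, findings): appender name -> class, and the flagged subset."""
    appenders = {}
    for key, value in parse_properties(text).items():
        m = APPENDER_KEY.match(key)
        if m:  # only the class declaration, not .File/.layout sub-keys
            appenders[m.group(1)] = value.strip()
    findings = {n: (c, FLAGGED[c]) for n, c in appenders.items() if c in FLAGGED}
    return appenders, findings

if __name__ == "__main__":
    for label, text in (("poller excerpt", POLLER_SAMPLE), ("with JMS", JMS_SAMPLE)):
        print(label, audit(text)[1] or "no flagged appenders")
```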

 

 
