[Solved] Is Unimus vulnerable to CVE-2021-44228?

normalcy
Posts: 15
Joined: Thu Nov 16, 2017 2:19 am

Fri Dec 10, 2021 9:30 pm

Hi, is Unimus affected by CVE-2021-44228?
Quick grep of the unimus jar shows a couple of log4j strings but not sure if you actually use the framework itself?

# zcat /opt/unimus/Unimus.jar |grep -i log4j
gzip: /opt/unimus/Unimus.jar has more than one entry--rest ignored
Name: BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
Name: BOOT-INF/lib/log4j-api-2.14.1.jar
If you are affected, is there an update or any mitigation instructions?
Cheers.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Fri Dec 10, 2021 9:37 pm

Hello, yes, we can confirm Unimus is sadly affected by this vuln. We have just finished rolling out hotfixes across our infrastructure / backend services.

A hotfix release for Unimus (and Core) itself will be released ASAP tomorrow.

EDIT: a hotfix release is now available viewtopic.php?f=3&p=3285#p3285
normalcy
Posts: 15
Joined: Thu Nov 16, 2017 2:19 am

Fri Dec 10, 2021 10:17 pm

Tomas wrote:
Fri Dec 10, 2021 9:37 pm
Hello, yes, we can confirm Unimus is sadly affected by this vuln. We have just finished rolling out hotfixes across our infrastructure / backend services.

A hotfix release for Unimus (and Core) itself will be released ASAP tomorrow.
Thanks for the quick reply Tomas, thankfully we're not internet exposed which reduces the risk a bit, happy to wait.
For everyone else running around looking for apps using log4j, there is a hash list of vulnerable library versions (1.x might still actually be affected too).

Also greynoise has an IP list being updated of IPs trying exploits.
normalcy
Posts: 15
Joined: Thu Nov 16, 2017 2:19 am

Sat Dec 11, 2021 1:51 am

normalcy wrote:
Fri Dec 10, 2021 10:17 pm
Thanks for the quick reply Tomas, thankfully we're not internet exposed which reduces the risk a bit, happy to wait.
For everyone else running around looking for apps using log4j, there is a hash list of vulnerable library versions (1.x might still actually be affected too).
I know this is not the issue here, but just to correct the record, the log4j 1.x author says it's not vulnerable.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Sat Dec 11, 2021 7:16 pm

Update: we have just released 2.1.4, which addresses the vulnerabilities introduced by CVE-2021-44228. We strongly recommend all users update to this release.
hoeth
Posts: 3
Joined: Wed Feb 20, 2019 3:27 pm

Wed Dec 15, 2021 8:37 am

Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Wed Dec 15, 2021 5:01 pm

2.1.4 is NOT affected by CVE-2021-45046; this vulnerability is conditional and cannot be triggered in Unimus.
bobby_hill
Posts: 1
Joined: Wed May 20, 2020 12:15 am

Thu Dec 16, 2021 12:14 am

Is there another update with log4j v 2.16? I've been told by several other vendors that there is another vulnerability in 2.15.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Thu Dec 16, 2021 12:22 am

bobby_hill wrote:
Thu Dec 16, 2021 12:14 am
Is there another update with log4j v 2.16? I've been told by several other vendors that there is another vulnerability in 2.15.
This new vulnerability is the CVE-2021-45046 I mentioned in my previous post. Unimus is NOT affected by this, 2.1.4 is safe to use.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Fri Dec 17, 2021 10:01 pm

Just a small update - since new vulnerabilities continue to be identified in log4j, starting with 2.2.0-Beta1 and going forward, we have removed log4j and log4j-core from Unimus.

While Unimus 2.1.4 is NOT affected by any of the disclosed vulnerabilities (up to the date of this post), if you want to be 100% certain, please feel free to head to the Beta section and deploy 2.2.0-Beta1.

2.2.0 is planned for a GA release in February (current plan for week 2 of Feb.).

Technical notes:

You will still find "log4j-api" and "log4j-to-slf4j" on Unimus' classpath - this is expected and required. These small libraries allow us to use other libraries which utilize log4j for logging, without actually having full log4j on our classpath. These 2 libraries are not, and were not in any way affected by any of the log4j-core issues, and only serve as logging bridges to tie other libraries into our logging backend.

Log4j binaries which are exploitable are either "log4j" (old v1 versions of log4j, which have multiple vulns) or "log4j-core", which was the culprit in all the latest CVEs.
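The thread's two practical points, that a Spring Boot jar keeps its dependencies as nested jars under BOOT-INF/lib (the zcat output in the first post) and that only log4j-core (or a legacy 1.x "log4j") matters while log4j-api and log4j-to-slf4j are harmless bridges, can be turned into a small inventory check. The script below is an added example written for this page; it is not Unimus code or part of any post. It opens a fat jar, lists the log4j artifacts it bundles, classifies each as bridge, core or legacy, flags log4j-core below a minimum version, and records the SHA-256 of each nested jar so it can be compared against a published hash list like the one mentioned above. The sample jar it builds in memory is constructed for the demonstration, and the default minimum core version of 2.16.0 is an assumption taken from the version bobby_hill asked about, not a statement from the vendor.

```python
import hashlib
import io
import re
import zipfile

# Spring Boot fat jars keep dependencies as nested jars under BOOT-INF/lib/,
# which is the layout visible in the zcat output quoted in the first post.
# The artifact group only accepts dash-separated segments that start with a
# letter, so "log4j-1.2.17.jar" parses as artifact "log4j", version "1.2.17".
NESTED_JAR = re.compile(
    r"^BOOT-INF/lib/(log4j(?:-[a-z][a-z0-9]*)*)-(\d+(?:\.\d+)*)\.jar$"
)

# Roles as described in the thread: the bridges only route other libraries'
# logging into SLF4J; log4j-core is where the recent CVEs live; a bare
# "log4j" artifact is the old 1.x line (the thread disagrees on whether
# CVE-2021-44228 applies to it, so it is reported separately, not as safe).
BRIDGES = {"log4j-api", "log4j-to-slf4j"}
CORE = "log4j-core"
LEGACY = "log4j"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(artifact, version, min_core_version):
    """Map one nested log4j jar to a role string."""
    if artifact == CORE:
        if parse_version(version) < min_core_version:
            return "vulnerable-core"
        return "patched-core"
    if artifact == LEGACY:
        return "legacy-v1"
    if artifact in BRIDGES:
        return "bridge"
    return "other"


def inventory_log4j(jar_bytes, min_core_version=(2, 16, 0)):
    """List every log4j artifact bundled in a fat jar with role and SHA-256.

    min_core_version (2.16.0 by default) is an assumed threshold for this
    example; adjust it to the fixed version your advisory names.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as outer:
        for name in outer.namelist():
            match = NESTED_JAR.match(name)
            if not match:
                continue
            artifact, version = match.groups()
            data = outer.read(name)
            findings.append({
                "entry": name,
                "artifact": artifact,
                "version": version,
                "role": classify(artifact, version, min_core_version),
                # Hash of the nested jar bytes, for comparison with a
                # published list of known-vulnerable library hashes.
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def is_exposed(findings):
    """True only when an unpatched log4j-core is present; bridges never count."""
    return any(f["role"] == "vulnerable-core" for f in findings)


def _tiny_jar():
    # Minimal stand-in for a nested jar; fixed ZipInfo timestamps keep the
    # bytes (and therefore the hashes) deterministic between runs.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF"), "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_jar(include_core):
    """Constructed fat jar for the demo: the two bridges from the first post,
    an unrelated library, and optionally a pre-2.16 log4j-core."""
    names = [
        "BOOT-INF/lib/log4j-api-2.14.1.jar",
        "BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar",
        "BOOT-INF/lib/some-other-lib-1.0.0.jar",
    ]
    if include_core:
        names.append("BOOT-INF/lib/log4j-core-2.14.1.jar")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        for name in names:
            outer.writestr(zipfile.ZipInfo(name), _tiny_jar())
    return buf.getvalue()


if __name__ == "__main__":
    for include_core in (True, False):
        findings = inventory_log4j(build_sample_jar(include_core))
        for f in findings:
            print(f"{f['role']:16} {f['artifact']}-{f['version']}  {f['sha256'][:16]}...")
        print("exposed:", is_exposed(findings), "\n")
```

To run it against a real deployment, replace build_sample_jar with the bytes of the jar under test, for example open("/opt/unimus/Unimus.jar", "rb").read(); the bridges listed in the first post will come back as "bridge" and the result hinges only on whether a log4j-core entry is present and which version it carries.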