[Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Fri Dec 10, 2021 9:30 pm
by normalcy
Hi, is Unimus affected by CVE-2021-44228?
Quick grep of the unimus jar shows a couple of log4j strings but not sure if you actually use the framework itself?

# zcat /opt/unimus/Unimus.jar |grep -i log4j
gzip: /opt/unimus/Unimus.jar has more than one entry--rest ignored
Name: BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
Name: BOOT-INF/lib/log4j-api-2.14.1.jar
If you are affected, is there an update, or are there any mitigation instructions?
Cheers.

Re: Is Unimus vulnerable to CVE-2021-44228?

Posted: Fri Dec 10, 2021 9:37 pm
by Tomas
Hello, yes, we can confirm Unimus is sadly affected by this vuln. We have just finished rolling out hotfixes across our infrastructure / backend services.

A hotfix release for Unimus (and Core) itself will be released ASAP tomorrow.

EDIT: a hotfix release is now available viewtopic.php?f=3&p=3285#p3285

Re: Is Unimus vulnerable to CVE-2021-44228?

Posted: Fri Dec 10, 2021 10:17 pm
by normalcy
Tomas wrote:
Fri Dec 10, 2021 9:37 pm
Hello, yes, we can confirm Unimus is sadly affected by this vuln. We have just finished rolling out hotfixes across our infrastructure / backend services.

A hotfix release for Unimus (and Core) itself will be released ASAP tomorrow.
Thanks for the quick reply Tomas. Thankfully we're not internet-exposed, which reduces the risk a bit; happy to wait.
For everyone else running around looking for apps using log4j, there is a hash list of vulnerable library versions (1.x might still actually be affected too).

Also greynoise has an IP list being updated of IPs trying exploits.

Re: Is Unimus vulnerable to CVE-2021-44228?

Posted: Sat Dec 11, 2021 1:51 am
by normalcy
normalcy wrote:
Fri Dec 10, 2021 10:17 pm
Thanks for the quick reply Tomas, thankfully we're not internet exposed which reduces the risk a bit, happy to wait.
For everyone else running around looking for apps using log4j, there is a hash list of vulnerable library versions (1.x might still actually be affected too).
I know this is not the issue here, but just to correct the record: the log4j 1.x author says it's not vulnerable.

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Sat Dec 11, 2021 7:16 pm
by Tomas
Update: we have just released 2.1.4, which addresses the vulnerabilities introduced by CVE-2021-44228. We strongly recommend all users update to this release.

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Wed Dec 15, 2021 8:37 am
by hoeth

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Wed Dec 15, 2021 5:01 pm
by Tomas
2.1.4 is NOT affected by CVE-2021-45046; this vulnerability is conditional and cannot be triggered in Unimus.

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Thu Dec 16, 2021 12:14 am
by bobby_hill
Is there another update with log4j v2.16? I've been told by several other vendors that there is another vulnerability in 2.15.

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Thu Dec 16, 2021 12:22 am
by Tomas
bobby_hill wrote:
Thu Dec 16, 2021 12:14 am
Is there another update with log4j v 2.16? I've been told by several other vendors that there is another vulnerability in 2.15.
This new vulnerability is the CVE-2021-45046 I mentioned in my previous post. Unimus is NOT affected by this, 2.1.4 is safe to use.

Re: [Solved] Is Unimus vulnerable to CVE-2021-44228?

Posted: Fri Dec 17, 2021 10:01 pm
by Tomas
Just a small update - since new vulnerabilities continue to be identified in log4j, starting with 2.2.0-Beta1 and going forward, we have removed log4j and log4j-core from Unimus.

While Unimus 2.1.4 is NOT affected by any of the disclosed vulnerabilities (up to the date of this post), if you want to be 100% certain, please feel free to head to the Beta section and deploy 2.2.0-Beta1.

2.2.0 is planned for a GA release in February (current plan for week 2 of Feb.).

Technical notes:

You will still find "log4j-api" and "log4j-to-slf4j" on Unimus' classpath - this is expected and required. These small libraries allow us to use other libraries which utilize log4j for logging, without actually having full log4j on our classpath. These two libraries are not, and were not, in any way affected by any of the log4j-core issues, and only serve as logging bridges to tie other libraries into our logging backend.

Log4j binaries which are exploitable are either "log4j" (old v1 versions of log4j, which have multiple vulns) or "log4j-core", which was the culprit in all the latest CVEs.
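The check this thread turns on, from the first post's grep of Unimus.jar to the technical notes above, is which log4j artifacts sit on the classpath and whether the one that matters, log4j-core, is present and at which version. The script below is an added example and is not Unimus code or code from any of the posts. It builds a constructed stand-in for a Spring Boot fat jar in memory, walks BOOT-INF/lib/ with Python's zipfile (gzip's `zcat` only inflates the first zip entry, which is what its "more than one entry--rest ignored" warning in the first post means), classifies log4j-api and log4j-to-slf4j as bridges, judges log4j-core by version against the 2.15.0 (CVE-2021-44228) and 2.16.0 (CVE-2021-45046) fix releases, and checks whether the nested core jar still contains JndiLookup.class, the class the common hot patch deleted. The sample jar layout, the nested artifact versions and the spring-core filler jar are assumptions for the demonstration.

```python
"""Triage a Spring Boot fat jar for log4j artifacts (CVE-2021-44228 / CVE-2021-45046).

Added example, not Unimus code. Separates the logging bridges that may legitimately
stay on the classpath (log4j-api, log4j-to-slf4j) from log4j-core, the artifact that
carried the JNDI message lookup, and reads every nested jar instead of `zcat | grep`.
"""
import io
import re
import sys
import zipfile

# Maven-style file names: <artifact>-<version>[-<qualifier>].jar, e.g. log4j-to-slf4j-2.14.1.jar
JAR_RE = re.compile(r"^(?P<name>[\w.-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")
BRIDGES = {"log4j-api", "log4j-to-slf4j"}  # API facade and log4j->slf4j bridge: no lookup code
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_jar_name(path):
    """Return (artifact, version tuple) for a Maven-style jar name, else None."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return m.group("name"), tuple(int(x) for x in m.group("ver").split("."))


def classify(path):
    """Map a jar path to (artifact, version, verdict); None for jars unrelated to log4j."""
    parsed = parse_jar_name(path)
    if parsed is None:
        return None
    name, ver = parsed
    if name in BRIDGES:
        verdict = "bridge only: not affected by the log4j-core CVEs"
    elif name == "log4j" and ver[0] == 1:
        verdict = "log4j 1.x: end of life; has no message lookups, so CVE-2021-44228 does not apply"
    elif name == "log4j-core":
        if ver < (2, 15, 0):
            verdict = "VULNERABLE: CVE-2021-44228 (JNDI message lookup enabled by default)"
        elif ver < (2, 16, 0):
            verdict = "REVIEW: CVE-2021-45046 (conditional on non-default PatternLayout lookups)"
        else:
            verdict = "not affected by CVE-2021-44228 / CVE-2021-45046"
    else:
        return None
    return name, ver, verdict


def has_jndi_lookup(nested_jar_bytes):
    """True when a log4j-core jar still ships JndiLookup.class (the class hot patches removed)."""
    with zipfile.ZipFile(io.BytesIO(nested_jar_bytes)) as zf:
        return JNDI_LOOKUP in zf.namelist()


def scan_fat_jar(fat_jar_bytes):
    """Walk BOOT-INF/lib/ inside a Spring Boot jar and report every log4j artifact found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(fat_jar_bytes)) as outer:
        for entry in outer.namelist():
            if not (entry.startswith("BOOT-INF/lib/") and entry.endswith(".jar")):
                continue
            hit = classify(entry)
            if hit is None:
                continue
            name, ver, verdict = hit
            finding = {"entry": entry, "artifact": name, "version": ver, "verdict": verdict}
            if name == "log4j-core":
                finding["jndi_lookup_present"] = has_jndi_lookup(outer.read(entry))
            findings.append(finding)
    return findings


def _jar(entries):
    """Build a jar (zip) in memory from {path: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def build_sample_fat_jar(core_version="2.14.1", strip_jndi=False):
    """Constructed stand-in for Unimus.jar (assumed layout, not the real one): both bridges,
    a log4j-core of the given version and one unrelated jar. Class bodies are dummy bytes."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are irrelevant to the scan
    core = {"org/apache/logging/log4j/core/Logger.class": stub}
    if not strip_jndi:
        core[JNDI_LOOKUP] = stub
    return _jar({
        "BOOT-INF/lib/log4j-api-2.14.1.jar": _jar({"org/apache/logging/log4j/Logger.class": stub}),
        "BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar": _jar({"org/apache/logging/slf4j/SLF4JProvider.class": stub}),
        f"BOOT-INF/lib/log4j-core-{core_version}.jar": _jar(core),
        "BOOT-INF/lib/spring-core-5.3.13.jar": _jar({"org/springframework/core/SpringVersion.class": stub}),
    })


if __name__ == "__main__":
    # Usage: python log4j_triage.py /opt/unimus/Unimus.jar   (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat_jar()
    for f in scan_fat_jar(data):
        ver = ".".join(map(str, f["version"]))
        extra = "" if "jndi_lookup_present" not in f else f"  JndiLookup.class={f['jndi_lookup_present']}"
        print(f"{f['entry']}  {f['artifact']} {ver}: {f['verdict']}{extra}")
```

Run against a real jar the report lists each nested log4j artifact with its version and verdict; the two bridge jars Tomas describes come out as "bridge only", and a log4j-core hit also says whether JndiLookup.class is still inside it, so a jar that was hot-patched by deleting the class is distinguishable from an untouched one of the same version.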