General discussion of anything Unimus
-
normalcy
- Posts: 15
- Joined: Thu Nov 16, 2017 2:19 am
Fri Dec 10, 2021 9:30 pm
Hi, is Unimus affected by CVE-2021-44228?
Quick grep of the unimus jar shows a couple of log4j strings but not sure if you actually use the framework itself?
Code:
# zcat /opt/unimus/Unimus.jar |grep -i log4j
gzip: /opt/unimus/Unimus.jar has more than one entry--rest ignored
Name: BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
Name: BOOT-INF/lib/log4j-api-2.14.1.jar
If you are affected, is there an update or any mitigation instructions?
Cheers.
-
Tomas
- Posts: 1231
- Joined: Sat Jun 25, 2016 12:33 pm
Fri Dec 10, 2021 9:37 pm
Hello, yes, we can confirm Unimus is sadly affected by this vuln. We have just finished rolling out hotfixes across our infrastructure / backend services.
A hotfix release for Unimus (and Core) itself will be released ASAP tomorrow.
EDIT: a hotfix release is now available
viewtopic.php?f=3&p=3285#p3285
-
Tomas
- Posts: 1231
- Joined: Sat Jun 25, 2016 12:33 pm
Sat Dec 11, 2021 7:16 pm
Update: we have just released 2.1.4, which addresses the vulnerabilities introduced by CVE-2021-44228. We strongly recommend all users update to this release.
-
hoeth
- Posts: 3
- Joined: Wed Feb 20, 2019 3:27 pm
-
Tomas
- Posts: 1231
- Joined: Sat Jun 25, 2016 12:33 pm
Wed Dec 15, 2021 5:01 pm
2.1.4 is NOT affected by CVE-2021-45046; this vulnerability is conditional and cannot be triggered in Unimus.
-
bobby_hill
- Posts: 1
- Joined: Wed May 20, 2020 12:15 am
Thu Dec 16, 2021 12:14 am
Is there another update with log4j v 2.16? I've been told by several other vendors that there is another vulnerability in 2.15.
-
Tomas
- Posts: 1231
- Joined: Sat Jun 25, 2016 12:33 pm
Thu Dec 16, 2021 12:22 am
bobby_hill wrote: Thu Dec 16, 2021 12:14 am
Is there another update with log4j v 2.16? I've been told by several other vendors that there is another vulnerability in 2.15.
This new vulnerability is the CVE-2021-45046 I mentioned in my previous post. Unimus is NOT affected by this, 2.1.4 is safe to use.
-
Tomas
- Posts: 1231
- Joined: Sat Jun 25, 2016 12:33 pm
Fri Dec 17, 2021 10:01 pm
Just a small update - since new vulnerabilities continue to be identified in log4j, starting with 2.2.0-Beta1 and going forward, we have removed log4j and log4j-core from Unimus.
While Unimus 2.1.4 is NOT affected by any of the disclosed vulnerabilities (up to the date of this post), if you want to be 100% certain, please feel free to head to the Beta section and deploy 2.2.0-Beta1.
2.2.0 is planned for a GA release in February (current plan for week 2 of Feb.).
Technical notes:
You will still find "log4j-api" and "log4j-to-slf4j" on Unimus' classpath - this is expected and required. These small libraries allow us to use other libraries which utilize log4j for logging, without actually having full log4j on our classpath. These 2 libraries are not, and were not in any way affected by any of the log4j-core issues, and only serve as logging bridges to tie other libraries into our logging backend.
Log4j binaries which are exploitable are either "log4j" (old v1 versions of log4j, which have multiple vulns) or "log4j-core", which was the culprit in all the latest CVEs.
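The jar inspection from the first post and the classification in the technical notes above, as an added shell example (not Unimus' own tooling): it reads a jar's entry list and separates the exploitable artifacts (log4j-core, log4j 1.x) from the harmless log4j-api / log4j-to-slf4j bridges. The sample listings are constructed; only the two log4j entries come from the thread, the other names are placeholders.

```shell
#!/bin/sh
# Added example (not Unimus' own tooling): classify log4j artifacts inside a Spring Boot
# fat jar. Feed it the jar's entry list, e.g.:  zipinfo -1 /opt/unimus/Unimus.jar | log4j_summary
# (zipinfo -1 prints one entry name per line, which avoids the zcat "rest ignored" problem.)

# Reads entry names on stdin; prints "<artifact> <version> <verdict>" for every log4j-*.jar.
classify_log4j() {
  grep -E '(^|/)log4j-[^/]*\.jar$' | sed -E 's#^.*/##; s#\.jar$##' |
  while IFS= read -r name; do
    artifact=${name%-*}      # "log4j-core-2.14.1" -> "log4j-core"
    version=${name##*-}      # "log4j-core-2.14.1" -> "2.14.1"
    case "$artifact" in
      log4j-core) verdict="log4j-core present: check this version against the log4j advisories" ;;
      log4j)      verdict="log4j 1.x present: multiple known vulnerabilities" ;;
      log4j-api|log4j-to-slf4j)
                  verdict="bridge only: not affected by the log4j-core issues" ;;
      *)          verdict="unclassified: review manually" ;;
    esac
    printf '%s %s %s\n' "$artifact" "$version" "$verdict"
  done
}

# Reads entry names on stdin; prints one word:
#   core-present  - a log4j-core or log4j 1.x jar is on the classpath
#   bridges-only  - only log4j-api / log4j-to-slf4j bridges, as in Unimus 2.1.4
#   none          - no log4j artifacts at all
log4j_summary() {
  classify_log4j | awk '
    $1 == "log4j-core" || $1 == "log4j" { core = 1 }
    { seen = 1 }
    END { if (core) print "core-present"; else if (seen) print "bridges-only"; else print "none" }'
}

# Constructed sample listings (not captured from a real jar); the log4j entries match the
# ones the first post found in Unimus.jar, the other names are placeholders.
UNIMUS_LISTING='META-INF/MANIFEST.MF
BOOT-INF/lib/some-other-lib-1.0.jar
BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
BOOT-INF/lib/log4j-api-2.14.1.jar'
CORE_LISTING='BOOT-INF/lib/log4j-api-2.14.1.jar
BOOT-INF/lib/log4j-core-2.14.1.jar'

printf '%s\n' "$UNIMUS_LISTING" | classify_log4j
printf '%s\n' "$UNIMUS_LISTING" | log4j_summary   # bridges-only
printf '%s\n' "$CORE_LISTING"   | log4j_summary   # core-present
```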