CVE-2021-44228 (log4j) Apache vulnerability - How does this affect security in ServiceNow?

Kelly Logan
Kilo Sage

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that's used in countless apps, including those used by large enterprise organizations, several websites reported on last Thursday.

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/


On Friday ServiceNow released a (security) hotfix + instructions on how to upgrade to 2.16! Thanks guys!

Rasith2
Tera Contributor

As per the below article, the Java versions (Paris: OpenJDK 1.8.0_231, Quebec: OpenJDK 11.0.8, Rome: OpenJDK 11.0.9.1) have the trust settings set to false and no further changes need to be made.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959

Our Java version is 11.0.8, but we found many JAR files like log4j-slf4j-impl in our AGENT/LIB folder on all MID Servers. Is this something we need to be concerned about? Please help.

Krystian Nikolo
Tera Contributor

Hi,
I found the KM article a bit vague. Should I be worried?

$ lsof /glide/nodes/sandbox_1641*/webapps/glide/itil/WEB-INF/lib/log4j-1.2.17.jar
COMMAND   PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
java    18278 servicenow  mem    REG  253,1   489884 4722547 /glide/nodes/sandbox_16413/webapps/glide/itil/WEB-INF/lib/log4j-1.2.17.jar
java    18278 servicenow 1093r   REG  253,1   489884 4722547 /glide/nodes/sandbox_16413/webapps/glide/itil/WEB-INF/lib/log4j-1.2.17.jar

No. The vulnerability only affects log4j version 2. You have 1.2.17. You're good.

Jørgen Blakstad
Tera Contributor

Hi,

There seems to be an issue with the System Properties fix: CVE-2021-45046.

What are the consequences of running:
find / -name "log4j-core-*.jar" -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;

Will this break functionality of the mid server?


Jørgen
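The questions in this thread all come down to the same three checks: is a given jar log4j 1.x (Krystian's log4j-1.2.17.jar) or log4j-core 2.x, which 2.x version is it and does it still contain org/apache/logging/log4j/core/lookup/JndiLookup.class (Rasith2's AGENT/LIB listing, where log4j-slf4j-impl is only the SLF4J binding and never carries that class), and what does the `zip -q -d` removal from the NVD text and from Jørgen's `find` command actually change in the jar. The scanner below, added here as an example and not ServiceNow's, Apache's or any poster's code, runs those checks offline and performs the class removal in the same way `zip -d` does. It classifies jars by the package prefixes of their entries and reads the 2.x version from the Maven pom.properties that log4j-core ships under META-INF; a jar without that file is reported as "unknown" version. The directory tree and jars it scans in demo() are constructed fixtures whose entries are empty, not real class files.

```python
# Added example (not ServiceNow's or Apache's code); demo() scans constructed fixture jars.
import os
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"      # only log4j-core ships these
LOG4J1_PREFIX = "org/apache/log4j/"                  # log4j 1.x package
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_IN = (2, 16, 0)  # JNDI lookups disabled by default from this release


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when unknown or not purely numeric."""
    pieces = (text or "").split(".")
    return tuple(int(p) for p in pieces) if all(p.isdigit() for p in pieces) else None


def inspect_jar(path):
    """Classify one jar by the entry names it contains, without loading it."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                    if l.startswith("version=")), None)
    if any(n.startswith(CORE_PREFIX) for n in names):
        kind = "log4j-core-2.x"
    elif any(n.startswith(LOG4J1_PREFIX) for n in names):
        kind = "log4j-1.x"
    else:
        kind = "other"  # log4j-api, the log4j-slf4j-impl binding, anything else
    return {"kind": kind, "version": version, "has_jndi_lookup": JNDI_LOOKUP in names}


def verdict(info):
    """One-line status for an inspect_jar() result."""
    if info["kind"] == "log4j-1.x":
        return "log4j 1.x: out of scope for CVE-2021-44228 (log4j 2 only)"
    if info["kind"] != "log4j-core-2.x":
        return "no log4j-core classes: JndiLookup never lives in this jar"
    if not info["has_jndi_lookup"]:
        return "JndiLookup.class removed: the JNDI lookup cannot be loaded"
    v = parse_version(info["version"])
    if v is not None and v >= FIXED_IN:
        return "log4j-core %s: class present, JNDI lookups off by default" % info["version"]
    return "log4j-core %s: JndiLookup present, upgrade or strip the class" % (info["version"] or "unknown")


def scan_dir(root):
    """(path relative to root, inspect_jar result) for every *.jar under root."""
    return [(j.relative_to(root).as_posix(), inspect_jar(j))
            for j in sorted(Path(root).rglob("*.jar"))]


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, as `zip -q -d` does. True if removed."""
    path, tmp = str(path), str(path) + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # swap in the rewritten jar only once it is complete
    return True


def make_sample_jars(root):
    """Constructed fixtures named after the jars in this thread (entries are empty)."""
    fixtures = {
        "AGENT/lib/log4j-core-2.14.1.jar": [CORE_PREFIX + "Logger.class", JNDI_LOOKUP, POM_PROPS],
        "AGENT/lib/log4j-core-2.16.0.jar": [CORE_PREFIX + "Logger.class", JNDI_LOOKUP, POM_PROPS],
        "AGENT/lib/log4j-slf4j-impl-2.14.1.jar": ["org/apache/logging/slf4j/Log4jLogger.class"],
        "webapps/glide/itil/WEB-INF/lib/log4j-1.2.17.jar": [LOG4J1_PREFIX + "Logger.class"],
    }
    for rel, entries in fixtures.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        version = rel.rsplit("-", 1)[1][:-4]  # "2.14.1" from the fixture's file name
        with zipfile.ZipFile(path, "w") as jar:
            for name in entries:
                jar.writestr(name, "version=%s\n" % version if name == POM_PROPS else b"")


def demo():
    """Scan the fixtures, strip the class from every log4j-core jar, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jars(root)
    before = {rel: verdict(info) for rel, info in scan_dir(root)}
    stripped = [rel for rel, info in scan_dir(root)
                if info["kind"] == "log4j-core-2.x" and strip_jndi_lookup(Path(root, rel))]
    after = {rel: verdict(info) for rel, info in scan_dir(root)}
    return before, stripped, after


if __name__ == "__main__":
    before, _, after = demo()
    print(*("%s\n  %s\n  %s" % (r, before[r], after[r]) for r in before), sep="\n")
```

Two caveats a practitioner would add. First, this only looks at jars sitting on disk; it does not descend into jars nested inside a .war or .ear, and it says nothing about whether a running JVM has actually mapped the file, which is what Krystian's lsof check shows. Second, stripping the class changes nothing except that a `${jndi:...}` lookup can no longer be resolved by that jar; any hand-edited jar is replaced by the next upgrade or hotfix, so rerun the scan afterwards rather than assuming the mitigation survived.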