Log4j2 vulnerability (CVE-2021-44228)

The material in this document is for informational purposes only. This guide assumes that the most recent version of Rampiva Automate is in use unless otherwise noted in the prerequisites. The products it describes are subject to change without prior notice, due to the manufacturer’s continuous development program. Rampiva makes no representations or warranties with respect to this document or with respect to the products described herein. Rampiva shall not be liable for any damages, losses, costs or expenses, direct, indirect or incidental, consequential or special, arising out of, or related to the use of this material or the products described herein.

Introduction

On December 10th, 2021, the vulnerability CVE-2021-44228 was made public. This vulnerability affects the popular Java module Log4j and allows an attacker to potentially take complete control of the server on which the code is running. Rampiva Automate does not use the Log4j module and is not affected by this vulnerability.

In this article, we’ll explore how to test if your environment is affected by this vulnerability and the mitigations that you can put in place to protect against it.

Why is Rampiva Automate not affected?

Rampiva Automate is built on top of the Dropwizard framework, which uses the Logback module for logging. Logback is an alternative to Log4j and is not affected by this vulnerability.

When running Jobs in Rampiva Automate, the vulnerability is mitigated by the use of Logback in Scheduler, the Engine Server and the Jobs which run under the Nuix Engine. This is the case because in this scenario, the Nuix Engine inherits the configuration environment from Rampiva and also uses the Logback module for logging instead of Log4j. However, this configuration environment is not inherited by the Nuix Workers.

In Rampiva Scheduler versions 5.5.1 and 5.5.2, we include additional flags that mitigate the vulnerability even when using the Log4j module.

Note that when using Rampiva Workflow from the native Nuix Workstation scripts menu, Rampiva runs similarly to a plugin inside Nuix. In this scenario, running Rampiva Workflow does not mitigate this vulnerability (see the section below on how to mitigate manually).

Is my environment vulnerable?

One way to test for the presence of the vulnerability is to run a script that prints a specially crafted message, and to measure the time it takes to run the script. If the system is vulnerable, when logging the message, the system will attempt to connect to a remote machine, and this connection attempt will take a significant amount of time.

Below is a sample ECMAScript that you can run (for example in a Script Operation in Rampiva Workflow, or in the Script Console in Nuix Workstation) to test for the presence of the vulnerability:

    print("Starting test");
    var start = new Date().getTime();
    // On a vulnerable Log4j version, logging this message triggers a JNDI lookup
    // to the remote address, which adds noticeable delay.
    print("Testing ${jndi:ldap://1.1.1.1}");
    var end = new Date().getTime();
    var time = end - start;
    print("Execution time: " + time + " ms");
    print("");
    // The value of the last expression is shown as the script result in the console.
    if (time > 100) {
        "\n WARNING: System vulnerable to CVE-2021-44228 !"
    } else {
        "\n Test passed, system likely not vulnerable"
    }


If your system is vulnerable, the output will be similar to this:

How can I protect against this?

If your system is vulnerable, consult your software vendor for mitigating measures or for the availability of an updated version of the software.

Additionally, you can use the following command-line flags to mitigate the vulnerability, for example in the Rampiva Execution Profile, or in a batch file used to start Nuix Workstation:

-Dlog4j2.formatMsgNoLookups=true -Dnuix.worker.jvm.arguments="-Dlog4j2.formatMsgNoLookups=true"

The first flag mitigates the vulnerability in the Nuix Workstation/Engine, and the second flag mitigates the vulnerability in the Nuix Workers. If you have multiple settings that need to be passed to the Workers (such as memory settings), add them to the second flag inside the quotes, for example:

-Dlog4j2.formatMsgNoLookups=true -Dnuix.worker.jvm.arguments="-Dlog4j2.formatMsgNoLookups=true -Xmx8g"

After applying these flags, run the sample script provided in this article to determine whether the vulnerability is still present.
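As an added example (not part of this Rampiva article), the following Python script checks a JVM argument string, as it would appear in an Execution Profile or a Nuix Workstation batch file, for the two flags above at both levels: the top-level Workstation/Engine flag and the flag nested inside the quoted value of -Dnuix.worker.jvm.arguments. The sample argument strings are constructed, and the quote handling is an assumption based on the examples in this article.

```python
"""Check that both Log4j mitigation flags from the article are present."""
import shlex

NO_LOOKUPS = "log4j2.formatMsgNoLookups"
WORKER_ARGS = "nuix.worker.jvm.arguments"


def system_properties(tokens):
    """Map -Dkey=value tokens to {key: value}; other tokens (e.g. -Xmx8g) are ignored."""
    props = {}
    for tok in tokens:
        if tok.startswith("-D") and "=" in tok:
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props


def check_mitigation(jvm_args):
    """Return {'engine': bool, 'workers': bool} for a JVM argument string.

    The Workstation/Engine flag is a top-level -D property. The Worker flag must sit
    inside the quoted value of -Dnuix.worker.jvm.arguments, which shlex returns as a
    single token once the quotes are stripped; that inner value is split and checked
    the same way. (shlex's POSIX mode treats backslashes as escapes, so Windows paths
    in the same string would need posix=False; only -D flags are inspected here.)
    """
    outer = system_properties(shlex.split(jvm_args))
    inner = system_properties(shlex.split(outer.get(WORKER_ARGS, "")))
    return {
        "engine": outer.get(NO_LOOKUPS, "").lower() == "true",
        "workers": inner.get(NO_LOOKUPS, "").lower() == "true",
    }


def unprotected_levels(jvm_args):
    """List the JVM levels still missing the flag; an empty list means both are set."""
    return [level for level, ok in check_mitigation(jvm_args).items() if not ok]


# Constructed sample argument strings (not taken from any real profile).
SAMPLES = {
    "no_flags": "-Xmx4g",
    "engine_only": "-Dlog4j2.formatMsgNoLookups=true -Xmx4g",
    "both": ('-Dlog4j2.formatMsgNoLookups=true '
             '-Dnuix.worker.jvm.arguments="-Dlog4j2.formatMsgNoLookups=true -Xmx8g"'),
    # Common mistake: the memory setting is inside the quotes but the flag is not,
    # so the Nuix Workers start without the mitigation.
    "flag_outside_quotes": ('-Dlog4j2.formatMsgNoLookups=true '
                            '-Dnuix.worker.jvm.arguments="-Xmx8g" '
                            '-Dlog4j2.formatMsgNoLookups=true'),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        missing = unprotected_levels(args)
        print(f"{name:20s} -> {'OK' if not missing else 'missing: ' + ', '.join(missing)}")
```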

Reporting a vulnerability

To report a vulnerability in a Rampiva product, see our Bug Bounty Program. If you are a client, you can also contact our customer support at support@rampiva.com or https://support.rampiva.com.

References

https://downloads.rampiva.com/automate/release/changelog.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://logging.apache.org/log4j/2.x/security.html