Critical vulnerability (Log4Shell) in the Java Log4j

Bernd Welter
Site Admin
Posts: 2574
Joined: Mon Apr 14, 2014 10:28 am

Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

Hi,

On Friday 09.12.21 a critical vulnerability (Log4Shell - CVE-2021-44228) in the widely used Java library Log4j was identified. According to the assessment of many authorities, this leads to an extremely critical threat situation, which is why, among others, the Federal Office for Information Security (BSI) in Germany has upgraded its existing cyber security warning to warning level red (see Common Vulnerabilities and Exposures and BSI).

The affected component is also used in some PTV products. This affects both customer installations and the cloud offering of PTV Group.

Concerning further technical questions, please contact your Product Support.
I also recommend subscribing to this topic's stream. I'll respond here whenever I get new info.

For further details check log4j-latest-information

And: subscribe to the product management DEV BLOG!

Thanks to Stephan for the quick statement!

Bernd
Bernd Welter
Technical Partner Manager Developer Components
PTV Logistics - Germany

Bernd at... The Forum,LinkedIn, Youtube, StackOverflow
I like the smell of PTV Developer in the morning... :twisted:

Re: Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

Here's another valuable post from the DEVBLOG - thanks to Haba for the quick info :)
As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework, we are working on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend using them as soon as they are available.

On short notice you can take the following measures to mitigate the zero-day exploit: Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS in your system to true.

Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. In case of using PTV xServer versions 2.0 to 2.6 you have to update them first.
Meanwhile I've been asked how to set the environment variable. I found this post on Stack Overflow. It offers several approaches:
  • Set system property log4j2.formatMsgNoLookups when you launch VM, passing as java -Dlog4j2.formatMsgNoLookups=true ... .
  • Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath - see log4j-core-*.jar.
Felix also mentioned this YouTube video - it shows how to apply the second approach on Windows environments.

Best regards,
Bernd
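As an added example (not code from this thread, from PTV or from the Stack Overflow post), here is an offline inventory check in Python that applies the three measures listed above to a log4j-core jar: it reads the version from the manifest (assumed to carry an Implementation-Version header), looks for JndiLookup.class in the archive, and checks whether the environment variable or the JVM property disables message lookups. The 2.17.0 baseline is simply the latest Log4j release this thread reports and is a parameter; the sample jar is constructed for testing only.

```python
# Added example (not PTV's code): offline check applying the three mitigations
# listed above to a log4j-core jar. Assumes an Implementation-Version header.
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PROP_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true(\s|$)")

def version_key(version):
    """Sort key so that '2.0-beta9' < '2.10.0' < '2.15.0' < '2.17.1'."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))               # pad '2.17' to (2, 17, 0)
    return tuple(nums) + ((0, pre) if pre else (1, ""))

def assess_jar(path, env=None, jvm_args="", fixed_min="2.17.0"):
    """Classify a jar as patched, mitigated or unmitigated; fixed_min
    defaults to 2.17.0, the latest Log4j release this thread reports."""
    env = os.environ if env is None else env
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        manifest = (jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = match.group(1) if match else None
    jndi_present = JNDI_CLASS in names
    lookups_off = (env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
                   or PROP_RE.search(jvm_args) is not None)
    if version and version_key(version) >= version_key(fixed_min):
        status = "patched"
    elif not jndi_present:
        status = "mitigated: JndiLookup.class removed"
    elif lookups_off:
        status = "mitigated: message lookups disabled"
    else:
        status = "unmitigated"
    return {"version": version, "jndi_present": jndi_present, "status": status}

def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar, for testing only."""
    path = os.path.join(tempfile.mkdtemp(), f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes
    return path
```

Run it against the real log4j-core-*.jar files on a server's classpath (and the JVM command line from the process list) to get a per-jar verdict before and after applying one of the measures.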

Re: Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

And another update from Haba:

PTV xServer 2.25.1 released to fix the Log4j zero-day exploit
The PTV xServer 2.25.1 is released! We fixed the Log4j zero-day exploit and integrated the security update Log4j 2.15.0. The same is true for the also released PTV Content Update Service 2.25.1.

Please check the corresponding release notes here.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area (login and license required)

The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.
And: We are already working on the also affected PTV xServer 1.34 and there will be a corresponding release in the next days. The PTV xServer 1.32 and older versions are not affected by this security issue.

Big thank you to all involved colleagues for your quick reaction solving this critical vulnerability!!!

Bernd

Re: Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

Next patch: xServer 1.34!!!

https://xserver.ptvgroup.com/forum/view ... =51&t=1517

Afaik: both xServer1 and xServer2 are now available with LOG4J 2.16.0 based integration.
No further actions planned for PTV DEV

Feel free to update your existing installation with one of those versions.

Bernd

Re: Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

And another patch is waiting for you...
Dear xServer Stakeholders,
The same procedure as every week … the PTV xServer 2.25.3 is released! We integrated the latest security update Log4j 2.17.0 and hopefully this is the last one to fix the current security issues in Log4j. And again the same is true for the just released PTV Content Update Service 2.25.3.

We are working on a similar bugfix release of PTV xServer 1.34 to also integrate there Log4j 2.17.0.

The on-premise solution can be found here:

Developer Zone (login required)

Regards, your transportation services teams

Re: Critical vulnerability (Log4Shell) in the Java Log4j

Post by Bernd Welter »

Cheers,

the topic seems to be hot - even in 2022. I've been asked by a customer:
Does PTV 1.34 with Log4j 2.17.0 use the JDBC Appender, and is the JNDI class not removed?
Here's what DEV told me about this (Thanks, Ellen!):
A default installation of an xServer does use the JDBC appender. This only happens if the customer's administrator enables database logging.
Currently (3.1.2022) we have integrated Log4J 2.17.0 into the releases provided recently. Apache released a new Log4J version 2.17.1 on December 28th (check CVE-2021-44832). Further info is available at
We will keep an eye on this. Please stay subscribed ;-)

Bernd