CVE-2021-45046 Log4Shell

What is CVE-2021-45046 (Log4Shell)?

In summary,

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

National Vulnerability Database

Is Cascade CMS affected by CVE-2021-45046 (Log4Shell)?

CVE-2021-45046 does not impact Cascade Cloud as of 3/8/2022, because the latest version of Log4j 2.x is in use which disables the affected JNDI functionality by default. 

Note that application logging configuration is not available within the application itself. It could only be customized with direct access to the application server.

On-premise distributions

On-premise distributions of Cascade CMS are also not impacted by default. We do not make use of the affected JNDI substitution in our distribution. That said, if Cascade CMS on-premise logging has been customized in any way, ensure the affected JNDI substitution is not being used.

Further mitigation

You can take the additional step of removing the affected class from the log4j jar file. You'll need to do this for each and every upgrade until another solution exists.

To do this:

  • Navigate to tomcat/webapps within the Cascade CMS home directory
  • You'll need to modify the log4j file not only in the unpacked ROOT directory but also in the bundled ROOT.war if it exists.
  • For the unpacked version:
    • Navigate to ROOT/WEB-INF/lib
    • With access to the zip tool, you can run:

      $ zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
      $ deleting: org/apache/logging/log4j/core/lookup/JndiLookup.class
      If you don't have access to zip, you'll need to use something like like the jar or unzip tool to unpack, remove the affected class and repack it.

  • For the version bundled in the WAR file:
    • Navigate to ROOT/WEB-INF/lib
    • Unpack the WAR file to a temp directory from the webapps directory:

      $ mkdir temp
      $ cd temp
      $ jar xzf ../ROOT.war
    • With access to the zip tool, you can run:

      $ zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
      $ deleting: org/apache/logging/log4j/core/lookup/JndiLookup.class
      If you don't have access to zip, you'll need to use something like like the jar tool to unpack, remove the affected class and repack it.

    • Repack the WAR file. From inside the temp directory:

      jar cvf ROOT.war *
    • Replace the older one ensuring that you maintain the original as backup. From webapps:

      rm ROOT.war
      mv temp/ROOT.war .
      rm -rf temp
  • Alternatively, if you haven't customized the unpacked WAR file, you can delete the entire ROOT directory, skip the first step and make the modifications to the ROOT.war only.

On-premise distributions older than 8.x

As was the case for CVE-2021-44228, CVE-2021-45046 does not impact on-premise distributions of Cascade CMS older than 8.x because message lookup substitution is not supported in our use of log4j.