CVE-2021-4104

What is CVE-2021-4104

In summary,

A flaw was found in the Java logging library Apache Log4j in version 1.x . This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender. This flaw has been filed for Log4j 1.x, the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228

RedHat Customer Portal

Is Cascade CMS affected by CVE-2021-4104?

CVE-2021-4104 does not impact Cascade Cloud as of 3/8/2022 or on-premise Cascade CMS 8.20, because the latest version of Log4j 2.x is in use and is therefore not impacted by this particular vulnerability.

Note that application logging configuration is not available within the application itself. It could only be customized with direct access to the application server.

On-premise distributions older than Cascade CMS 8.20

On-premise distributions of Cascade CMS are also not impacted by default. We do not make use of the affected JMSAppender in our distribution. That said, if Cascade CMS on-premise logging has been customized in any way, ensure the affected JMSAppender is not being used.

Further mitigation

You can take the additional step of removing the affected class from the log4j jar file. You'll need to do this for each and every upgrade until another solution exists.

To do this:

  • Navigate to tomcat/webapps within the Cascade CMS home directory
  • You'll need to modify the log4j file not only in the unpacked ROOT directory but also in the bundled ROOT.war if it exists.
  • For the unpacked version:
    • Navigate to ROOT/WEB-INF/lib
    • With access to the zip tool, you can run:

      $ zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
      $ deleting: org/apache/log4j/net/JMSAppender.class
      If you don't have access to zip, you'll need to use something like like the jar or unzip tool to unpack, remove the affected class and repack it.

  • For the version bundled in the WAR file:
    • Navigate to ROOT/WEB-INF/lib
    • Unpack the WAR file to a temp directory from the webapps directory:

      $ mkdir temp
      $ cd temp
      $ jar xzf ../ROOT.war
    • With access to the zip tool, you can run: 

      $ zip -d WEB-INF/lib/log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
      $ deleting: org/apache/log4j/net/JMSAppender.class
      If you don't have access to zip, you'll need to use something like like the jar tool to unpack, remove the affected class and repack it.

    • Repack the WAR file. From inside the temp directory:

      jar cvf ROOT.war *
    • Replace the older one ensuring that you maintain the original as backup. From webapps:

      rm ROOT.war
      mv temp/ROOT.war .
      rm -rf temp
  • Alternatively, if you haven't customized the unpacked WAR file, you can delete the entire ROOT directory, skip the first step and make the modifications to the ROOT.war only.

This vulnerability is a less serious variation of the CVE-2021-44228 which is also mitigated in Cascade CMS.