Our response to Log4J zero-day vulnerability
In this post we summarise our considerations regarding the infamous Log4Shell vulnerability, tracked as CVE-2021-44228. Understanding of the vulnerability is still evolving and the reports are being updated; we are monitoring them closely and adapting as needed. The following information is based on our current understanding of the vulnerability and will be updated as new information is released.
A quick status of our products
Most important information first: following our own investigation, as well as our understanding of the reported vulnerability, the situation is as follows:
- GeoServer, GeoWebCache and MapStore are not vulnerable to CVE-2021-44228, since they use Log4J rather than Log4J2
- GeoFence versions from 3.3.0 onwards are not vulnerable to CVE-2021-44228, since they use Log4J rather than Log4J2; GeoFence versions older than 3.3.0 are vulnerable, since they use Log4J2
- GeoNetwork is vulnerable to CVE-2021-44228, since it uses Log4J2
If you are running a version of GeoFence older than 3.3.0, we recommend upgrading to a more recent GeoFence version. If you are running a vulnerable version of GeoNetwork, we provide more information below.
Even if you are using versions that are not vulnerable to the Log4Shell vulnerability, keep reading, since there is other important information we want to share.
It is crucial to understand that Log4J and Log4J2 are not the same library: the 2 in the name is not just a version number; Log4J2 is a full rewrite of Log4J. As a consequence, Log4J is not vulnerable in the way reported in CVE-2021-44228: our current understanding is that it cannot be made to perform remote code execution simply by crafting an appropriate HTTP request.
However, Log4J 1.2 has a couple of smaller vulnerabilities that might be exploited. It is important to note that the default Log4J configuration is not prone to them (you would have to be using JMS to ship logs, or the Socket classes in some way), and an attacker would need to modify the Log4J logging configuration files in order to trigger them. In any case, below we provide information on how to protect yourself even from these vulnerabilities.
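Two checks follow from the distinction above: which Log4J generation a deployment actually bundles, and whether a Log4J 1.2 configuration enables the JMS or socket appenders that the non-default cases rely on. The script below is an added example, not GeoSolutions code; it assumes the usual Maven jar naming (`log4j-1.2.x.jar` for Log4J, `log4j-core-2.x.jar` for Log4J2) and a standard `log4j.properties` layout, and runs against a constructed sample webapp tree rather than a real GeoServer or GeoNetwork install.

```python
import re
import tempfile
from pathlib import Path

# Jar name patterns: log4j-core-2.x.jar is Log4J2 (the CVE-2021-44228 library),
# log4j-1.2.x.jar is the older Log4J line discussed in this post.
LOG4J2_JAR = re.compile(r"^log4j-core-2\.\d+(\.\d+)*\.jar$")
LOG4J1_JAR = re.compile(r"^log4j-1\.2(\.\d+)*\.jar$")
# Log4J 1.2 appenders that only matter when explicitly configured.
RISKY_APPENDERS = (
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.net.SocketAppender",
)

def classify_jars(root):
    """Walk a deployed webapp and report which Log4J generation(s) it bundles."""
    found = {"log4j2": [], "log4j1": []}
    for jar in Path(root).rglob("*.jar"):
        if LOG4J2_JAR.match(jar.name):
            found["log4j2"].append(jar.name)
        elif LOG4J1_JAR.match(jar.name):
            found["log4j1"].append(jar.name)
    return found

def risky_log4j1_appenders(properties_text):
    """Return (name, class) pairs for appenders that use JMS or socket classes."""
    hits = []
    for line in properties_text.splitlines():
        m = re.match(r"\s*log4j\.appender\.(\w+)\s*=\s*(\S+)", line)
        if m and m.group(2) in RISKY_APPENDERS:
            hits.append((m.group(1), m.group(2)))
    return hits

def build_sample():
    """Constructed WEB-INF/lib tree with one jar of each kind (hypothetical names)."""
    root = Path(tempfile.mkdtemp())
    lib = root / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for name in ("log4j-1.2.17.jar", "log4j-core-2.14.1.jar", "other-lib-1.0.jar"):
        (lib / name).touch()
    return root

# Constructed log4j.properties that enables the non-default JMS appender.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    print(classify_jars(build_sample()))
    print(risky_log4j1_appenders(SAMPLE_PROPERTIES))
```

A deployment that reports only `log4j1` jars and no risky appenders is in the default Log4J 1.2 situation described above; any `log4j2` hit is the case CVE-2021-44228 applies to.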
Complete status of products with detailed guidance
Below we provide a complete status update on our products with respect to the vulnerabilities of both Log4J and Log4J2. You can access the live version of the report here.
What if I am using Docker?
As far as GeoSolutions Docker images are concerned, if you are using them as a base for your custom image by adding a customized GeoServer or MapStore WAR file on top of them, you should patch the WAR as stated above and rebuild the image. If instead you are just pulling the Docker images from Docker Hub and using them without any customization, we are going to release updated images for all the relevant products shortly.
Free help to everybody!
Our technical leads Lorenzo Natali (MapStore), Emanuele Tajariol (GeoNetwork), Alessio Fabiani (GeoNode), Andrea Aime and Nuno Oliveira (GeoServer) will be online and willing to help, free of charge, anyone who needs clarifications this Friday, the 17th, from 2:30 pm CET / 8:30 am EST to 7 pm CET / 1 pm EST. You can book a free 15-minute appointment using this calendar to run a quick assessment.
Some final words
Such a well-known vulnerability has caused many organizations to react immediately (security first) and seek guidance. Our corporate emails have been flooded by requests for help and guidance from a number of organizations. While we understand that this is part of our Open Source commitment and we are happy to carry the burden, it is important to stress that at GeoSolutions we have created a complete offering to cover the need for professional services supporting the implementation, deployment and maintenance of platforms based on open source geospatial products. It includes:
If your organization is using open source products like GeoServer, MapStore, GeoNode and GeoNetwork, it is probably time to consider purchasing a subscription plan or an enterprise support plan, to partner with the experts and support the products' evolution.
We are also actively building a global network of certified partners of excellence who will leverage their technical capability and expertise to fill this gap and bring their skills and offering to the next level. For more information visit the current partners page.
The GeoSolutions team,