log4j(2) in BBB

[Tobias Fiebig]

Heho,

Just to doublecheck; Log4j2 is affected by CVE-2021-44228.

 

bbb-fsesl-client, bbb-common-web, and etherpad seem to have at least some integration.

 

Is BBB affected by CVE-2021-44228?

 

Met vriendelijke groet,

 

Dr.-Ing. Tobias Fiebig

Assistant Professor / Universitair Docent

TU Delft - Faculty of Technology, Policy and Management (TBM)

 

T +31 (0)15 27 85700

E  t.fi...@tudelft.nl

 

My working day may not be your working day. Please do not feel obliged to reply to this email outside of your normal working hours.

 

[Phill. Whiteside]

Hi,

one of the guys I know who keeps up to date with CVE's does not believe BBB is vulnerable to that issue.

Regards,

Phill.

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/110f85422a6d41c4a50d93fe8406f5eb%40tudelft.nl.

[Phill. Whiteside]

Hi,

an update... as the new version without this bug was only released on 6th December [1] having gone through it deeper with my fellow sysadmin the affected version is in a jar within docker, which means a rebuild of jar (/var/lib/docker/overlay2/xxxxxxx/diff/usr/share/java/log4j-1.2-1.2.17.jar). Greenlight is not affected, but those using LDAP as authentication will be. There are a couple of patches that are available until 2.15 hits the repos[2].

Regards,

Phill

1. https://logging.apache.org/log4j/2.x/changes-report.html

2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

[Ghazi TRIKI]

Hello,

I went through all logging dependencies and BigBlueButton Java applications are using logback. There is no "log4j-core-*" being used so far. BigBlueButton should not be affected by this CVE.

Thanks,

Ghazi

[Phill. Whiteside]

Hi Ghazi,

are you using LDAP for authentication, as the bug seems specifically linked to LDAP, hence the likes of Greenlight being unaffected with the default settings. The jar library may be there as a general "for everyone" but may only come into play with LDAP as it logs things in its own way if you choose LDAP authorisation[1]?  

Regards,

Phill.

1. https://docs.bigbluebutton.org/greenlight/gl-config.html#ldap-auth

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/bf3cfef7-f227-43b7-97e1-ee21f30a1c4cn%40googlegroups.com.

[Ghazi TRIKI]

Hi Phil,

The jar and the affected Java class are not in the BigBlueButton code for sure. Did you find it in a specific Java service?

Thanks,

Ghazi

[Phill. Whiteside]

Hi Ghazi,

thanks for the swift reply. I did some searches to find out where the log system could be. if you issue

locate log4j-1.2 | grep jar

it will let you know that it's in a docker container, as to if it is used? we did not establish that. That ubuntu mangle up release versions by adding their own stuff to the debian version does make the hunt more difficult, hence my stating that if in doubt and using LDAP, be aware. There are a couple of alternative fixes available until the 2.15 hits the repos. The bug report is quite clear that before 2.15, LDAP is vulnerable as is the fact 2.15 has just been released. 

Regards,

Phill.

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/07045a94-10ab-475b-a9c7-525d3edbf590n%40googlegroups.com.

[Steffen Moser]

When searching through our BBB-2.4-rc-7 server, there are two areas where I stumbled across log4j:

  /usr/share/bbb-web/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
  /usr/share/bbb-web/WEB-INF/lib/tomcat-embed-logging-log4j-8.5.2.jar

But there does not seem to be a "log4j-{VERSION}.jar", so I think we can carefully say that BBB itself is not affected, can't we?

Kind regards,
Steffen

[Phill. Whiteside]

Hi Steffen,

when I did the locate with grep it shows as being in a docker container as part of java that runs there. 

root@dev-bbb:~# locate log4j-1.2 | grep jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/java/log4j-1.2-1.2.17.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/java/log4j-1.2.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.jar

This points to it being there, although I repeat, if you are not using LDAP you have no concerns, if you are using LDAP then you need to review everything that is linked to the authorisation system with a view to manually patch or grab the latest log4j and install it, rebuild everything yourself. If you do a virgin install of rc-7 and it is not there, it would point to it having been there in an earlier rc and hanging around.

Regards,

Phill.

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/68850218-54dd-4667-99b9-0c825692f27bn%40googlegroups.com.

[Ghazi TRIKI]

Hello everyone,

I think this case is closed since the CVE mitigation is clearly mentioning "or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)". I have double checked all the transitive log4j dependencies yesterday, unzipped them and 100% sure that the class "JndiLookup" is not compiled with any of them. Only log4j-core-*.jar contains the " JndiLookup" class. BigBlueButton JVM applications are using logback for logging. I went looking further, even the bbb-lti does not have that class package.

@Phil, just a side note; the locate command you ran brings "maven-repo", I guess you are compiling BBB JVM apps, I don't want people to think BBB is concerned if they are doing so and bring any " log4j-core-*.jar" in the locate result when building other projects on their BBB machine 😊

Thanks,

Ghazi

[Emmy Graugans]

> just a side note; the locate command you ran brings "maven-repo", I guess you are compiling BBB JVM apps, I don't want people to think BBB is concerned if they are doing so and bring any " log4j-core-*.jar" in the locate result when building other projects on their BBB machine 😊

Well, we certainly never built a JVM-app on our BBB-Servers, yet we also have the "maven-repo" (and the other without that) within docker. In fact, we have three sets of these. My guess would be, that the files are part of the libreoffice-docker setup. (the files are present in both bbb2.3 setup and bbb2.4 setup.)

Greetings,

Emmy

[bayden10]

Hi all,

Please check and update if required with the Log4j Attack Surface Page here:

https://github.com/YfryTchsGD/Log4jAttackSurface

~b10

[Phill. Whiteside]

Hi Ghazi

Nope, we do not compile anything (well, not at the time of that email). The machine was a virgin 18.04 ubuntu server with 2.4 rc1 on it. Since then, it's had newer versions applied.

 If you do get chance to do a search on a clean rc7, that'd be of help. Our dev-bbb machine is now currently setup for a GreenLight issue that we do want to get resolved quickly[1].  As a part of testing, we have compiled a new version of GreenLight, so I cannot vouch to say it is a completely virgin install at present, but the first search pre-dates the re-compile that we carried out and could possibly be a hangover from an earlier rc ?).

Regards,

Phill.

1. https://github.com/bigbluebutton/greenlight/issues/3029

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/b0e0416b-bd29-4bd8-85f7-1108cbc3d09en%40googlegroups.com.

[Reimar Bauer]

Hi there,

sorry for getting back to this.

one of our scanners found a problem on one machine.

Path : /var/lib/docker/overlay2/6f3ce3c8ed71abcb2509a23eab19d5ddbbaa578d31233867cacf1e90fe060e79/diff/usr/share/maven-repo/org/
apache/ant/ant-apache-log4j/1.10.9/ant-apache-log4j-1.10.9.jar
Installed version : 1.10.9

stat of that file shows

Modify: 2021-04-17 12:45:12.000000000 +0000
Change: 2022-01-02 09:32:05.481735261 +0000

How can I get rid of that?

best regards

Reimar

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/CABmcvjh9Dpvv%3DBfmKTSeQWRzweUcveD9%3DHj_W%3DApeNQRjLgr1w%40mail.gmail.com.

[Reimar Bauer]

seems that overlay2 comes from a customized greenlight.

[Felipe Cecagno]

As far as I can tell, there's no Java code running on Greenlight.

--

   Felipe Cecagno

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/CADfaKO88APWQYCo7Hca-RzEDBEXbOfSSMx%3D%2B0-wP8uzaN2xosg%40mail.gmail.com.

[Fred Dixon]

Hi Reimar,

You can update the contents of

  /usr/share/bbb-libreoffice/docker/Dockerfile

with the following

FROM openjdk:11-jre-bullseye
ENV DEBIAN_FRONTEND noninteractive

RUN echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
RUN apt update && apt -y install locales-all fontconfig libxt6 libxrender1
RUN apt update && apt -y install -t bullseye-backports libreoffice && rm /usr/share/java/ant-apache-log4j-1.10.9.jar && rm /usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.9/ant-apache-log4j-1.10.9.jar

and run

cd /usr/share/bbb-libreoffice/docker
docker build -t bbb-soffice .

and then run the scan again and let us know if it still finds ant-apache-log4j-1.10.9.jar.  This will be in the upcoming 2.4.3 release.

Regards,... Fred

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/CANXxU75U3np5hD4b8OLs5c0GKXSgjJW4Fb%3DwMg1xwGRm9Lk0Zg%40mail.gmail.com.

--

BigBlueButton Developer

http://bigbluebutton.org/

Like BigBlueButton?  Tweet us at @bigbluebutton

[ReimarBauer]

Hi Felipe Cecagno

my mistake sorry. 

I removed old images by 
docker rmi `docker images -aq` 

applied fix/patch by Fred and wait now for the next scan result ;)

server still works, can convert odt docs, so I don't broke something else ;)

regards

Reimar

[Fred Dixon]

> server still works, can convert odt docs, so I don't broke something else ;)

Yeah, we don't think it's even used, but it's good to explicitly remove it nonetheless.

https://github.com/bigbluebutton/bigbluebutton/commit/e7773468fb45d86200ae28bdf8c39f4ba487cf88

To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/834d97dc-10df-4650-a5ad-018213d7012an%40googlegroups.com.