log4j(2) in BBB


Tobias Fiebig

Dec 10, 2021, 11:24:44 AM
to bigblueb...@googlegroups.com

Heho,

Just to double-check: Log4j2 is affected by CVE-2021-44228.

bbb-fsesl-client, bbb-common-web, and etherpad seem to have at least some integration.

Is BBB affected by CVE-2021-44228?

Kind regards,

Dr.-Ing. Tobias Fiebig
Assistant Professor / Universitair Docent
TU Delft - Faculty of Technology, Policy and Management (TBM)

T +31 (0)15 27 85700
t.fi...@tudelft.nl

My working day may not be your working day. Please do not feel obliged to reply to this email outside of your normal working hours.


Phill. Whiteside

Dec 10, 2021, 11:39:17 AM
to bigblueb...@googlegroups.com
Hi,

One of the guys I know who keeps up to date with CVEs does not believe BBB is vulnerable to that issue.

Regards,
Phill.

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/110f85422a6d41c4a50d93fe8406f5eb%40tudelft.nl.

Phill. Whiteside

Dec 10, 2021, 1:33:43 PM
to bigblueb...@googlegroups.com
Hi,

An update... As the new version without this bug was only released on 6th December [1], having gone through it deeper with my fellow sysadmin, the affected version is in a jar within docker, which means a rebuild of the jar (/var/lib/docker/overlay2/xxxxxxx/diff/usr/share/java/log4j-1.2-1.2.17.jar). Greenlight is not affected, but those using LDAP as authentication will be. There are a couple of patches that are available until 2.15 hits the repos [2].

Regards,
Phill

Ghazi TRIKI

Dec 10, 2021, 2:13:20 PM
to BigBlueButton-dev
Hello,

I went through all logging dependencies and BigBlueButton Java applications are using logback. There is no "log4j-core-*" being used so far. BigBlueButton should not be affected by this CVE.

Thanks,
Ghazi

Phill. Whiteside

Dec 10, 2021, 3:23:48 PM
to bigblueb...@googlegroups.com
Hi Ghazi,

Are you using LDAP for authentication? The bug seems specifically linked to LDAP, hence the likes of Greenlight being unaffected with the default settings. The jar library may be there as a general "for everyone" but may only come into play with LDAP, as it logs things in its own way if you choose LDAP authorisation [1]?

Regards,
Phill.

Ghazi TRIKI

Dec 10, 2021, 3:26:08 PM
to BigBlueButton-dev
Hi Phil,

The jar and the affected Java class are not in the BigBlueButton code for sure. Did you find it in a specific Java service?

Thanks,
Ghazi

Phill. Whiteside

Dec 10, 2021, 3:35:33 PM
to bigblueb...@googlegroups.com
Hi Ghazi,

Thanks for the swift reply. I did some searches to find out where the log system could be. If you issue

locate log4j-1.2 | grep jar

it will let you know that it's in a docker container; as to whether it is used, we did not establish that. That Ubuntu mangles up release versions by adding their own stuff to the Debian version does make the hunt more difficult, hence my stating that if in doubt and using LDAP, be aware. There are a couple of alternative fixes available until 2.15 hits the repos. The bug report is quite clear that before 2.15, LDAP is vulnerable, as is the fact that 2.15 has just been released.

Regards,
Phill.

Steffen Moser

Dec 11, 2021, 4:49:19 AM
to BigBlueButton-dev
When searching through our BBB-2.4-rc-7 server, there are two areas where I stumbled across log4j:

  /usr/share/bbb-web/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
  /usr/share/bbb-web/WEB-INF/lib/tomcat-embed-logging-log4j-8.5.2.jar

But there does not seem to be a "log4j-{VERSION}.jar", so I think we can carefully say that BBB itself is not affected, can't we?

Kind regards,
Steffen

Phill. Whiteside

Dec 11, 2021, 5:52:37 AM
to bigblueb...@googlegroups.com
Hi Steffen,

When I did the locate with grep, it shows as being in a docker container as part of the Java that runs there.

root@dev-bbb:~# locate log4j-1.2 | grep jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/java/log4j-1.2-1.2.17.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/java/log4j-1.2.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.jar
/var/lib/docker/overlay2/xxxxxxxxx/diff/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.jar

This points to it being there, although I repeat, if you are not using LDAP you have no concerns, if you are using LDAP then you need to review everything that is linked to the authorisation system with a view to manually patch or grab the latest log4j and install it, rebuild everything yourself. If you do a virgin install of rc-7 and it is not there, it would point to it having been there in an earlier rc and hanging around.

Regards,
Phill.

Ghazi TRIKI

Dec 11, 2021, 8:55:09 AM
to BigBlueButton-dev
Hello everyone,

I think this case is closed since the CVE mitigation is clearly mentioning "or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)". I have double-checked all the transitive log4j dependencies yesterday, unzipped them, and am 100% sure that the class "JndiLookup" is not compiled into any of them. Only log4j-core-*.jar contains the "JndiLookup" class. BigBlueButton JVM applications are using logback for logging. I went looking further; even the bbb-lti does not have that class package.

@Phil, just a side note: the locate command you ran brings up "maven-repo", so I guess you are compiling BBB JVM apps. I don't want people to think BBB is concerned if they are doing so and bring up any "log4j-core-*.jar" in the locate result when building other projects on their BBB machine 😊

Thanks,
Ghazi
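The check Ghazi describes (unzip every jar and look for org/apache/logging/log4j/core/lookup/JndiLookup.class) is what distinguishes the jars seen in this thread: the log4j-over-slf4j bridge and log4j 1.2.17 never contain that class, an unpatched log4j-core 2.x jar does, and a jar that had the class removed with `zip -q -d` no longer does. The scanner below is an added example (not BigBlueButton's or the list's own code) that automates that check, recursing into jars nested in war/ear files so a bundled copy is not missed; it can be pointed at a host path or at an exported container filesystem. The file names and jar contents it builds in `build_fixture` are constructed dummies for demonstration, not real artifacts.

```python
"""Recursive JndiLookup.class scanner (added example; not BigBlueButton code)."""
import io
import os
import tempfile
import zipfile

# Only log4j-core 2.x ships this class; log4j 1.x jars and the
# log4j-over-slf4j bridge never contain it, so they are not flagged.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive_bytes(data, label):
    """Return labels of every JndiLookup.class inside the archive `data`,
    descending into nested archives (jar-in-war, jar-in-ear)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container: nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_EXT):
                hits.extend(scan_archive_bytes(zf.read(name), f"{label}!{name}"))
    return hits


def scan_tree(root):
    """Walk `root` (a host path or an exported container filesystem) and
    return sorted hits labelled with paths relative to root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive_bytes(fh.read(), os.path.relpath(path, root)))
    return sorted(hits)


def _write_jar(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_fixture(root):
    """Construct a sample tree with the jar kinds discussed in the thread
    (file names are constructed, class contents are dummy bytes)."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    # bridge jar: only org.apache.log4j API shims, no log4j-core classes
    _write_jar(os.path.join(root, "lib", "log4j-over-slf4j-1.7.25.jar"),
               {"org/apache/log4j/Logger.class": stub})
    # log4j 1.x: predates the JNDI lookup entirely
    _write_jar(os.path.join(root, "java", "log4j-1.2.17.jar"),
               {"org/apache/log4j/Logger.class": stub})
    # unpatched log4j-core 2.x: contains the class
    core = {"org/apache/logging/log4j/core/Logger.class": stub, JNDI_CLASS: stub}
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), core)
    # the same jar after `zip -q -d ... JndiLookup.class`: no longer flagged
    patched = {k: v for k, v in core.items() if k != JNDI_CLASS}
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1-patched.jar"), patched)
    # a war bundling the unpatched core jar one level down
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in core.items():
            zf.writestr(name, data)
    _write_jar(os.path.join(root, "app.war"),
               {"WEB-INF/lib/log4j-core-2.14.1.jar": buf.getvalue()})


def demo():
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("FOUND", hit)
```

Running `demo()` flags only the unpatched log4j-core jar and its nested copy inside the war; the bridge jar, the 1.2.17 jar and the class-stripped jar are silent, which is the same conclusion Ghazi reached by unzipping the dependencies by hand. To check a container image the same way, export its filesystem (for example with `docker export` into a directory) and call `scan_tree` on that directory instead of on the overlay2 paths that `locate` returns.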

Emmy Graugans

Dec 13, 2021, 2:23:34 PM
to BigBlueButton-dev
> just a side note: the locate command you ran brings up "maven-repo", so I guess you are compiling BBB JVM apps. I don't want people to think BBB is concerned if they are doing so and bring up any "log4j-core-*.jar" in the locate result when building other projects on their BBB machine 😊

Well, we certainly never built a JVM app on our BBB servers, yet we also have the "maven-repo" (and the other one without that) within docker. In fact, we have three sets of these. My guess would be that the files are part of the libreoffice-docker setup. (The files are present in both the bbb 2.3 setup and the bbb 2.4 setup.)

Greetings,
Emmy

bayden10

Dec 13, 2021, 9:41:38 PM
to BigBlueButton-dev
Hi all,

Please check and update if required with the Log4j Attack Surface Page here:

~b10

Phill. Whiteside

Dec 17, 2021, 4:28:00 PM
to bigblueb...@googlegroups.com
Hi Ghazi

Nope, we do not compile anything (well, not at the time of that email). The machine was a virgin 18.04 Ubuntu server with 2.4 rc1 on it. Since then, it has had newer versions applied.
If you do get a chance to do a search on a clean rc7, that'd be of help. Our dev-bbb machine is currently set up for a GreenLight issue that we do want to get resolved quickly [1]. As a part of testing, we have compiled a new version of GreenLight, so I cannot vouch that it is a completely virgin install at present, but the first search pre-dates the re-compile that we carried out and could possibly be a hangover from an earlier rc?

Regards,
Phill.

Reimar Bauer

Feb 9, 2022, 8:48:51 AM
to bigblueb...@googlegroups.com
Hi there,
sorry for getting back to this.

One of our scanners found a problem on one machine.

Path : /var/lib/docker/overlay2/6f3ce3c8ed71abcb2509a23eab19d5ddbbaa578d31233867cacf1e90fe060e79/diff/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.9/ant-apache-log4j-1.10.9.jar
Installed version : 1.10.9

stat of that file shows

Modify: 2021-04-17 12:45:12.000000000 +0000
Change: 2022-01-02 09:32:05.481735261 +0000

How can I get rid of that?

best regards
Reimar

Reimar Bauer

Feb 9, 2022, 9:30:04 AM
to bigblueb...@googlegroups.com
Seems that overlay2 comes from a customized greenlight.


Felipe Cecagno

Feb 9, 2022, 10:24:19 AM
to bigblueb...@googlegroups.com
As far as I can tell, there's no Java code running on Greenlight.

--
Felipe Cecagno


Fred Dixon

Feb 9, 2022, 12:17:55 PM
to BigBlueButton-dev
Hi Reimar,

You can update the contents of

  /usr/share/bbb-libreoffice/docker/Dockerfile

with the following

FROM openjdk:11-jre-bullseye
ENV DEBIAN_FRONTEND noninteractive

RUN echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
RUN apt update && apt -y install locales-all fontconfig libxt6 libxrender1
RUN apt update && apt -y install -t bullseye-backports libreoffice && rm /usr/share/java/ant-apache-log4j-1.10.9.jar && rm /usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.9/ant-apache-log4j-1.10.9.jar

and run

cd /usr/share/bbb-libreoffice/docker
docker build -t bbb-soffice .

and then run the scan again and let us know if it still finds ant-apache-log4j-1.10.9.jar. This will be in the upcoming 2.4.3 release.

Regards,... Fred

--
BigBlueButton Developer

Like BigBlueButton? Tweet us at @bigbluebutton

ReimarBauer

Feb 9, 2022, 1:18:03 PM
to BigBlueButton-dev
Hi Felipe Cecagno,

my mistake, sorry.

I removed old images by
docker rmi `docker images -aq`

applied the fix/patch by Fred, and now wait for the next scan result ;)

The server still works and can convert odt docs, so I didn't break something else ;)

regards
Reimar

Fred Dixon

Feb 9, 2022, 1:24:11 PM
to BigBlueButton-dev
> The server still works and can convert odt docs, so I didn't break something else ;)

Yeah, we don't think it's even used, but it's good to explicitly remove it nonetheless.
