
gthibaul

Aug 26, 2022, 10:49:00 AM
to AtoM Users
Hi,

We installed AtoM 2.6.4 on Ubuntu 18.4.6 last spring. We took into account the security concerns pertaining to the log4j vulnerability and followed the recommended fix (Security announcement - Log4j vulnerability, December 2021 - AtoM wiki (accesstomemory.org)), yet IT Central still flags the server as vulnerable to Log4Shell. Is there any explanation for this?

Thanks,

Ghislain

Dan Gillean

Aug 29, 2022, 11:35:00 AM
to ICA-AtoM Users
Hi Ghislain, 

According to our security developers, if your server is only running AtoM and you have removed the JndiLookup.class file as recommended on our wiki, then a security scan should not trigger a log4j vulnerability. Is it possible you have other applications that use Java (for example, logging / monitoring applications) installed on the server?

You could try doing a search across the server for other instances of that JndiLookup.class file. I'm not sure how other applications will handle having this file deleted, so if you find a second one from a different application install, I would suggest looking up the recommended mitigation instructions for that application and following those.  

If that's not the case then a bit more information would be helpful - what scanning tool are you using, and what exactly is the error being returned? Did you follow our recommended installation instructions, or have you made any changes (and if so, what)? Anything else about this installation or server that you think would help us better understand the context of this issue? Thanks in advance! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him



Jim McGrath (uOttawa)

Sep 21, 2022, 8:30:26 AM
to AtoM Users
We followed the recommended instructions during the configuration of the server. We did not make any additional alterations. The server is sole-use AtoM, with no other applications installed. Java is installed, as recommended. The security scanning tool that our central IT uses is Qualys; we don't do the scans, so I am unsure of the exact error it is producing other than that they said it was still vulnerable.

Dan Gillean

Sep 22, 2022, 4:34:12 PM
to ICA-AtoM Users
Hi Jim, 

I think it would be good to try to get more detailed information from your security team about this. It may really depend on the sophistication of the scanning tool - remember, the solution we recommend is not to fully remove Log4j (something that's not possible without also affecting Elasticsearch, from what I understand), but to delete the specific file that leads to the vulnerability. As such, if Qualys is merely throwing a flag because it detects a certain version of Log4j (which is my guess as to what's happening here), that is very different from it actually identifying a reproducible vulnerability.

It would be very helpful to learn more about exactly what the tool is reporting, so our security team can reproduce the issue and find another solution if required - most of the security tool output reports I've seen include steps to reproduce, specific paths/pages/inputs that were targeted, etc. Any further details you can provide would be welcome. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

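The two checks Dan describes, the search for other copies of JndiLookup.class in his first reply and the distinction between "a scanner saw an old log4j version" and "the exploitable class is still on disk" in his second, can be run as one audit. The script below is an added example, not code from the AtoM project, Artefactual or anyone in this thread. It walks a directory tree, opens every .jar/.war/.ear it finds (including jars nested inside a war, which a plain `find / -name 'log4j-core*'` would miss), and reports for each archive that contains log4j-core classes whether JndiLookup.class is still present and whether a version-only check would flag it anyway. The 2.17.1 threshold is an assumption about how version-only scanners behave, not a statement about Qualys, and the sample tree it builds under a temporary directory is constructed for the demo; on a real server you would point it at `/` with sudo.

```python
"""Audit archives for log4j-core and for the presence of JndiLookup.class.

Added example, not AtoM/Artefactual code. For each log4j-core archive it
reports (a) whether JndiLookup.class is still inside it and (b) whether a
version-only check (assumed threshold 2.17.1) would flag it regardless.
"""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_FIXED = (2, 17, 1)  # assumption: version-only checks flag anything older


def parse_version(text):
    """'log4j-core-2.11.1.jar' -> (2, 11, 1); None if no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, if the archive has one."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def audit_zip(zf, label):
    """Yield one finding per log4j-core archive in zf, recursing into nested archives."""
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        version = manifest_version(zf) or parse_version(os.path.basename(label))
        yield {"archive": label, "version": version,
               "jndi_present": JNDI_CLASS in names,
               "version_flagged": version is not None and version < VERSION_FIXED}
    for n in names:  # jars inside wars/ears are where a filesystem search stops short
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    yield from audit_zip(inner, f"{label}!{n}")
            except zipfile.BadZipFile:
                continue


def audit_tree(root):
    """Walk root, audit every archive found, return findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(audit_zip(zf, os.path.relpath(path, root)))
            except (zipfile.BadZipFile, OSError):
                continue
    return sorted(findings, key=lambda x: x["archive"])


def summarize(finding):
    """One line per archive with both verdicts side by side."""
    v = ".".join(map(str, finding["version"])) if finding["version"] else "unknown"
    by_class = ("JndiLookup.class present: exploitable" if finding["jndi_present"]
                else "JndiLookup.class removed: mitigated")
    by_version = "flagged" if finding["version_flagged"] else "not flagged"
    return f"{finding['archive']} (log4j-core {v}): {by_class}; version-only check: {by_version}"


def write_log4j_jar(target, version, with_jndi):
    """Constructed stand-in for a log4j-core jar; target is a path or a BytesIO."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def build_sample_tree(root):
    """Constructed fixture (not a real install): three places log4j-core can sit."""
    os.makedirs(os.path.join(root, "es", "lib"))
    os.makedirs(os.path.join(root, "other", "lib"))
    # Mitigated the way the AtoM wiki describes: class deleted, version unchanged.
    write_log4j_jar(os.path.join(root, "es", "lib", "log4j-core-2.11.1.jar"), "2.11.1", False)
    # A second application on the same box that nobody patched.
    write_log4j_jar(os.path.join(root, "other", "lib", "log4j-core-2.11.1.jar"), "2.11.1", True)
    # log4j-core bundled inside a war, invisible to a search for *.jar on disk.
    inner = io.BytesIO()
    write_log4j_jar(inner, "2.14.1", True)
    with zipfile.ZipFile(os.path.join(root, "other", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())


def run_demo():
    """Build the constructed fixture in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for finding in (audit_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()):
        print(summarize(finding))
```

On the constructed tree the first archive comes out as "JndiLookup.class removed: mitigated; version-only check: flagged", which is exactly the situation Dan suspects: a scanner keyed on the log4j-core version string still raises Log4Shell even though the class the exploit needs is gone. The other two findings show the cases the thread asks about, a second unpatched copy belonging to another application and one buried inside a war. Run it as `sudo python3 audit_log4j.py /` on the server and hand the output to the team that reads the Qualys report; a finding that says "present: exploitable" is a real problem, one that says only "version-only check: flagged" is a conversation about the scanner's detection method.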
Jim McGrath (uOttawa)

Sep 23, 2022, 3:43:59 PM
to AtoM Users
I am currently waiting for a response from our IT Security team about what Qualys is returning in its security scan for the server.