
I have some issues porting an application running in a JBoss 7.1 environment from log4j to log4j2.

I have ported my software to log4j2 (2.17.1), but that is not enough. I understand that JBoss configuration changes, which are not so simple, are needed to get the applications to run correctly and write log data to the correct log files.

Do you have any hints to help me?

Based on what I read on the Redhat portal [customer access only] I wonder if a port for front-end applications is necessary.

No version of JBoss EAP 6.x/7.x is vulnerable to CVE-2021-44228 currently thanks to the usage of JBoss Logging framework instead of Log4J. Please refer to the security bulletin - RHSB-2021-009 for further information on this vulnerability and impacted Red Hat products. [...] EAP 7.x's log manager does port in log4j JMSAppender code so is similarly impacted by CVE-2021-4104 with enabled JMSAppenders. But in further reviewing this vulnerability, we have determined this can only be considered a true vulnerability when the attacker has write access to the Log4j configuration to add a JMSAppender to the attacker's JMS Broker.

  • As I understand it, the Log4J vuln could be made safe without upgrading it, by turning off a facility that could pull in remote code (and thus perform a remote code execution). If you have found that you are running a vulnerable library, could you just throw this switch? – halfer Feb 08 '22 at 19:20
  • The switch should be something like {nolookup} in the correct line of the JBoss log configuration file. But I would like to understand if I can act in other ways to make the best choice. I was asked not to change the JBoss configurations, the latter being a request that is certainly impossible. – SJB Feb 09 '22 at 14:28

1 Answer

JBoss EAP 7.1 is not vulnerable or affected by this CVE. This version of JBoss EAP does not include log4j 2. JBoss EAP 7.4 does include the log4j-api, but does not include log4j-core and therefore it is also not vulnerable.

In short JBoss EAP is not vulnerable and there is nothing in its configuration you need to change.

  • From your answer I understand that it isn't necessary to change the configuration of JBoss EAP 7.1. I wonder if the applications and servlets that run under JBoss but which include log4j.jar (version 1.x) are instead at risk of various CVEs. At this point I think it is best to port all applications and servlets to use commons-logging and leave the use of log4j to JBoss. Am I wrong? – SJB Feb 10 '22 at 06:27
  • I don't recall exactly, but I don't think any components in JBoss EAP use log4j. If they do, they definitely do not configure the log manager nor use any specific appenders. I do think it's a good idea to use a logging facade like SLF4J or jboss-logging. However, using log4j loggers is safe. It's configuring appenders that exposes the CVEs. – James R. Perkins Feb 10 '22 at 13:53
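The answer and its comments reduce the question to two checks an operator can run over a deployment tree: which log4j jars are actually bundled with each application (log4j 1.x, log4j-api only, or log4j-core), and whether any log4j 1.x configuration declares a JMSAppender, since that is the condition the Red Hat bulletin quoted in the question attaches to CVE-2021-4104. The script below is an added example, not code from the question, the answer or Red Hat; it uses 2.17.1 (the version the asker ported to) as the assumed baseline for log4j-core, and the sample configuration files and jar names it scans are constructed here.

```python
import os
import re
import tempfile

# Assumed baseline for log4j-core 2.x: 2.17.1, the version the question ported to.
SAFE_CORE_VERSION = (2, 17, 1)

# Matches log4j-1.2.17.jar, log4j-api-2.17.1.jar, log4j-core-2.14.1.jar
JAR_RE = re.compile(r"^log4j(?:-(core|api))?-(\d+(?:\.\d+)*)\.jar$")

# log4j 1.x properties form: log4j.appender.<name>=org.apache.log4j.net.JMSAppender
PROPS_JMS_RE = re.compile(
    r"^\s*log4j\.appender\.([\w.-]+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$", re.M)
# log4j 1.x XML form: <appender name="..." class="org.apache.log4j.net.JMSAppender">
# (\b also matches <appender-ref ...>, which is harmless: it carries no class attribute)
APPENDER_TAG_RE = re.compile(r"<appender\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample configurations for the demonstration below.
SAMPLE_PROPS = """log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""
SAMPLE_XML = """<log4j:configuration>
  <appender class="org.apache.log4j.net.JMSAppender" name="JMS"/>
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><appender-ref ref="console"/></root>
</log4j:configuration>
"""


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def classify_jar(filename):
    """Return (kind, version, note) for a log4j jar name, or None for other jars."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    flavour, version = m.group(1), parse_version(m.group(2))
    if version[0] == 1:
        return ("log4j1", version,
                "log4j 1.x: exposure to CVE-2021-4104 requires a configured JMSAppender")
    if flavour == "api":
        return ("log4j2-api", version,
                "log4j-api without log4j-core: not affected by CVE-2021-44228")
    if flavour == "core":
        if version < SAFE_CORE_VERSION:
            return ("log4j2-core", version, "log4j-core older than 2.17.1: upgrade")
        return ("log4j2-core", version, "log4j-core 2.17.1 or newer")
    return ("unknown", version, "unrecognised log4j artifact: inspect manually")


def find_jms_appenders(config_text):
    """Names of JMSAppenders declared in log4j 1.x properties or XML text."""
    names = set(PROPS_JMS_RE.findall(config_text))
    for tag in APPENDER_TAG_RE.findall(config_text):
        attrs = dict(ATTR_RE.findall(tag))
        if attrs.get("class") == "org.apache.log4j.net.JMSAppender":
            names.add(attrs.get("name", "<unnamed>"))
    return sorted(names)


def scan_tree(root):
    """Walk a deployment tree; report log4j jars and configs declaring a JMSAppender."""
    report = {"jars": [], "jms_appenders": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            jar = classify_jar(name)
            if jar:
                report["jars"].append((os.path.relpath(path, root),) + jar)
            elif name.endswith((".properties", ".xml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_jms_appenders(fh.read())
                if found:
                    report["jms_appenders"][os.path.relpath(path, root)] = found
    report["jars"].sort()
    return report


def build_sample_tree():
    """Create a constructed deployment layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    layout = {
        "app1.war/WEB-INF/lib/log4j-1.2.17.jar": "",
        "app1.war/WEB-INF/classes/log4j.properties": SAMPLE_PROPS,
        "app2.war/WEB-INF/lib/log4j-api-2.17.1.jar": "",
        "app2.war/WEB-INF/lib/slf4j-api-1.7.36.jar": "",
        "app3.war/WEB-INF/lib/log4j-core-2.14.1.jar": "",
        "app3.war/WEB-INF/classes/log4j.xml": SAMPLE_XML,
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for rel, kind, version, note in result["jars"]:
        print(f"{rel}: {kind} {'.'.join(map(str, version))} - {note}")
    for rel, names in result["jms_appenders"].items():
        print(f"{rel}: JMSAppender configured as {', '.join(names)}")
```

Jar names alone are only a first pass: a shaded or renamed jar hides the version, so a thorough inventory also opens each jar and reads the log4j `META-INF` metadata. The XML check only handles the log4j 1.x configuration format; log4j 2 configurations use different element names and are out of scope here.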