Open Enterprise Server 2023+ (OES 2023+)
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
CVE-2019-17571: Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data; when it listens for log data on untrusted network traffic, this can be combined with a deserialization gadget to remotely execute arbitrary code.
NURM is not vulnerable to these CVEs, since it uses reload4j. NURM uses /opt/novell/storm/webframework/webapps/storm/WEB-INF/lib/log4j-1.2.17.jar, which is actually reload4j even though the filename says log4j. The novell-nurm-web rpm copies this file from /usr/share/java/log4j12/log4j-1.2.17.jar in its post-install script:

# rpm -q novell-nurm-web --scripts
postinstall scriptlet (using /bin/sh):
...
STORM_LIB="/var/opt/novell/tomcat/webapps/storm/WEB-INF/lib"
...
if [ -f /usr/share/java/log4j12/log4j-1.2.17.jar ]
then
    cp /usr/share/java/log4j12/log4j-1.2.17.jar $STORM_LIB/
fi
...
/usr/share/java/log4j12/log4j-1.2.17.jar is installed by the reload4j rpm and is a symlink to reload4j.jar:

# ll /usr/share/java/log4j12/log4j-1.2.17.jar
lrwxrwxrwx 1 root root 24 Feb 25  2023 /usr/share/java/log4j12/log4j-1.2.17.jar -> ../reload4j/reload4j.jar
So, NURM is using reload4j, which is not vulnerable to these CVEs.
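The article's argument rests on one fact: a jar whose filename says log4j-1.2.17 is really reload4j. The following Python script is an added example (not part of this article or of NURM) that automates that check for any path: it resolves symlinks the way the `ll` output above shows, reads the jar's META-INF/MANIFEST.MF, and reports whether the classes named in the two CVEs (JMSAppender and SocketServer) are present. The fixture it builds is constructed to mirror the article's symlink layout; the manifest line "Implementation-Title: reload4j" and the idea that a reload4j build carries "reload4j" somewhere in its manifest or resolved filename are assumptions, so on a real host treat the manifest check as a hint and the class listing as the stronger signal.

```python
import os
import tempfile
import zipfile

# Class files behind the two CVEs cited in the article (standard log4j 1.2 package paths).
SUSPECT_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
)


def inspect_jar(path):
    """Resolve symlinks, read the manifest and report which CVE-relevant classes exist.

    Returns a dict with the resolved path, a best-effort "looks like reload4j" flag
    (assumption: reload4j identifies itself in the manifest or via its filename),
    and the sorted list of suspect classes actually present in the archive.
    """
    real = os.path.realpath(path)  # follows log4j-1.2.17.jar -> ../reload4j/reload4j.jar
    with zipfile.ZipFile(real) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    looks_like_reload4j = (
        "reload4j" in manifest.lower()
        or os.path.basename(real).startswith("reload4j")
    )
    present = sorted(c for c in SUSPECT_CLASSES if c in names)
    return {
        "resolved": real,
        "reload4j": looks_like_reload4j,
        "cve_classes_present": present,
    }


def build_fixture(root):
    """Constructed directory tree mimicking the article's /usr/share/java layout.

    Creates log4j12/log4j-1.2.17.jar as a relative symlink to reload4j/reload4j.jar
    and a second, stand-alone legacy jar that still ships the CVE classes.
    Returns (symlink_path, legacy_jar_path).
    """
    os.makedirs(os.path.join(root, "reload4j"))
    os.makedirs(os.path.join(root, "log4j12"))

    # Constructed reload4j jar: manifest content is an assumption, not copied from the real jar.
    reload_jar = os.path.join(root, "reload4j", "reload4j.jar")
    with zipfile.ZipFile(reload_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Title: reload4j\n")
        zf.writestr("org/apache/log4j/Logger.class", b"")
    link = os.path.join(root, "log4j12", "log4j-1.2.17.jar")
    os.symlink("../reload4j/reload4j.jar", link)

    # Constructed legacy log4j 1.2 jar that still carries the two suspect classes.
    legacy_jar = os.path.join(root, "legacy-log4j-1.2.17.jar")
    with zipfile.ZipFile(legacy_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Title: log4j\n")
        for cls in SUSPECT_CLASSES:
            zf.writestr(cls, b"")
    return link, legacy_jar


def demo():
    """Build the fixture in a temp dir and inspect both jars; returns both reports."""
    with tempfile.TemporaryDirectory() as root:
        link, legacy = build_fixture(root)
        return inspect_jar(link), inspect_jar(legacy)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real OES host you would call `inspect_jar` on the path the article names under WEB-INF/lib and on /usr/share/java/log4j12/log4j-1.2.17.jar; an empty `cve_classes_present` list together with a resolved path under the reload4j directory is the evidence the article's `ll` output provides, captured in a form you can keep with your vulnerability-management records.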