
Knowledge Document: log4j vulnerabilities related to OES User Rights Map (NURM)


Environment

Open Enterprise Server 2023+ (OES 2023+)
 

Summary

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data.
 

Resolution

NURM is not vulnerable to these CVEs, because it uses reload4j rather than the original Log4j 1.2. NURM loads /opt/novell/storm/webframework/webapps/storm/WEB-INF/lib/log4j-1.2.17.jar, which is actually the reload4j jar even though the filename says log4j. The novell-nurm-web rpm copies this file from /usr/share/java/log4j12/log4j-1.2.17.jar in its post-install script:

# rpm -q novell-nurm-web --scripts
postinstall scriptlet (using /bin/sh):
...
STORM_LIB="/var/opt/novell/tomcat/webapps/storm/WEB-INF/lib"
...
if [ -f /usr/share/java/log4j12/log4j-1.2.17.jar ]
then
cp /usr/share/java/log4j12/log4j-1.2.17.jar $STORM_LIB/
fi
...

/usr/share/java/log4j12/log4j-1.2.17.jar is installed by the reload4j rpm and is a link to reload4j.jar:

# ll /usr/share/java/log4j12/log4j-1.2.17.jar
lrwxrwxrwx 1 root root 24 Feb 25  2023 /usr/share/java/log4j12/log4j-1.2.17.jar -> ../reload4j/reload4j.jar

So, NURM is using reload4j, which is not vulnerable to these CVEs.
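The conclusion above rests on the deployed jar being a copy of the reload4j jar. The following check script is added here and is not part of the original knowledge document; it confirms that the jar in the webapp lib directory is byte-identical to the file the /usr/share/java/log4j12 symlink resolves to. The default paths are the ones quoted on this page (the STORM_LIB value comes from the post-install script).

```shell
#!/bin/sh
# Added verification helper (not from the original document): confirm that a
# deployed log4j-1.2.17.jar has exactly the same contents as the reload4j jar
# that /usr/share/java/log4j12/log4j-1.2.17.jar links to. Because the rpm uses
# plain cp, the deployed file is a regular copy, so symlink inspection alone
# says nothing about it; comparing bytes does.

# Print the final target of a (possibly multi-level) symlink chain.
resolve_target() {
    readlink -f "$1"
}

# is_reload4j_copy DEPLOYED_JAR REFERENCE_LINK
# Exit 0 when DEPLOYED_JAR is byte-identical to what REFERENCE_LINK resolves
# to; exit 1 when they differ or when either file is missing.
is_reload4j_copy() {
    deployed="$1"
    reference="$2"
    [ -f "$deployed" ] || return 1
    target=$(resolve_target "$reference") || return 1
    [ -f "$target" ] || return 1
    cmp -s "$deployed" "$target"
}

# check_nurm_log4j [STORM_LIB] [REFERENCE_LINK]
# Report on the NURM paths named on this page; exit 0 on a match, 1 otherwise.
check_nurm_log4j() {
    storm_lib="${1:-/var/opt/novell/tomcat/webapps/storm/WEB-INF/lib}"
    ref="${2:-/usr/share/java/log4j12/log4j-1.2.17.jar}"
    jar="$storm_lib/log4j-1.2.17.jar"
    if is_reload4j_copy "$jar" "$ref"; then
        echo "OK: $jar is identical to $(resolve_target "$ref")"
        return 0
    fi
    echo "WARNING: $jar is missing or does not match $ref; inspect it manually"
    return 1
}
```

On an OES host, `rpm -qf "$(readlink -f /usr/share/java/log4j12/log4j-1.2.17.jar)"` should additionally name the reload4j package, since the page states that package installs the link target.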
