Log4j Security Advisory #202111
The purpose of this advisory is to provide information on whether ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are vulnerable to recent Log4j 2 vulnerabilities: RCE (Remote Code Execution) CVE-2021-44228, DoS (Denial of Service) CVE-2021-45046, DoS CVE-2021-45105 and ACE (Arbitrary Code Execution) CVE-2021-44832. These vulnerabilities allow an attacker to remotely execute code in certain circumstances.
December 10, 2021
A number of vulnerabilities have recently been discovered that impact multiple versions of the Apache Log4j 2 utility:
Vulnerability | Severity Rating | CVSS Score | Affected Versions | Fixed Version | Other Information |
---|---|---|---|---|---|
CVE-2021-44228 | Critical | 10 | 2.0 to 2.14.1 | 2.15.0 | Disclosed publicly via the project’s GitHub on December 9, 2021 |
CVE-2021-45046 | Critical | 9 | 2.0 to 2.15.0 (excluding 2.12.2) | 2.16.0 | |
CVE-2021-45105 | High | 7.5 | 2.0 to 2.16.0 | 2.17.0 | |
CVE-2021-44832 | Medium | 6.6 | 2.0 to 2.17.0 (excluding 2.3.2 and 2.12.4) | 2.17.1 | |
CVE-2019-17571 | Critical | 9.8 | 1.2 to 1.2.17 | Included with Apache Spark and Apache Livy | |
CVE-2021-4104 | High | 7.5 | 1.2 | Included with Apache Spark and Apache Livy | |
Customers should check the CVEs for the latest vulnerable versions.
Note
New releases of Autonomous Identity that include Log4j 2.17 have been made available on December 22nd, 2021.
The only ForgeRock product that utilizes Log4j is Autonomous Identity, which now has patched releases that remedy the three Critical and High vulnerabilities. None of the other currently supported ForgeRock products, including Identity Cloud, AM, DS, IDM, IG and Agents, are affected by these vulnerabilities. ForgeRock continues to actively investigate any other possible uses of this library but none are known at this time.
The SecurID authentication module uses the Log4j library (which is supplied by RSA but no longer supported). You should not use this module unless RSA provides a fixed version of this library. See RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) for the latest information from RSA.
Customers are responsible for checking for any use of Log4j in their servlet/application container and any custom code (including Marketplace contributions) that they have deployed.
ForgeRock products
All currently supported versions of the ForgeRock Identity Platform (AM, DS, IDM, IG & AM Agents) are not vulnerable to Log4j as ForgeRock does not ship with this library. Review Ping Identity Product Support Lifecycle Policy | PingAM, PingDS, PingIDM and IGA for details of currently supported versions.
Older, end of life, versions of the ForgeRock Identity Platform could be vulnerable. However, due to the age and lack of vendor support for libraries, they cannot be patched to ensure they are no longer vulnerable to the Log4j attacks.
Product | Supported Versions | Vulnerable | Details |
---|---|---|---|
Autonomous Identity | 2020.10, 2021.3, 2021.8 | Yes | The newest releases address the following vulnerabilities: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Release Notes: Downloads: Autonomous Identity does not use a JDBC appender for logging, which means it is not affected by CVE-2021-44832. NOTE: There are some additional vulnerabilities that have been discovered in Log4j (version 1) that are not patched in the above releases. Please see the section Log4j version 1 below for remediation instructions. |
AM | 6.x, 7.x | No | N/A |
DS | 6.x, 7.x | No | N/A |
IDM | 6.x, 7.x | No | N/A |
IG | 6.x, 7.x | No | N/A |
Agents | 5.x | No | N/A |
Recommendations
Autonomous Identity customers should update to the latest patch release (see release notes in the table above).
For standard installations of the ForgeRock Identity Platform (AM, DS, IDM, IG and Agents), you should check to see if your servlet/application containers have any vulnerabilities by contacting the vendor of the servlet being used. The servlet/application container you install for deploying AM needs to be checked to make sure it is not vulnerable. The default recommended container of Apache Tomcat is not vulnerable as it does not use Log4j.
For custom installations of the ForgeRock Identity Platform that include components that utilize either log4j or log4j-api libraries, you should:
- Contact the component vendor for additional information.
- Check to see if your servlet/application containers have any vulnerabilities by contacting the vendor of the servlet being used.
- Follow the advice from Apache by upgrading your Log4j version(s) to 2.17.1 or later, or by implementing one of their mitigations as outlined here: Apache Log4j Security Vulnerabilities.
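One way to carry out the check the recommendations call for, written here as an added example rather than ForgeRock or Apache tooling: it walks a deployment directory, reports log4j-core jars found loose on disk or bundled inside .war/.ear/.jar archives, and maps each version to the CVEs in the advisory table above. The directory layout built in demo() is constructed sample input.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 2 affected ranges as listed in the advisory table (inclusive bounds).
# Backport branches (2.3.x, 2.12.x) carry further fixed releases; as the
# advisory says, confirm against the CVE entries before closing a finding.
LOG4J2_RANGES = [
    ((2, 0, 0), (2, 14, 1), "CVE-2021-44228"),
    ((2, 0, 0), (2, 15, 0), "CVE-2021-45046"),
    ((2, 0, 0), (2, 16, 0), "CVE-2021-45105"),
    ((2, 0, 0), (2, 17, 0), "CVE-2021-44832"),
]
EXCLUDED = {"CVE-2021-45046": {(2, 12, 2)}, "CVE-2021-44832": {(2, 3, 2), (2, 12, 4)}}
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(name):
    """Version tuple from a log4j-core jar name, or None if it is not one."""
    m = JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def cves_for(version):
    """CVEs from the advisory table that apply to this log4j-core version."""
    return [cve for lo, hi, cve in LOG4J2_RANGES
            if lo <= version <= hi and version not in EXCLUDED.get(cve, ())]


def scan_tree(root):
    """Report log4j-core jars on disk and nested inside .war/.ear/.jar archives."""
    findings = []
    for path in sorted(Path(root).rglob("*"), key=str):
        if not path.is_file():
            continue
        v = parse_version(path.name)
        if v:
            findings.append((str(path), v, cves_for(v)))
        elif path.suffix in (".war", ".ear", ".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    nv = parse_version(entry)
                    if nv:
                        findings.append((f"{path}!{entry}", nv, cves_for(nv)))
    return findings


def demo():
    """Constructed sample deployment: a loose 2.14.1 jar and a war bundling 2.17.1."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(b"")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", b"")
    return scan_tree(root)
```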
For older ForgeRock products that are no longer supported, we strongly recommend you upgrade to a newer, supported version.
Log4j version 1
The main vulnerabilities of concern do not apply to Log4j 1 versions. However, Autonomous Identity contains some third-party libraries that include Log4j version 1. Those libraries are Apache Spark 3.2 and Apache Livy and will not be updated by Apache. The vulnerable libraries can be modified by removing the vulnerable classes.
Follow these steps to remove the vulnerable classes from the Apache libraries:
- Ensure no analytics are running.
- Stop Apache Spark:
  - Find the process id: ps aux | grep spark
  - Kill the process (replace pid1 with the process id found): sudo kill pid1
  Repeat on all the Apache Spark nodes.
- Stop Apache Livy: /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/bin/livy-server stop
- Run the following commands to remove the problematic classes from the jars:
  - zip -d /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/jars/log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class
  - zip -d /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/jars/log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
  - zip -d /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/jars/log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class
  - zip -d /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/jars/log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
  Repeat on all the Apache Spark nodes.
- Start Apache Spark:
  - On Master node: /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/sbin/start-master.sh -i {{ spark_master_ip }}
  - On Worker nodes: /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/sbin/start-slave.sh {{ spark_master_ip }}:7077
- Start Apache Livy: /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/bin/livy-server start
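The zip -d steps above, as an added Python example that is not part of the advisory or the product: it lists which of the two Log4j 1 classes a jar still contains, removes them by rewriting to a temporary copy and atomically replacing the original (zipfile cannot delete entries in place), and lets you verify the jar is clean before restarting Spark and Livy. The jar built in demo() is a constructed stand-in with stub entries, not the real log4j-1.2.17.jar.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.2 classes the advisory removes: SocketServer (CVE-2019-17571) and
# JMSAppender (CVE-2021-4104).
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)


def vulnerable_entries(jar_path):
    """Which of the advisory's classes are still present in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        present = set(jar.namelist())
    return [c for c in VULNERABLE_CLASSES if c in present]


def strip_classes(jar_path, classes=VULNERABLE_CLASSES):
    """Equivalent of `zip -d <jar> <class>...`: rewrite the jar without the listed
    entries. Every other entry is copied to a sibling temp file that then replaces
    the original atomically. Returns the entries that were removed."""
    jar_path = Path(jar_path)
    removed = []
    fd, tmp_name = tempfile.mkstemp(dir=jar_path.parent, suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_name, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            # Reusing the ZipInfo keeps name, timestamp and compression method.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_name, jar_path)
    return removed


def demo():
    """Constructed stand-in for log4j-1.2.17.jar: the two bad classes plus benign entries."""
    jar = Path(tempfile.mkdtemp()) / "log4j-1.2.17.jar"
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        for name in VULNERABLE_CLASSES + ("org/apache/log4j/Logger.class", "META-INF/MANIFEST.MF"):
            z.writestr(name, b"stub")
    before = vulnerable_entries(jar)
    removed = strip_classes(jar)
    with zipfile.ZipFile(jar) as z:
        remaining = sorted(z.namelist())
    return before, removed, vulnerable_entries(jar), remaining
```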
The libraries implemented inside Autonomous Identity are not vulnerable.
See Also
Apache Log4j Security Vulnerabilities
Apache Log4j RCE – Variants and Updates
Change Log
The following table tracks changes to the advisory:
Date | Description |
---|---|
April 18, 2023 | Updated tags to improve search |
August 18, 2022 | Added instructions to remove vulnerable classes from log4j version 1 |
January 5, 2022 | Updated to clarify that CVE-2021-44832 does not affect Autonomous Identity |
January 4, 2022 | Updated to note new vulnerability (CVE-2021-44832) and advice to upgrade to Log4j version 2.17.1 |
December 22, 2021 | Added new fixed versions to address CVE-2021-45105 & CVE-2021-45046 for Autonomous Identity; added section for Log4j1 to clarify its status |
December 20, 2021 | Updated to note new vulnerability (CVE-2021-45105) and advice to upgrade to Log4j version 2.17.0 |
December 16, 2021 | Add fixed versions and release notes for Autonomous Identity |
December 15, 2021 | Updated to note new vulnerability (CVE-2021-45046) and advice to upgrade to Log4j version 2.16.0 |
December 14, 2021 | Updated to provide clarity around supported versions and added recommendation for older unsupported versions |
December 13, 2021 | Updated to note the SecurID authentication module and its use of the Log4j library; updated the Recommendations section to be more specific |
December 10, 2021 | Initial release |