Security issue: On December 10, 2021, a vulnerability with critical severity in Log4j has been identified that can lead to remote code execution.
Affected packages:
- org.apache.logging.log4j:log4j-api <2.15.0
- org.apache.logging.log4j:log4j-core <2.15.0
CVE: CVE-2021-44228
Update December 20th, 2021
We have released updated packages for both on-premises versions. These updates supersede the mitigation steps published below: treat the -Dlog4j2.formatMsgNoLookups=true workaround as an interim measure only and install the updates.
Please follow the steps below to ensure the security of your DRACOON environment:
1. DRACOON Server
For DRACOON Server, the fixed versions have been added to the package repository. Install them with:
yum update
2. DRACOON 2019-1 LTS
For the 2019-1 LTS version, new releases of the following components have been published:
- DRACOON WebDAV
- DRACOON OAuth Service
- DRACOON Core Service
Please follow the instructions provided:
Update December 15th, 2021
Further analysis has identified that one component of DRACOON LTS 2019-1, the DRACOON WebDAV proxy, uses Log4j and is therefore vulnerable to CVE-2021-44228.
This means that the steps mentioned below are mandatory and need to be followed to ensure the security of your instance.
This applies to version LTS 2019-1 only (DRACOON Core 4.12.x, DRACOON for WebDAV 5.2.2).
Impact
Our internal analysis found that this vulnerability does not affect DRACOON's cloud products: DRACOON uses Logback rather than Log4j as its logging framework. The same applies to DRACOON Server (see the December 15th update above for the one exception, the WebDAV proxy in LTS 2019-1).
Mitigation
As a proactive measure, all services of our DRACOON Cloud have been updated according to the mitigations provided by Red Hat: CVE-2021-44228
DRACOON customers who operate their own DRACOON Server instances are strongly recommended to apply the same mitigation.
Instructions for on-premises customers
- DRACOON Server
- In the directory /etc/dracoon, add -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTIONS variable in every .env file (except database-backup.env), so that the line looks like this:
JAVA_OPTIONS="-Dlog4j2.formatMsgNoLookups=true -Xmx1G ..."
- Restart all DRACOON services (alternatively, reboot the VM):
- dracoon-admin-service.service
- dracoon-branding-service.service
- dracoon-branding-web-app.service
- dracoon-core-service.service
- dracoon-mail-notification-dispatcher.service
- dracoon-message-sender-worker.service
- dracoon-oauth-service.service
- dracoon-s3-cmur-worker.service
- dracoon-web-app.service
- dracoon-webdav-proxy.service
- dracoon-webhook-dispatcher.service
- dracoon-webhook-worker.service
- DRACOON 2019-1 LTS (no docker - Spring Boot)
- Add -Dlog4j2.formatMsgNoLookups=true to JAVA_OPTS in /etc/tomcat/tomcat.conf:
#Additional java options
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true ..."
- Add -Dlog4j2.formatMsgNoLookups=true to the ExecStart line of each of the following systemd unit files:
- /usr/lib/systemd/system/dracoon-branding.service
- /usr/lib/systemd/system/dracoon-branding-ui.service
- /usr/lib/systemd/system/dracoon-core.service
- /usr/lib/systemd/system/dracoon-oauth.service
- /usr/lib/systemd/system/dracoon-webdav.service
...
ExecStart=/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -Xmx1024M ...
...
- Reload the unit files:
systemctl daemon-reload
- Then restart the DRACOON services and Tomcat, or reboot the VM.
- DRACOON 2019-1 LTS (docker)
- In the file /usr/share/dracoon/.env, add -Dlog4j2.formatMsgNoLookups=true to each of the following variables:
DRACOON_CORE_JAVA_OPTS=-Xmx2048M -Dlog4j2.formatMsgNoLookups=true
DRACOON_WEBUI_JAVA_OPTS=-Xmx1024M -Dlog4j2.formatMsgNoLookups=true
DRACOON_WEBDAV_JAVA_OPTS=-Xmx1024M -Dlog4j2.formatMsgNoLookups=true
DRACOON_OAUTH_JAVA_OPTS=-Xmx1024M -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true
DRACOON_INSTABRAND_SERVICE_JAVA_OPTS=-Xmx1024M -Dlog4j2.formatMsgNoLookups=true
DRACOON_INSTABRAND_UI_JAVA_OPTS=-Xmx1024M -Dlog4j2.formatMsgNoLookups=true
- Afterwards, recreate the containers from the directory containing the updated .env file:
docker-compose up -d
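The three sets of file edits above (the DRACOON Server .env files, the LTS 2019-1 tomcat.conf and systemd units, and the docker .env) are all the same change: prepend the flag to a Java options setting. The script below is an added example, not DRACOON's own tooling. It applies that change idempotently to each file shape, writes through the existing inode so the owner and mode of the config files are preserved, and then inspects the command lines of running JVMs, because the edit does nothing until the service has been restarted. The sample file contents and paths under a temporary directory are constructed for the demo, and appending a new variable line when the variable is absent is an assumption of this example that the advisory does not cover.

```shell
#!/bin/sh
# Added example, not DRACOON's own tooling: apply the interim
# -Dlog4j2.formatMsgNoLookups=true workaround to the three file shapes the
# advisory lists and verify that running JVMs really carry the flag.
#   KEY="..."             /etc/dracoon/*.env, /etc/tomcat/tomcat.conf
#   KEY=...   (unquoted)  /usr/share/dracoon/.env (docker)
#   ExecStart=...java     /usr/lib/systemd/system/dracoon-*.service
set -eu

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# rewrite FILE SED_EXPR: edit in place through the existing inode so the
# owner and mode of the config file survive (mv of a temp file would not).
rewrite() {
    sed "$2" "$1" > "$1.tmp"
    cat "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# add_flag FILE VAR: prepend $FLAG to VAR's value, quoted or not. Idempotent
# per variable, so a docker .env with six *_JAVA_OPTS lines is handled one
# variable at a time. Prints already-set | patched | added. Appending a new
# VAR line when it is absent is an assumption of this example.
add_flag() {
    if grep -q "^$2=.*$FLAG" "$1"; then
        echo already-set
    elif grep -q "^$2=" "$1"; then
        rewrite "$1" "s|^$2=\(\"\{0,1\}\)|$2=\1$FLAG |"
        echo patched
    else
        printf '%s="%s"\n' "$2" "$FLAG" >> "$1"
        echo added
    fi
}

# add_flag_unit FILE: insert $FLAG right after the java binary on ExecStart=.
add_flag_unit() {
    if grep -q "^ExecStart=.*$FLAG" "$1"; then
        echo already-set
    elif grep -q '^ExecStart=[^ ]*java ' "$1"; then
        rewrite "$1" "s|^\(ExecStart=[^ ]*java\) |\1 $FLAG |"
        echo patched
    else
        echo skipped   # no java ExecStart line, nothing to do
    fi
}

# patch_server_envs DIR: every *.env except database-backup.env, as the
# advisory specifies for DRACOON Server.
patch_server_envs() {
    for f in "$1"/*.env; do
        if [ "$(basename "$f")" = database-backup.env ]; then
            echo "$f: skipped"
        else
            echo "$f: $(add_flag "$f" JAVA_OPTIONS)"
        fi
    done
}

# The six variables named in the docker instructions.
DOCKER_VARS="DRACOON_CORE_JAVA_OPTS DRACOON_WEBUI_JAVA_OPTS DRACOON_WEBDAV_JAVA_OPTS
DRACOON_OAUTH_JAVA_OPTS DRACOON_INSTABRAND_SERVICE_JAVA_OPTS DRACOON_INSTABRAND_UI_JAVA_OPTS"
patch_docker_env() {   # patch_docker_env FILE
    for v in $DOCKER_VARS; do echo "$v: $(add_flag "$1" "$v")"; done
}

# check_jvms: a file edit is not a mitigation until the JVM restarts. List
# java processes whose live command line lacks $FLAG; return 1 if any exist.
check_jvms() {
    missing=0
    [ -d /proc ] || { echo "no /proc here, skipping JVM check"; return 0; }
    for p in /proc/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        cl=$(tr '\0' ' ' 2>/dev/null < "$p/cmdline") || continue
        case "$cl" in
            *java*) case "$cl" in
                        *"$FLAG"*) ;;
                        *) echo "pid ${p#/proc/}: JVM running WITHOUT $FLAG"; missing=1 ;;
                    esac ;;
        esac
    done
    return $missing
}

# Demo on constructed sample files standing in for the real paths.
demo() {
    d=$(mktemp -d)
    printf 'JAVA_OPTIONS="-Xmx1G -Dfile.encoding=UTF-8"\n' > "$d/dracoon-core-service.env"
    printf 'JAVA_OPTIONS="%s -Xmx512M"\n' "$FLAG" > "$d/dracoon-web-app.env"
    printf 'BACKUP_DIR=/var/backup\n' > "$d/database-backup.env"
    printf 'DRACOON_CORE_JAVA_OPTS=-Xmx2048M\n' > "$d/docker.env"
    printf '[Service]\nExecStart=/usr/bin/java -Xmx1024M -jar /opt/dracoon/core.jar\n' > "$d/dracoon-core.service"
    patch_server_envs "$d"
    patch_docker_env "$d/docker.env"
    echo "dracoon-core.service: $(add_flag_unit "$d/dracoon-core.service")"
    cat "$d/dracoon-core-service.env" "$d/docker.env" "$d/dracoon-core.service"
    rm -rf "$d"
    check_jvms || echo "restart the listed services, then re-run check_jvms"
}
demo
```

On a real host, point patch_server_envs at /etc/dracoon, patch_docker_env at /usr/share/dracoon/.env and add_flag_unit at each unit file, run systemctl daemon-reload and the restarts the advisory lists, and only then treat an empty check_jvms report as confirmation. The check reads /proc/PID/cmdline rather than the config files, so it also catches a service that was edited but never restarted.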
Resolution
For DRACOON Cloud customers, no action is necessary, as DRACOON has already taken the necessary measures. DRACOON Server customers should follow the update or mitigation steps above for their deployed version.