[perfsonar-announce] Statement on the Log4j RCE Vulnerability
- From: Mark Feit <>
- Date: Mon, 13 Dec 2021 22:49:20 +0000
As many are aware by now, a severe remote code execution vulnerability in Log4j was announced late last week. As it is causing quite a stir, we've done a more-complete audit of where it's used in perfSONAR and thought it would be worth making a formal announcement as a follow-up to the thread on the perfsonar-users mailing list.
The use of Log4j in perfSONAR is confined to Cassandra (used by Esmond), MaDDash and the Lookup Service.
Cassandra uses Log4j 1.x, which does not have this vulnerability. With the replacement of Esmond in perfSONAR 5.0, Cassandra will no longer be required and will no longer be installed.
MaDDash uses Log4j 1.x, which does not have this vulnerability. We are aware that Log4j 1.x has its own set of pitfalls and will upgrade it to a current, patched version in the 5.0 release or migrate to some other library. We have identified a single instance where data provided by a client is directly logged as debug. This data will not be logged if MaDDash is left in its default configuration.
The Lookup Service uses Log4j and is vulnerable. The global lookup service operated by the perfSONAR project has been patched to disable lookups in the service itself and the ElasticSearch server. Sites running private lookup servers should take the steps described at https://github.com/esnet/simple-lookup-service/wiki/Apache-log4j-Remote-Code-Execution-vulnerability to reconfigure the software so it is no longer vulnerable.
Please drop us a line if you have questions or comments.
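The announcement distinguishes three situations: components on Log4j 1.x (a separate code base that does not have the JNDI-lookup RCE), components on Log4j 2.x that still ship `JndiLookup.class`, and components where lookups have been disabled. The script below is an added example, not code from the perfSONAR project or from the announcement; it audits a directory tree for jars the way a site running a private lookup server might, classifies each jar by the marker classes it contains, and applies the class-removal mitigation (deleting `org/apache/logging/log4j/core/lookup/JndiLookup.class` from `log4j-core`, the documented workaround for 2.x versions that cannot be upgraded immediately). The jar names and contents built by `demo()` are constructed fixtures, not real Log4j artifacts; the marker class paths are the real ones.

```python
"""Audit a directory tree for Log4j jars and apply the JndiLookup removal.

Added example; not the perfSONAR project's code. Fixtures in demo() are constructed.
"""
import os
import shutil
import tempfile
import zipfile

# Real class paths used as markers. Log4j 1.x lives under org/apache/log4j/;
# Log4j 2.x under org/apache/logging/log4j/, with the JNDI lookup in log4j-core.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/LogEvent.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(zf):
    """Return the log4j-core version from the embedded Maven pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify_jar(path):
    """Return (status, version) for one jar.

    status is 'log4j1' (not affected by this RCE, but end-of-life), 'log4j2-vulnerable'
    (JndiLookup.class present), 'log4j2-mitigated' (class removed) or 'other'.
    """
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER in names:
            return "log4j1", None
        if LOG4J2_MARKER in names:
            version = log4j_core_version(zf)
            return ("log4j2-vulnerable" if JNDI_LOOKUP in names else "log4j2-mitigated"), version
    return "other", None


def scan_tree(root):
    """Walk root and classify every *.jar; returns {path: (status, version)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                try:
                    results[full] = classify_jar(full)
                except zipfile.BadZipFile:
                    results[full] = ("unreadable", None)
    return results


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. Returns True if the class was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, path)  # atomic replace on the same filesystem
    return True


def make_sample_jar(path, members):
    """Constructed test fixture: a jar holding the given {member_path: bytes}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)


def demo():
    """Build constructed fixtures, scan, mitigate the vulnerable jar, rescan.

    Returns (before, after, fixed_count) with results keyed by file name.
    """
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-1.2.17.jar"), {LOG4J1_MARKER: b""})
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"),
                    {LOG4J2_MARKER: b"", JNDI_LOOKUP: b"", POM_PROPS: b"version=2.14.1\n"})
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"),
                    {LOG4J2_MARKER: b"", POM_PROPS: b"version=2.14.1\n"})
    before = {os.path.basename(p): v for p, v in scan_tree(root).items()}
    fixed = sum(1 for p, (status, _v) in scan_tree(root).items()
                if status == "log4j2-vulnerable" and strip_jndi_lookup(p))
    after = {os.path.basename(p): v for p, v in scan_tree(root).items()}
    shutil.rmtree(root)
    return before, after, fixed


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()[:2]):
        for name, (status, version) in sorted(result.items()):
            print(f"{label}: {name}: {status} {version or ''}")
```

Two caveats a practitioner should keep in mind. Removing the class only neutralises the JNDI lookup; upgrading log4j-core is the real fix, and the `log4j2.formatMsgNoLookups` JVM flag mentioned in early guidance was later shown not to cover every case, so treat it as a stopgap rather than a patch. Jars nested inside other archives (WAR/EAR files, shaded uber-jars) will show up as `other` here; a production audit should also open those.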
- Re: [perfsonar-announce] [perfsonar-user] Statement on the Log4j RCE Vulnerability, Steven G. Huter, 12/13/2021