13 December 2021
Last Friday, our OWASP scan alerted us to a vulnerability in Log4j, a commonly used open-source logging library for Java applications: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Delft-FEWS does use Log4j for logging, but the current Delft-FEWS code does NOT call the suspicious Log4j method: Delft-FEWS ships its own, non-configurable implementation of that method, so the suspicious method cannot be used at all, and the Delft-FEWS code actively prevents it. In addition, all supported Delft-FEWS versions run on a higher Java version than the one mentioned in the news.
This means that all supported Delft-FEWS versions from 2018.02 and up are NOT directly affected by the vulnerability in Log4J.
We realize that this security issue leads to general concerns. From a Delft-FEWS perspective there is no immediate threat, but below we highlight the no-regret measures that you can implement in the short term. We also share our follow-up plans for upgrading to a higher version of Log4j.
Delft-FEWS Product Management
13th of December 2021
More technical details
Delft-FEWS and its components use Log4j 2.11.1. This is true for the Operator Client, Forecasting Shell Server, Master Controller, Delft-FEWS Webservices, Admin Interface, Database proxy and Open Archive (including Elastic Search). As mentioned, the suspicious method call is replaced in the Delft-FEWS code with our own implementation. The problematic part of Log4j is 'PatternLayout'; our code uses its own implementation, called 'FastLayout', which prevents the malicious JNDI lookup from being used.
Java option/version aspects
According to Apache's guidance, in releases >=2.10 this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
This setting can be implemented straight away and applies to the following components:
Operator Client and FSS: add to the clientConfig.xml: <jvmOption>-Dlog4j2.formatMsgNoLookups=true</jvmOption>
More information for OC and FSS
Master Controller: add to the mcConfig.xml: <jvmOption>-Dlog4j2.formatMsgNoLookups=true</jvmOption>
More information for the MC
For all Tomcat-based web applications: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
Admin Interface: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
FewsWebServices: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
DatabaseProxy: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
ArchiveServer: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
More information for Tomcat based applications
Open Archive (including Elastic Search)
In the start-up scripts (bin/elastic or bin/elastic.bat) of the Archive Server this -D option can be added.
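To verify that the no-regret measure above has actually landed on every component, a short audit script is useful: it checks a clientConfig.xml/mcConfig.xml for the jvmOption, checks a Tomcat JAVA_OPTS string for the -D property, reads the log4j-core version out of a jar, and classifies the result using the Apache guidance quoted above (the property only works from 2.10 onwards; 2.15 is the upgrade target named in this announcement). This is an added example for this page, not Deltares or Delft-FEWS code; the XML namespace, the file layout inside the sample jar and the sample config are constructed for the demonstration, and the check for the JndiLookup class follows Apache's published advice for releases older than 2.10.

```python
"""Audit helper for the Log4j mitigations described above (added example, not Delft-FEWS code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MITIGATION_OPTION = "-Dlog4j2.formatMsgNoLookups=true"
# Locations inside log4j-core-<version>.jar; the pom.properties path is the standard Maven layout.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Constructed sample of a clientConfig.xml carrying the jvmOption from the announcement.
# The namespace is assumed for the example; the tag check below ignores it anyway.
SAMPLE_CLIENT_CONFIG = """
<clientConfiguration xmlns="http://www.wldelft.nl/fews">
  <jvmOption>-Xmx2048m</jvmOption>
  <jvmOption>-Dlog4j2.formatMsgNoLookups=true</jvmOption>
</clientConfiguration>
"""


def parse_version(version):
    """'2.11.1' -> (2, 11, 1); tolerates suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def config_has_no_lookups(xml_text):
    """True if a clientConfig.xml / mcConfig.xml contains the mitigation jvmOption."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if tag == "jvmOption" and (element.text or "").strip() == MITIGATION_OPTION:
            return True
    return False


def java_opts_has_no_lookups(java_opts):
    """True if a Tomcat JAVA_OPTS string carries the -D property as a whole token."""
    return MITIGATION_OPTION in java_opts.split()


def inspect_log4j_core(jar_bytes):
    """Return (version or None, JndiLookup class present) for a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def assess(version, jndi_present, no_lookups_set):
    """Classify one component according to the Apache guidance quoted on this page."""
    if version is None:
        return "unknown: no log4j-core version metadata found"
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "upgraded"  # the target version named in the announcement
    if not jndi_present:
        return "mitigated: JndiLookup class removed"
    if v >= (2, 10, 0) and no_lookups_set:
        return "mitigated: formatMsgNoLookups set"
    if v >= (2, 10, 0):
        return "vulnerable: set " + MITIGATION_OPTION
    return "vulnerable: property ineffective below 2.10, upgrade required"


def make_sample_jar(version, include_jndi=True):
    """Build a constructed in-memory log4j-core-like jar for testing the inspector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                     "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    ver, jndi = inspect_log4j_core(make_sample_jar("2.11.1"))
    print("Operator Client:", assess(ver, jndi, config_has_no_lookups(SAMPLE_CLIENT_CONFIG)))
    print("Tomcat app:", assess(ver, jndi, java_opts_has_no_lookups("-Xmx2g")))
```

Point inspect_log4j_core at each component's real log4j-core jar and the config checks at the real clientConfig.xml, mcConfig.xml and Tomcat setenv values; any result starting with "vulnerable" names the step from the list above that is still missing for that component.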
For Elastic itself (the Open Archive catalogue), this workaround is not applicable; see https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476. Elastic have announced a new version; as soon as it is available, Deltares will provide a new package.
Log4j Upgrade to 2.15: New basebuilds will be made available
A Log4j upgrade is available and is necessary to stop security/vulnerability-scanning tools from producing false alarms for Delft-FEWS. This 2.15 version needs to be packed and distributed together with all other Java code of Delft-FEWS.
In the development version of Delft-FEWS (leading to 2022.01) we have replaced Log4j 2.11.1 with the latest version (2.15). The same is true for Delft-FEWS 2021.02, which is about to be released.
For all other supported Delft-FEWS versions (2019.02 and higher), Deltares will provide a new base build (plus patch) in the next few days. This new base build will contain Log4j version 2.15. If you are running an older version, please contact the Delft-FEWS helpdesk at email@example.com.
With the new base build and patch installed, the scanning tools will no longer flag Log4j.
If you or your organisation would like to receive the updated base build/patch for your version, let us know! Please send an e-mail to firstname.lastname@example.org
If you have any other questions concerning the above, do not hesitate to contact us.
Delft-FEWS Product Manager Developments