Is Cmap Tools affected by the Log4J security vulnerabilities?

ClaudeP
Posts: 3
Joined: Mon Dec 13, 2021 10:26 am

Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by ClaudeP »

Hello,

My question concerns the security vulnerabilities discovered in the Apache Log4j library. I notice the presence of the log4j-1.2.12.jar file in the Classes folder of the Cmap Tools application.

https://thehackernews.com/2021/12/extre ... ility.html

Do I have to be worried? Is an analysis underway regarding the potential risks associated with this library?

Thank you!
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

We are looking into it.
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

Reports are that versions affected are Log4j 2.0-beta9 up to 2.14.1. Would be a case where it was good that we haven't updated the version in the CmapTools installs.
ClaudeP
Posts: 3
Joined: Mon Dec 13, 2021 10:26 am

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by ClaudeP »

Thank you very much for doing this verification. I feel reassured.

Have a good day.
ClaudeP
Posts: 3
Joined: Mon Dec 13, 2021 10:26 am

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by ClaudeP »

Hello,

After checking, we decided to remove the Cmap Tools application from all workstations in our school board (more than 10,000 computers).

Log4j version 1.x has been end of life since 2015. There are already identified and unpatched vulnerabilities. Nothing says that this version has been analyzed for the new security vulnerability CVE-2021-44228.

https://logging.apache.org/log4j/2.x/security.html
https://logging.apache.org/log4j/1.2/

I will continue to follow your forum hoping that we will eventually have an update of Cmap Tools no longer using this version of Log4j.

Thank you for your support.

Have a good day.
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

Fine. We are looking into it. Doesn't seem to be an issue, but will look into updating Log4j.
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

It has been verified that log4j 1.x is not affected by any known CVEs, including the new one.

log4j 1.x only has one known vulnerability (https://www.cvedetails.com/cve/CVE-2019-17571/) but we are not using the SocketServer to listen to network traffic for logging, so it does not affect us.
CVE-2019-17571 : Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

We are looking into updating the version of log4j but it might involve changes in the API that will require some effort. For now we feel sure that there is no issue with CmapTools. We'll keep you posted.
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

Furthermore, the CmapTools client in general is not directly vulnerable to any of these types of remote-exploit CVEs, because it is not a server (e.g. it's not listening for network input). The CmapServer could be affected, but in this case it is not.
HaraldR
Posts: 3
Joined: Tue Dec 14, 2021 9:20 am

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by HaraldR »

Hello,

we only use IHMC CmapTools as a pure client application.

IHMC CmapTools: 6.04 - Windows
Preferences:
Autosave: Save Cmaps Every 1 minute(s)
Cloud Account: Cloud Account is not used.
Places & Servers: Internet Host Name = *.ihmc.us Port 8080 or 80 + WebServerPort = 443
Directories of Places: Internet Host Name = dop.ihmc.us: activated = true / Port = 80 / Web Server Port = 8001
Discussion Threads = Keep my user ID anonymous = false
Proxy Configuration = do not use proxy server = true

1.
The menu "Cmaps in the cloud" is as provided by your installation package.

2.
That means, from our point of view, that it would be possible to deliver harmful code to our client(s) if your cloud server were compromised and the attacker used the log4j attack method to infect the client installation.

3.
Contrary to many log4j problem description web pages, v1.2.x may also be compromised using the JMSAppender class.
This class can be deleted from a JAR file with e.g. this scriptlet without disadvantage for the necessary functionality:
for i in $(find . -name "log4j-1.2.17.jar"); do zip -q -d "$i" org/apache/log4j/net/JMSAppender.class; done

4.
Our question: Is it correct that code can be executed on the client by using a compromised cloud connection in the described way?

5.
And if so, how can we alter the installation package in order to avoid this vulnerability?

Kind regards,

Harald
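An added example (not code from the forum or from IHMC) that ties together the two checks discussed above: cmapadmin's point that CVE-2019-17571 only matters if SocketServer is listening, and Harald's zip -d step for JMSAppender. It audits every log4j-1.*.jar under a directory for those two classes and can strip an entry without the zip CLI. The jar it builds is a constructed stand-in with empty class entries, not the real log4j-1.2.12.jar shipped with CmapTools.

```python
import io
import re
import zipfile
from pathlib import Path

# Classes in a log4j 1.x jar a defender wants to know about: SocketServer
# (CVE-2019-17571, only exploitable when run as a network listener) and
# JMSAppender (only reachable when the logging configuration enables it).
WATCH = ("org/apache/log4j/net/SocketServer.class",
         "org/apache/log4j/net/JMSAppender.class")

def audit_jar(path):
    """Return (version, [watched classes present]) for one log4j 1.x jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            m = re.search(rb"Implementation-Version:\s*(\S+)",
                          zf.read("META-INF/MANIFEST.MF"))
            if m:
                version = m.group(1).decode()
    if version is None:  # fall back to the version in the file name
        m = re.search(r"log4j-(\d[\w.]*)\.jar$", Path(path).name)
        version = m.group(1) if m else "unknown"
    return version, [c for c in WATCH if c in names]

def strip_class(path, class_name):
    """Rewrite the jar without class_name (same effect as `zip -q -d`).
    Returns True if the entry was present and removed."""
    path = Path(path)
    with zipfile.ZipFile(path) as src:
        if class_name not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != class_name:
                    dst.writestr(info, src.read(info.filename))
    path.write_bytes(buf.getvalue())
    return True

def audit_tree(root):
    """Audit every log4j-1.*.jar under root; returns {path: (version, present)}."""
    return {str(p): audit_jar(p) for p in Path(root).rglob("log4j-1.*.jar")}

def make_sample_jar(directory, name="log4j-1.2.12.jar"):
    """Constructed stand-in for the real jar: a manifest plus empty class entries."""
    p = Path(directory) / name
    with zipfile.ZipFile(p, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.12\n")
        for c in WATCH + ("org/apache/log4j/Logger.class",):
            zf.writestr(c, b"")
    return p
```

Running audit_tree over an install directory lists which jars still carry the two classes; strip_class then removes only the entry you chose, leaving the rest of the jar intact.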
cmapadmin
Site Admin
Posts: 797
Joined: Sat Dec 13, 2008 2:22 pm

Re: Is Cmap Tools affected by the Log4J security vulnerabilities?

Post by cmapadmin »

The JMSAppender is not enabled in CmapTools or CmapServer, so neither application is vulnerable out of the box.

If you're concerned that someone will maliciously enable it by hacking the startup script (e.g. they must have already gained access to the machine), it should not cause any problem to delete the JMSAppender.class from the jar as you suggest.