log4j-1.2.8.jar

I have installed just the client software, WatchGuard System Manager, on my Windows 10 PC. It has copied

C:\Program Files (x86)\Common Files\WatchGuard\wsm11\lib\log4j-1.2.8.jar

According to

https://github.com/Chiencc/TEST/issues/56

it is vulnerable.

Is there a patched version coming soon? How can I mitigate the risk for the meantime?

Best Answer

  • https://nvd.nist.gov/vuln/detail/CVE-2021-4104

    says that the vuln is in JMSAppender in Log4j 1.2, and does not suggest that log4j-1.2.8 has the vuln.
    Lower down there is the list of affected versions:
    Matching CPE(s)

    cpe:2.3:a:apache:log4j:1.2:-:*:*:*:*:*:*
    cpe:2.3:a:apache:log4j:1.2:beta4:*:*:*:*:*:*
    cpe:2.3:a:apache:log4j:1.2:rc1:*:*:*:*:*:*

    Which says to me that none above 1.2 are vulnerable.

    Also see this note:
    "Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default."
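A defender-side check for the condition the answer above describes (CVE-2021-4104 only matters when Log4j 1.2 is actually configured to use JMSAppender), added here as an example and not part of the original thread: it looks for the JMSAppender class inside a Log4j 1.x jar and scans log4j.properties / log4j.xml text for appenders bound to that class. The script name and the sample configs are constructed; the jar path from the question is the only real value assumed.

```python
"""Audit a Log4j 1.x deployment for CVE-2021-4104 exposure.

The CVE applies only when Log4j 1.2 is configured to use JMSAppender, so the
check has two parts: (1) does the jar even ship the class, and (2) does any
log4j 1.x configuration bind an appender to it. Any reference is reported,
whether or not a logger attaches that appender (deliberately conservative).
"""
import re
import sys
import zipfile
from pathlib import Path
from typing import BinaryIO, List, Union

JMS_CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"
JMS_CLASS_NAME = "org.apache.log4j.net.JMSAppender"

# log4j.properties form:  log4j.appender.<name>=<class>
PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", re.M)
# log4j.xml form:  <appender name="<name>" class="<class>">  (attribute order varies)
XML_APPENDER = re.compile(r"<appender\s([^>]*)>", re.I)


def _attr(attrs: str, key: str) -> str:
    m = re.search(rf'\b{key}\s*=\s*"([^"]*)"', attrs)
    return m.group(1) if m else ""


def jar_ships_jmsappender(jar: Union[str, BinaryIO]) -> bool:
    """True if the jar (path or file-like object) contains the JMSAppender class."""
    with zipfile.ZipFile(jar) as zf:
        return JMS_CLASS_ENTRY in zf.namelist()


def find_jms_appenders(config_text: str) -> List[str]:
    """Names of appenders bound to JMSAppender in a log4j 1.x properties or XML config."""
    found = [name for name, cls in PROP_APPENDER.findall(config_text) if cls == JMS_CLASS_NAME]
    for m in XML_APPENDER.finditer(config_text):
        if _attr(m.group(1), "class") == JMS_CLASS_NAME:
            found.append(_attr(m.group(1), "name"))
    return found


def audit(jar_path: str, config_paths: List[str]) -> dict:
    """Exposed only if the jar ships the class AND some config actually uses it."""
    ships = jar_ships_jmsappender(jar_path)
    uses = {p: find_jms_appenders(Path(p).read_text(errors="replace")) for p in config_paths}
    uses = {p: names for p, names in uses.items() if names}
    return {"ships_jmsappender": ships, "configs_using_jmsappender": uses,
            "cve_2021_4104_exposed": ships and bool(uses)}


if __name__ == "__main__":
    # e.g. python log4j1_jms_check.py "C:\Program Files (x86)\Common Files\WatchGuard\wsm11\lib\log4j-1.2.8.jar" log4j.properties
    print(audit(sys.argv[1], sys.argv[2:]))
```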

Answers

  • From this article:
    "The version of log4j used in WSM (and each Firebox appliance) is lower than the version affected by CVE-2021-44228 and is not vulnerable to this exploit."

    Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228)
    https://techsearch.watchguard.com/KB?type=Security Issues&SFDCID=kA16S000000SNnuSAG&lang=en_US

  • Thank you for your comment. I understand log4j-1.2.8.jar is not affected by the vulnerability in CVE-2021-44228. What I am concerned about is CVE-2021-4104, which talks about the vulnerability in Log4j 1.x.
    Is WSM affected?

  • I appreciate the update. I freaked out when our security software flagged the computer with WSM as the system with a vulnerable file.

  • edited December 2021

    According to Nessus Pro, log4j-1.2.8.jar is unsupported so it does not receive security patches. But it does not suggest it is vulnerable to the latest CVEs. Even though there is no indication it is vulnerable to these specific threats, Nessus Pro has given it a Critical severity. I hope WatchGuard has plans to remove and use a new version of this log4j jar in future releases.

  • Corey_N_SecAdept WatchGuard Representative

    Our official response to this is in our Knowledge Base article on the Log4j issues. See update 2. In short, yes, our version is affected by the CVE, but it's not exploitable for the reasons you will read. Also, I hope no one puts their WSM computer on the internet. It's not a server, so you shouldn't be exposing it on the Internet anyway, making this not remotely exploitable even if we did have it configured in the exploitable way:

    https://techsearch.watchguard.com/KB?type=Security Issues&SFDCID=kA16S000000SNnuSAG&lang=en_US

    Update 2 – Researchers recently discovered and disclosed CVE-2021-4104, a remote code execution vulnerability in the older Log4j 1.2 release. This vulnerability requires a non-default configuration with the JMSAppender module enabled. While WatchGuard System Manager uses a vulnerable version of Log4j 1.2, it does not use the JMSAppender module and is not vulnerable to this exploit. WatchGuard does not use Log4j 1.2 in any other product or service.

  • @Corey_N_SecAdept it looks like that link is no longer accessible ("Error: Login is required to access this URL."), but there is a public KB article with the same info at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2021-00003

  • james.carson Moderator, WatchGuard Representative

    Hi @AndrewJ

    We move items around our website to make them easier to find from time to time. The article you found has the same information.

    I'll ask Corey to update his post, but for the time being, the PSIRT link is the correct one.
    https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2021-00003

    -James Carson
    WatchGuard Customer Support
