Is Plesk affected by CVE-2021-44228 vulnerability in log4j package of Apache?

Follow

Comments

4 comments

  • Avatar
    Michael Lang

    Hey, 

    I just fired a "find" command to see if theres anything left with log4j on the server. I found some log4j entries in the microupdates folder (./parallels/PSA_17.8.11/microupdates/MU70/dist-deb-Ubuntu-16.04-x86_64/pmm-ras).

    Is there any todo here for me or can this be ignored?

    Thanks in advance!
    Michael

     

    2
    Comment actions Permalink
  • Avatar
    Lenusch

    Same Question as Michael 

    1
    Comment actions Permalink
  • Avatar
    Ehud Ziegelman

    Hi,

     

    Solutions seems to be published here:

    https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/

    Where two ModSecurity changes should do the job:

     

    # Defense against CVE-2021-44228 
    SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"

     

    # Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
    # See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
    SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
        "id:1005,\
        phase:2,\
        block,\
        t:none,t:urlDecodeUni,t:cmdline,\
        log,\
        msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
        tag:'application-multi',\
        tag:'language-java',\
        tag:'platform-multi',\
        tag:'attack-rce',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/152/137/6',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/1',\
        ver:'OWASP_CRS/3.4.0-dev',\
        severity:'CRITICAL',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    0
    Comment actions Permalink
  • Avatar
    Vitaly Zhidkov

    Michael Lang, Lenusch thank you for this question.

    You may safely ignore it. pmm-ras does not use Java. It uses log4cpp library which is compatible with log4j, but it is not affected by this vulnerability.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request