Page Comparison

Remote Code Execution in Log4j [CVE-2021-44228]

Testing has revealed scenarios in which uControl software is vulnerable to the log4j vulnerability. The remediation steps below should be implemented as soon as possible.

Vulnerability details

From the official CVE:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP Servers when message lookup substitution is enabled.

Remediation: update your configuration

Administrators should deploy the configuration changes suggested in the GitHub advisory on the log4j project. This advice is to disable the format message lookups that, when issued, will execute any code found within the messages. This is easy to perform but will require a restart of the uControl service.

Performing this configuration change has no impact on the functionality of uControl, and we highly recommend our customers make this change as an immediate form of protection.

The configuration is issued via JAVA_OPTS when starting uControl. This change can be added to either your <uControlInstall>/tomcat8/bin/catalina.sh file:

JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"