Apache Log4j vulnerability variant [CVE-2021-44228]

This is probably a no-brainer, but is the Solarwinds Orion 2020.2.6 HF1 version impacted at all by the new log4j vulnerability variant? My guess is probably not, being that it needs JAVA to manifest itself, and I don't believe Solarwinds Orion utilizes any JAVA components with the latest software versions. But my management wanted me to check with you folks. So please advise and confirm? Thank you!

  • I found log4j jar files in <orion>\APM\jmxbridge, and DPA uses it as well.

    I tried manually replacing the jar files under jmxbridge, and now it won't start, but that's on me

  • As did I (including editing the jsl.ini to use 2.15). No joy on restarting the service. My guess is the jsl.exe has a max version number in it.

  • The same question.
    Especially after that discovery:

    I found log4j jar files in <orion>\APM\jmxbridge, and DPA uses it as well.

    IMO after the Sunburst incident Solarwinds must react more quickly. As I see it, there is no confirmation/refusal from SW yet.

  • So I believe that we can modify some configuration file.

    Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

    Assuming it is the log4j2.xml in the DPA path but not 100% sure if that is the case, has anyone tried this yet?

  • My leader is very concerned about the situation of DPA affected by this, but there is still no official response so far

  • Given the number of impacted systems overall, we are mitigating the issue at the firewall level.  Palo Alto released a fix that appears to be blocking the attacks so far.

  • According to https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#find-vulnerable-software-windowsgci
    run this in PowerShell to find potentially affected files.

    gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

    Depending on which Solarwinds modules you are licensed for, this might be an example result:
    C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge\lib\log4j_core_2.14.0.jar

    In the absence of any official statement from Solarwinds, the question I have is: is it possible this jar file gets loaded when the service named
    "SolarWinds JMX Bridge Service"
    usually installed at
    "C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge\jsl\jsl64.exe"
    is running?

    I went to
    C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge\jsl\jsl64.ini

    and found the .jar file (Highlighted in bold) referenced in the ini file under this section.

    ;Jboss 7.4
    param02 = %APM_HOME%\jmxbridge\SolarWinds.JMX.Bridge.jar;%APM_HOME%\jmxbridge\lib\log4j_1.2_api_2.14.0.jar;%APM_HOME%\jmxbridge\lib\log4j_api_2.14.0.jar;%APM_HOME%\jmxbridge\lib\log4j_core_2.14.0.jar;%APM_HOME%\jmxbridge\lib\wlclient.jar;%APM_HOME%\jmxbridge\lib\wljmxclient.jar;%APM_HOME%\jmxbridge\lib\javax.xml.soap-api.jar;%APM_HOME%\jmxbridge\lib\jaxb-api.jar;%APM_HOME%\jmxbridge\lib\jaxws-api.jar;%APM_HOME%\jmxbridge\lib\jsr181-api.jar.jar;%APM_HOME%\jmxbridge\lib\gmbal-api-only.jar;%APM_HOME%\jmxbridge\lib\ha-api.jar;%APM_HOME%\jmxbridge\lib\javax.activation-api.jar;%APM_HOME%\jmxbridge\lib\axb-core.jar;%APM_HOME%\jmxbridge\lib\jaxb-impl.jar;%APM_HOME%\jmxbridge\lib\jaxws-rt.jar;%APM_HOME%\jmxbridge\lib\management-api.jar;%APM_HOME%\jmxbridge\lib\mimepull.jar;%APM_HOME%\jmxbridge\lib\policy.jar;%APM_HOME%\jmxbridge\lib\saaj-impl.jar;%APM_HOME%\jmxbridge\lib\stax-ex.jar;%APM_HOME%\jmxbridge\lib\streambuffer.jar;%APM_HOME%\jmxbridge\lib\javax.annotation-api.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.4\jboss-cli-client.jar

  • It is confirmed that the Orion Platform core is not affected and does not utilize Apache Log4j. If none of the mentioned modules are installed, this confirms that you are not affected by the vulnerability.

    SolarWinds products that utilize Apache Log4j in their codebase:
    - Server & Application Monitor (SAM)
    - Database Performance Analyzer (DPA)

  • Thanks Jeff, and to all who posted here!  Our particular environment doesn't have the DPA module but does have SAM.  Being that the Solarwinds security advisory that came out this weekend in this regard mentions that although SAM utilizes the vulnerable Log4j library, it uses the JDK version 16 which is not known at this time to be susceptible to the Log4j vulnerability, then we'll most likely hold off and wait for the new hotfix to come out that addresses this issue.  Thank you once again for your posts and information provided!