Log4j Vuln

[ertugrulturan]

Log4j 1.2 to 1.2.17

https://logging.apache.org/log4j/1.x/ <- eol + vulned version

[TommyTran732]

@h-mdm Any chance you can take a look at https://reload4j.qos.ch/?

It should be a drop in replacement for log4j 1.2.17, so you don't need to update the code base. The vuln is quite dangerous so it would be great to just have this as a quick fix for now.

[h-mdm]

I have implemented an exploit of CVE-2021-44228 mentioned in https://www.lunasec.io/docs/blog/log4j-zero-day/, and it didn't work. The line ${jndi:ldap://127.0.0.1/a} is logged as it is, no attempt to remote access by JNDI is done. So I believe the vulnerability CVE-2021-44228 is not applicable for Headwind MDM (probably because only text loggers are used).

[TommyTran732]

I still think it is pretty bad to keep using this old version though. It is not the only known CVE for it. I don't see any harm in at bumping to reload4j. The MDM is security critical so I'd prefer if theres no known vulnerable dependencies.

[TommyTran732]

I'd like to add that I scanned the dependences and there are a lot of known vulnerabilities as well. Some are several years old. The log4j is just the most iffy one.

[h-mdm]

Thank you for the info, will work on that.