Уязвимость в Log4j

[Nek 26]

Здравствуйте, всем кому небезразлична информационная безопасность, ознакомьтесь с темой:

https://community.sw.siemens.com/s/question/0D54O00007EEuEDSA1/log4j-vulnerability

[Krusty 194]

 

Log4j Vulnerability Impact on TcIN, Teamcenter Integration for NX

 

• Affected Software: 
  NX 2007 Series (Dec 2021 Release) and all prior releases
  
  
  Problem:
  A 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string. The vulnerability is dubbed "Log4Shell" (CVE-2021-44228).
  
  Solution:
  The vulnerability and actions described in this SFB are focused on NX integration with Teamcenter, also known as "NX Managed Mode" or "Teamcenter Integration for NX, TcIN".  NX Design is an extensive product line with several optional modules.  There are no vulnerabilities for Log4j in the other NX modules with minor exceptions noted below.
  We take these issues seriously and have come up with a list of areas to apply the preferred workaround. The mitigation is to remove the unused JndiLookup class from the log4j-core-<version>.jar files that are in the NX install kits.
  
  zip -q -d log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
  
               OR
  
  @rem verify the JndiLookup.class file exists in the .jar file
  7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup
  @rem remove the JndiLookup.class file
  7z d log4j-core-2.14.0.jar   JndiLookup.class  -r
  @rem verify the JndiLookup.class file no longer exists in the .jar file
  7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup
  
  Note: Substitute 7za for 7z on some Linux machines
  
              OR 
  
  Use your favorite jar file GUI editor, navigate to the class, delete it and then save the zip
  
  
  Locating the files to modify:
  There are multiple log4j-core-<version> files to modify depending on the release of NX you have installed.  They can be found by searching your NX installation kits directory for log4j-core.*.jar.
  
  Example nx2007:
  UGII_BASE_DIR\design_tools\shapesearch\GeolusNXIndexer\log4j-core-2.13.2.jar
  UGII_BASE_DIR\design_tools\checkmate\tools\quality_dashboard\TCInterface.jar
  UGII_BASE_DIR\diagramming\pid\library\InstallTool\libs\log4j-core-2.13.0.jar
  UGII_BASE_DIR\ugmanager\soa\tc13000.3.0\log4j-core-2.14.0.jar
  UGII_BASE_DIR\ugmanager\tccs\third_party\mld\tc13.2.0.0.2021012502\log4j-core-2.14.0.jar
  UGII_BASE_DIR\ugmanager\tccs\third_party\TcSS\TcSS13.2\jars\log4j-core-2.14.0.jar
  
  Earlier versions of NX have fewer files to change.
   
  Other impacted modules:
  Shape Search
  NX Diagramming (NX2007 only)
  
  Risk Mitigation:
  1. Apply the workaround to all log4j 2.x deployments
  2. Patches will be made available for all releases under maintenance as soon as possible
  
  References: 
  Log4j Vulnerability Impact on Teamcenter Suite: sfb:8600700 
                 
  
  Application Servers (Tomcat, JBOSS, WebSphere, etc) – contact your vendor

Log4j Vulnerability Impact on Teamcenter Suite

 

A 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string. The vulnerability is dubbed "Log4Shell" (CVE-2021-44228 [1]).


We take these issues seriously and have come up with a list of areas to apply the preferred work around. The mitigation is to remove the JndiLookup class from the log4j-core-<version>.jar which is not used by Teamcenter: 
 
       zip -q -d log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
 
       OR


      @rem verify the JndiLookup.class file exists in the .jar file
      7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup
      @rem remove the JndiLookup.class file
      7z d log4j-core-2.14.0.jar   JndiLookup.class  -r
     @rem verify the JndiLookup.class file no longer exists in the .jar file
     7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup
            Note: Substitute 7za for 7z on some Linux machines


       OR 


       Use your favorite jar file GUI editor, navigate to the class, delete it and then save the zip


The location of the areas that need to be modified is in spreadsheet "Log4j2-ZeroDay-ComponentList-Public.xlsx"  This file is located  at http://support.sw.siemens.com under Downloads for Teamcenter/Support White Papers/General


 


Impacted Applications by log4j 2.x:
                Teamcenter 13.1+
                Rapid Start 13.1+
                Data Share Manager 13.1+
                Briefcase Browser 13.1+

                Active Workspace 4.3+
                        SOLR 7.7.0 (AW 4.3+) 
                        Retail Footwear & Apparel 4.3+
 
                Teamcenter Microservices Framework 5.1+
                Supplier Collaboration Foundation 5.1+
                Polarion Integration Teamcenter 5.1+


                MBSE Gateway 4.0+
                Deployment Center 3.1+ 
                 Vis Server Manager and Pool Assigner 5.0+ 

                Teamcenter Integration Framework (TcIF) 13.2 and earlier
 
               Teamcenter 11.3 - 12.4 due to 
                      Dispatcher Service 11.3+
                      FMS 11.3+
                     Teamcenter Security Services 11.3+ 
                
                Teamcenter EDA 2.3+
                Mendix Connector 1.0
                
                Teamcenter Technical Publishing 2.10


                Siemens GeolusIndexerTK 10.x and 11.x
                Siemens GeolusTcIntIndexer 10.x and 11.x

                TcSE (standalone RM/SE) 11.2+ 
                CVE Companion to Teamcenter Product Cost Management


All integrations based on Java SOA Client – 11.3+
        NX, Catia, ProE, Creo, SolidWorks, Cadence Allegro, Altium, Cadence ORCAD
        Medical Devices
        Tc Reporting & Analytics
        System Modeling Workbench
        
 
                
Application Servers (Tomcat, JBOSS, WebSphere, etc) – contact your vendor


 


The following products/features are not impacted by log4j 2.x:
                Teamcenter Visualization – all versions
                Product Cost Management – all versions
                PLMVis – all versions
                Rulestream - all versions
                Integrations based on C++ or C# SOA Client:
                         AutoCAD, Inventor
                         Requirements Integrator 
 


Risk Mitigation


1.  Apply the work around to all log4j 2.x deployments
2.  Patches and/or hot fixes will be made available for all releases under maintenance as soon as possible
          a. Patches for Teamcenter 12.x and Active Workspace 4.2/4.3 are targeted for 23-Dec-2021
          b. Patches for Teamcenter 13.x/14.0 and AW 5.x/6.0 are targeted for no later 28-Jan-2022


Note:  Applications using Log4j 1.x may be affected, but potential attacks are limited to the following:


A remote attacker (with previous access to the host) can execute code on the server only if the deployed application is configured to use JMSAppender.  The log4j 1.x version IS vulnerable if the configuration of the following two JMS appender variables (TopicBindingName or TopicConnectionFactoryBindingName) are set up in a way that JNDI can handle.


By default, Teamcenter does not use JMS appender for logging and thus Teamcenter is not as susceptible. 

 

FAQ


1.  We recommend you scan your systems for log4j jars – if you find any with 2.0 – 2.14 versions, they need to be fixed by the SFB method.  You need to check both clients and servers
IF YOU RUN ANY TEAMCENTER NEWER THAN TEAMCENTER 11.2, YOU ARE MOST LIKELY AFFECTED.
2.  This SFB is being updated as needed to reflect what we have learned with changes in bold print - Be sure to subscribe to receive new SFBs in Support Center
3.  Do not confuse the SFB for Active Integration Gateway with Teamcenter.  We do not recommend replacing jar files with 2.16 for Teamcenter.
4.  We do NOT recommend replacing jar files with 2.16 because some of our software hardcodes the jar file names.  We are trying to identify which are involved.  We will update the SFB spreadsheet later with software where you can just drop the 2.16 jar file and those packages where you must update a patch from us
5.  We have not fixed the current downloads – so if you download our software, you need to scan again.  I recommend you scan on a regular basis
6.  Most of our integrations (CATIA, ProE, SolidWorks, TCRA) are affected – our software providers are working on patches, but you can fix the jar files just like you would for Teamcenter in the SFB

Изменено 17 декабря 2021 пользователем Krusty

[Krusty 194]

log4j конечно сделал подарок перед рождеством :)

[esergey 74]

https://habr.com/ru/company/kaspersky/blog/596735/

 

https://habr.com/ru/post/596645/

 

 

Изменено 20 декабря 2021 пользователем esergey
добавлена ссылка

[lexx174 373]

17.12.2021 в 22:44, Krusty сказал:

log4j конечно сделал подарок перед рождеством :)

и что, кто-то уже пострадал от этого,в частности пользователи TC/NX? )

для NX10 не актуально?

у нас по моему мало у кого стоит TC12/13, многие еще на NX10-12.Там по-моему старая версия Log4j

[Krusty 194]

7 hours ago, lexx174 said:

и что, кто-то уже пострадал от этого,в частности пользователи TC/NX? )

для NX10 не актуально?

у нас по моему мало у кого стоит TC12/13, многие еще на NX10-12.Там по-моему старая версия Log4j

 

Большинство сидит в закрытых сетях

Что касается 10 наха, а хз.... насколько глубоко надо интерпертировать вот это

NX 2007 Series (Dec 2021 Release) and all prior releases

 

а про Teamcenter:

 

IF YOU RUN ANY TEAMCENTER NEWER THAN TEAMCENTER 11.2, YOU ARE MOST LIKELY AFFECTED.

 

лучше перебдеть, имхо.

Маленький сниппет:

 

...

DIR /s /b log4j-core-*.jar > %MyInputJarList%
"%My7zProg%" d "%%A" org/apache/logging/log4j/core/lookup/JndiLookup.class >> %MyLogFileJarList%

...

 

[Krusty 194]

Продолжим,

https://github.com/logpresso/CVE-2021-44228-Scanner

 

Open a command-prompt window as Administrator

Scan the NX installation folder by typing the following command into the Command-Prompt window:

log4j2-scan.exe --fix UGII_BASE_DIR

Example
C:\Log4J\log4j2-scan.exe --fix "C:\Program Files\Siemens\NX2007"

Notes:
*You must use the full path to the location where the log4j2-scan.exe tool resides on your computer as well as the full path to the UGII_BASE_DIR folder. Your NX installation folder may vary from the example above.

*The command argument to the tool is prefaced by two dashes "-"

Alternatively, you can make these changes manually by following one of these options:

zip -q -d log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

             OR

@rem verify the JndiLookup.class file exists in the .jar file
7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup
@rem remove the JndiLookup.class file
7z d log4j-core-2.14.0.jar   JndiLookup.class  -r
@rem verify the JndiLookup.class file no longer exists in the .jar file
7z l log4j-core-2.14.0.jar | findstr /i /c:JndiLookup

Note: Substitute 7za for 7z on some Linux machines

            OR

Use your favorite jar file GUI editor, navigate to the class, delete it and then save the zip


Locating the files to modify (not needed if you use the Logpresso tool):
There are multiple log4j-core-<version> files to modify depending on the release of NX you have installed.  They can be found by searching your NX installation kits directory for log4j-core.*.jar.

Example nx2007:
UGII_BASE_DIR\design_tools\shapesearch\GeolusNXIndexer\log4j-core-2.13.2.jar
UGII_BASE_DIR\design_tools\checkmate\tools\quality_dashboard\TCInterface.jar
UGII_BASE_DIR\diagramming\pid\library\InstallTool\libs\log4j-core-2.13.0.jar
UGII_BASE_DIR\ugmanager\soa\tc13000.3.0\log4j-core-2.14.0.jar
UGII_BASE_DIR\ugmanager\tccs\third_party\mld\tc13.2.0.0.2021012502\log4j-core-2.14.0.jar
UGII_BASE_DIR\ugmanager\tccs\third_party\TcSS\TcSS13.2\jars\log4j-core-2.14.0.jar

Earlier versions of NX have fewer files to change.

Не болёйте!

[esergey 74]

так же тут разбирают примеры с кодом 

https://habr.com/ru/post/597981/