Omnis Technical Note TNEX0013 Dec 2021
Addressing the remote code execution vulnerability in Apache Log4j (Security Alert CVE-2021-44228)
For Omnis Studio 8.1 or before
By Omnis Engineering.
This tech note responds to the Oracle Security Alert Advisory for CVE-2021-44228, issued on Dec 10, 2021, which refers to a remote code execution vulnerability in Apache Log4j. See more: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Due to the severity of this vulnerability, we are advising Omnis developers who are using Java (in Web Services prior to Studio 8.1) to check the version of Log4j they are using and to take the necessary action, if any is needed.
The affected Java class is JndiLookup, which was added in 2013 in Log4j v2 beta 9. We currently distribute v1.2.15, which means our default implementation should not be affected. However, you may have upgraded to a newer version, and if so you may want to take one of the following actions:
1) Upgrade to Log4j v2.16.0 (*see the update below) from: https://logging.apache.org/log4j/2.x/download.html
2) If you are using log4j v2.10 or above and cannot upgrade, set the following property:
Also, an environment variable could be set up for the same affected versions:
3) Completely remove the JndiLookup class from the classpath, for example by running the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
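A way to carry out the check and the third mitigation above on a set of jars, as an added example that is not part of the Omnis tech note: a small Python scanner that reads each log4j-core jar's manifest version, tests whether the JndiLookup class (the path quoted above) is present, and rewrites the jar without that entry, which is what the zip command does. The 2.16.0 threshold is the note's updated advice; the jars the script builds are constructed stand-ins so that it runs offline, and the manifest field name (Implementation-Version) is the standard Java one rather than anything the note states.

```python
"""Offline check for the Log4j 2 JndiLookup exposure described in the tech note.

Assumptions (not from the tech note): jar layout and manifest field names are the
standard Java ones; the sample jars built here are constructed stand-ins, not real
Log4j builds. Version 2.16.0 is the fixed release the note's update recommends.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Path of the affected class inside log4j-core (as given in the tech note).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_jar(jar_path):
    """Read the manifest version and test whether JndiLookup.class is in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if match:
                version = match.group(1)
    return {"path": str(jar_path), "version": version,
            "has_jndi_lookup": JNDI_LOOKUP_CLASS in names}


def assess(info):
    """'ok' when JndiLookup is absent (Log4j 1.x, or already stripped) or the jar is
    2.16.0 or later; otherwise 'vulnerable'. A jar that carries the class but has no
    readable version is reported as vulnerable rather than guessed at."""
    if not info["has_jndi_lookup"]:
        return "ok"
    if info["version"] and parse_version(info["version"]) >= FIXED_VERSION:
        return "ok"
    return "vulnerable"


def remove_jndi_lookup(jar_path):
    """Mitigation 3 without the zip CLI: rewrite the jar minus the JndiLookup entry,
    the equivalent of `zip -q -d log4j-core-*.jar .../JndiLookup.class`.
    Returns True if an entry was actually removed."""
    src = Path(jar_path)
    tmp = src.with_suffix(".tmp")
    removed = False
    with zipfile.ZipFile(src) as zin, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    tmp.replace(src)
    return removed


def make_sample_jar(directory, version, include_jndi_lookup):
    """Constructed stand-in jar: a manifest plus, optionally, a placeholder class entry."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def run_demo():
    """Scan three constructed jars, strip the class from the vulnerable one, rescan."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        old = make_sample_jar(workdir, "2.14.1", True)      # 2.x with the class present
        fixed = make_sample_jar(workdir, "2.16.0", True)    # the recommended fixed release
        legacy = make_sample_jar(workdir, "1.2.15", False)  # the 1.x line Omnis ships
        results["before"] = assess(inspect_jar(old))
        results["removed"] = remove_jndi_lookup(old)
        results["after"] = assess(inspect_jar(old))
        results["fixed"] = assess(inspect_jar(fixed))
        results["legacy"] = assess(inspect_jar(legacy))
    return results


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Point `inspect_jar` and `assess` at the real jars on your Omnis Web Services classpath to get the same three-way answer: class absent, fixed release, or needs action. Removing the class is a stop-gap for installations that cannot upgrade; the note's primary advice remains upgrading to v2.16.0.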
Cloudflare wrote a useful note about the original vulnerability and also offered the above options to mitigate the risk, which you may like to refer to: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228
*Updated 16.12.21: According to Cloudflare the fix (in Log4j v2.15.0) for the original vulnerability introduced a further vulnerability, so the advice now is to upgrade to Log4j v2.16.0, if required. See this note: https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/