Notice about LOG4J & Cassandra
We have been asked if ConsoleWorks is affected by the Log4j CVEs: CVE-2021-44228, CVE-2021-44832, CVE-2021-45105, CVE-2021-4104.
ConsoleWorks does not directly link to, nor make any calls to, the Log4j v1.x library that is packaged with another library we do link to, Apache Spark. Any update would have to come from the maintainers of Apache Spark.
The above CVEs are associated with Log4j v2.x, and therefore the 1.x version shouldn't be considered a problem. If the Spark maintainers were to assess a vulnerability, they would issue a new release. We in turn would then need to update ConsoleWorks and include it in our build.
A further question was raised about the possibility of JNDI calls being used in the 1.x version shipped with Spark; TDi Engineering found no JNDI calls in that code.
Update 1/5/22
We've learned that the maintainers of Spark are working on migrating from Log4j 1 to Log4j 2.17.1 at this time, which is in line with mitigating the current CVEs against version 2. We hope to see this version of Spark released soon so that we may download it and begin testing with it to make sure it integrates with ConsoleWorks and its components properly.
We will of course include any notices of updates to ConsoleWorks in our Release Notes when it becomes available.
Please check this notice for further updates.
Update 2/10/22
ConsoleWorks Security Notice - Log4j Update
Update on Log4j version 1 CVEs.
As stated before, we are continually monitoring the published issues and vulnerabilities related to Log4j. We have recently become aware of new CVEs related to the usage of Log4j version 1.2.17 in Apache Spark Version 2.3.1 which is installed with ConsoleWorks as part of our CWScriptDatabase feature.
1. CVE-2021-4104: JMSAppender deserialization of untrusted data
2. CVE-2022-23302: JMSSink deserialization of untrusted data
3. CVE-2019-17571: SocketServer class vulnerable to deserialization of untrusted data
4. CVE-2020-9493 and CVE-2022-23307: deserialization issues in Apache Chainsaw
5. CVE-2022-23305: allowing unintended SQL queries to be executed
6. CVE-2020-9488: SMTP appender improper validation of certificate with host mismatch
TDi is currently incorporating Log4j 2.17.1 into the CWScriptDatabase for a new release of ConsoleWorks 5.4 to address the above CVEs. This update will not include a new version of Apache Spark, which has yet to be released at this time. Until an updated version of Apache Spark can be included in a new release of ConsoleWorks, TDi will be patching the currently included version with the reload4j library. The reload4j project is a fork of Apache Log4j version 1.2.17 intended to fix the most pressing security issues.
Until ConsoleWorks 5.4-0u4 is made available and can be installed in your environment, TDi recommends the following measures for securing your ConsoleWorks server.
Security – While these security vulnerabilities exist within the application, TDi recommends that customers shut down the CWScriptDatabase service using the following instructions.
In the ConsoleWorks user interface, under ADMIN: Server Management: CWScript Database, click the Stop Button and de-select the Auto-Start check box. On Windows systems, also open the Windows Services Console and set the Cassandra and Spark services to Disabled.
These steps will not prevent system scanners from finding the Log4j files, but they will make the server safe from the vulnerabilities that exist in them.
Further Security – If desired for further security and to prevent system scanners from flagging the log4j files, you can take the extra steps to remove the CWScriptDatabase, Cassandra, and Spark applications from your ConsoleWorks installation.
This method will allow vulnerability scanners to see your ConsoleWorks server as safe and protect you from bad actors making use of the Log4j security flaws. You will need to follow these steps each time you upgrade ConsoleWorks until we can get the released version of Apache Spark 3.3.0 or greater included with ConsoleWorks. This of course is dependent on the Apache Spark release schedule. We have contacted them to try and move this process along sooner rather than later.
Instructions for Removal of Software
On all systems do the following first to stop the associated processes:
Go to ADMIN: Server Management: CWScript Database
Click the Stop button, de-select the Auto-Start check box, then click Save.
Windows:
In Windows Control Panel: Programs and Features, remove CWScriptDatabase, then Spark, then Cassandra.
You will need to repeat this at each ConsoleWorks upgrade until the Log4j issue is resolved in ConsoleWorks.
Linux:
The following example output is partial; yours will be complete.
[root@YourServer ~]# yum remove ConsoleWorksCWScriptDatabase.x86_64
....
Installed size: 58 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksCWScriptDatabase-1.0-2.x86_64 1/1
Verifying : ConsoleWorksCWScriptDatabase-1.0-2.x86_64 1/1
Removed:
ConsoleWorksCWScriptDatabase.x86_64 0:1.0-2
[root@YourServer ~]# yum remove ConsoleWorksSpark
….
Installed size: 244 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksSpark-2.3-1.x86_64 1/1
Verifying : ConsoleWorksSpark-2.3-1.x86_64 1/1
Removed:
ConsoleWorksSpark.x86_64 0:2.3-1
Complete!
[root@YourServer ~]# yum remove ConsoleWorksCassandra
….
Installed size: 35 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : ConsoleWorksCassandra-3.11-11.x86_64 1/1
Verifying : ConsoleWorksCassandra-3.11-11.x86_64 1/1
Removed:
ConsoleWorksCassandra.x86_64 0:3.11-11
Complete!
You will need to repeat this at each ConsoleWorks upgrade until the Log4j issue is resolved in ConsoleWorks.
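As an added example that is not part of TDi's notice: a POSIX shell check an administrator could run on a Linux ConsoleWorks host after the removal steps above (or after stopping the service) to confirm that no unpatched Log4j JAR remains on disk. The classification follows the notice's own statements: the Log4j 1.2.x line bundled with Spark 2.3.1 is flagged, reload4j is treated as the patched fork, and log4j-core 2.x is accepted from 2.17.1 upward. The directory layout, the JAR file names and the install path are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of TDi's notice. Walks an install tree and reports
# any Log4j JAR still present, using the notice's criteria:
#   log4j-1.*.jar      -> the 1.2.x line bundled with Spark 2.3.1 (flag it)
#   reload4j-*.jar     -> the patched 1.x fork the notice says TDi will ship (ok)
#   log4j-core-2.*.jar -> ok from 2.17.1 upward, the version the notice names
# The demo tree below is constructed; point scan_log4j_dir at your real
# ConsoleWorks install path instead.

# ver_num "2.17.1" -> 2017001, one integer that compares numerically
ver_num() {
  echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# classify_log4j_jar PATH -> prints VULNERABLE, OK or UNKNOWN
classify_log4j_jar() {
  name=$(basename "$1")
  case "$name" in
    reload4j-*.jar)    echo OK ;;
    log4j-1.*.jar)     echo VULNERABLE ;;
    log4j-core-2.*.jar)
      ver=${name#log4j-core-}
      ver=${ver%.jar}
      if [ "$(ver_num "$ver")" -ge "$(ver_num 2.17.1)" ]; then
        echo OK
      else
        echo VULNERABLE
      fi
      ;;
    *)                 echo UNKNOWN ;;
  esac
}

# scan_log4j_dir DIR -> prints "STATUS path" for every log4j/reload4j JAR;
# returns 0 when nothing vulnerable remains, 1 otherwise
scan_log4j_dir() {
  found=0
  while IFS= read -r jar; do
    [ -n "$jar" ] || continue
    status=$(classify_log4j_jar "$jar")
    echo "$status $jar"
    [ "$status" = VULNERABLE ] && found=1
  done <<EOF
$(find "$1" -type f \( -name 'log4j*.jar' -o -name 'reload4j*.jar' \) | sort)
EOF
  return $found
}

# make_demo_tree -> creates a throwaway tree of constructed (empty) JAR files
# and prints its path; the names mimic what a server could carry
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/spark/jars" "$root/other/lib"
  : > "$root/spark/jars/log4j-1.2.17.jar"      # what Spark 2.3.1 bundles
  : > "$root/spark/jars/reload4j-1.2.19.jar"   # constructed: patched fork
  : > "$root/other/lib/log4j-core-2.17.1.jar"  # the notice's target version
  : > "$root/other/lib/log4j-core-2.14.1.jar"  # constructed: too old
  echo "$root"
}

demo_root=$(make_demo_tree)
if scan_log4j_dir "$demo_root"; then
  echo "clean: no vulnerable Log4j JARs under $demo_root"
else
  echo "action needed: vulnerable Log4j JARs remain under $demo_root"
fi
rm -rf "$demo_root"
```

The scan is deliberately name-based so it runs without Java or unzip on the host; a JAR renamed to hide its version would show up as UNKNOWN rather than OK, which is the safe direction for a post-removal check.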
Update 02/17/2022 regarding Cassandra
CVE-2021-44521 - Cassandra security issue
ConsoleWorks does not configure Cassandra to enable the user-defined functions described in the above CVE, so this vulnerability does not affect our installation.