log4j security issue - CVE-2021-44228

Discuss any topic about Brekeke PBX.

Moderator: Brekeke Support Team

BrekekeUserGermany
Posts: 12
Joined: Thu Apr 12, 2018 12:08 am

log4j security issue - CVE-2021-44228

Post by BrekekeUserGermany »

1. Brekeke Product Name and Version:

Brekeke PBX, Version 3.8.3.4, Pro
2. Java version:

OpenJDK 8u312-b07-1~deb9u1
3. OS type and the version:

Debian Stretch
4. UA (phone), gateway or other hardware/software involved:

/
5. Your problem:

CVE-2021-44228
Hi all,

as you probably heard through the news, there is a new security issue regarding log4j (https://nvd.nist.gov/vuln/detail/CVE-2021-44228).

I've found the following files in the PBX directory:

/webapps/pbx/WEB-INF/lib$
-rw-r--r-- 1 tomcat tomcat     127 Feb  2  2018 log4j-core.jar
-rw-r--r-- 1 tomcat tomcat  106494 Feb  2  2018 log4j.jar
Do you guys know if log4j is actively used by Brekeke?

How can I find out which log4j version is used, since extracting the log4j.jar file and having a look at the MANIFEST.MF located in the META-INF directory doesn't give much information...

And do you know if there's any fix already provided for this? At the moment the Brekeke news feed is empty regarding this.

Looking forward to hearing from you.
Best regards
Brett
Posts: 47
Joined: Tue Dec 23, 2014 11:57 am
Location: CA

Post by Brett »

Hi,

Because it looks like Brekeke PBX doesn't use the log4j 2.x that has the security issue, but uses log4j 1.x, I think Brekeke PBX doesn't have this vulnerability.

Thanks,
Brett
BrekekeUserGermany
Posts: 12
Joined: Thu Apr 12, 2018 12:08 am

Post by BrekekeUserGermany »

Hi Brett,
many thanks for the feedback!
Do you know where I can find this information about which log4j version is used?
In the documentation or somewhere else?
I've already had a look at some of the Brekeke documentations but haven't found a hint to that.
Best regards
Brett
Posts: 47
Joined: Tue Dec 23, 2014 11:57 am
Location: CA

Post by Brett »

Hi,

I asked brekeke tech support, just in case.

Here is the answer I got.

---------------

>Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
>
>There are two Log4j packages in the product.
>
>
>- Log4j bundled in the GUI part (Tomcat).
>
> It is not affected because it is the customized Log4j (not default).
>
> https://bishopfox.com/blog/log4j-zero-d ... 2021-44228
>
>
> - Log4j bundled in Brekeke SIP Server core.
>
> It is not affected because it is Log4j version 1 not version 2.


Best regards,
Brett
BrekekeUserGermany
Posts: 12
Joined: Thu Apr 12, 2018 12:08 am

Post by BrekekeUserGermany »

Hi Brett,

thanks again for the feedback.

In the meantime some guys found out, that version 1 seems to be affected as well, so I guess Brekeke PBX / SIP is affected, too?
https://github.com/apache/logging-log4j ... -990494126

Do you know if there's a possibility to let the technical support have a look at this forum/post to update us?
I'm sure everyone using PBX or SIP is curious about what are the next steps from Brekeke.

Best regards
Brett
Posts: 47
Joined: Tue Dec 23, 2014 11:57 am
Location: CA

Post by Brett »

Hi,

Regarding log4j v1, JMSAppender is not enabled by default.

Generally speaking, to turn it on, the following parameters are needed in log4j.properties.

log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=
log4j.appender.jms.ProviderURL=


Best regards,
Brett
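The two practical questions in this thread are how to tell which log4j generation a jar in WEB-INF/lib belongs to when its MANIFEST.MF says little, and how to confirm that the log4j 1.x JMSAppender Brett describes is not switched on in log4j.properties. The script below is an added example and is not code from the thread or from Brekeke. It does not know anything about Brekeke's customized jars; it classifies a jar purely by the package layout of log4j 1.x (org/apache/log4j/) versus 2.x (org/apache/logging/log4j/), reads a version from MANIFEST.MF or an embedded maven pom.properties where one exists, and scans a properties file for any appender whose class is org.apache.log4j.net.JMSAppender. The sample jars, version strings and properties files are constructed for the example; on a real system you would pass the bytes of log4j.jar and the contents of the PBX's log4j.properties instead.

```python
import io
import zipfile

# Real package layouts of the two log4j generations; everything else here,
# including the sample jars and properties files, is constructed for the example.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
LOG4J1_JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def inspect_log4j_jar(jar_bytes):
    """Classify a jar as log4j 1.x or 2.x from its package layout and recover a
    version string from MANIFEST.MF or an embedded maven pom.properties."""
    result = {"generation": "unknown", "version": None,
              "has_jms_appender": False, "has_jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J2_PREFIX) for n in names):
            result["generation"] = "2.x"
        elif any(n.startswith(LOG4J1_PREFIX) for n in names):
            result["generation"] = "1.x"
        # Presence of the class only means the feature ships in the jar;
        # whether it is used is decided by the configuration (see below).
        result["has_jms_appender"] = LOG4J1_JMS_CLASS in names
        result["has_jndi_lookup"] = LOG4J2_JNDI_CLASS in names
        for name in names:
            if name == "META-INF/MANIFEST.MF":
                keys, sep = ("Implementation-Version", "Bundle-Version"), ":"
            elif name.endswith("/pom.properties"):
                keys, sep = ("version",), "="
            else:
                continue
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition(sep)
                if key.strip() in keys and value.strip() and result["version"] is None:
                    result["version"] = value.strip()
    return result


def jms_appender_configured(properties_text):
    """True if a log4j 1.x properties file declares any JMSAppender.
    An appender's class is set by a key of the exact form log4j.appender.<name>."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if parts[:2] == ["log4j", "appender"] and len(parts) == 3 \
                and value.strip() == JMS_APPENDER:
            return True
    return False


def build_sample_jar(entries):
    """Constructed in-memory jar built from a {path: text} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed sample: a log4j 1.x jar whose version is only recorded in pom.properties.
SAMPLE_LOG4J1_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\ngroupId=log4j\n",
    "org/apache/log4j/Logger.class": "",
    LOG4J1_JMS_CLASS: "",
})

# Constructed sample: a log4j 2.x core jar that still carries the JndiLookup class.
SAMPLE_LOG4J2_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
    "org/apache/logging/log4j/core/Logger.class": "",
    LOG4J2_JNDI_CLASS: "",
})

# Constructed log4j.properties: a plain file appender, no JMSAppender.
SAMPLE_PROPERTIES_DEFAULT = """
# default configuration
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
"""

# Constructed log4j.properties with the appender described in the thread switched on.
SAMPLE_PROPERTIES_JMS = SAMPLE_PROPERTIES_DEFAULT + """
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=
log4j.appender.jms.ProviderURL=
"""

if __name__ == "__main__":
    for label, jar in (("log4j1", SAMPLE_LOG4J1_JAR), ("log4j2", SAMPLE_LOG4J2_JAR)):
        print(label, inspect_log4j_jar(jar))
    print("default properties JMSAppender:", jms_appender_configured(SAMPLE_PROPERTIES_DEFAULT))
    print("jms properties JMSAppender:", jms_appender_configured(SAMPLE_PROPERTIES_JMS))
```

The two checks are deliberately separate: a 1.x jar will normally contain JMSAppender.class, so its presence alone says nothing about exposure, whereas a log4j.appender.<name> key pointing at that class in the configuration the PBX actually loads is the condition that matters. For an installed PBX, the inputs are the bytes of each log4j*.jar under /webapps/pbx/WEB-INF/lib and the text of its log4j.properties.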
BrekekeUserGermany
Posts: 12
Joined: Thu Apr 12, 2018 12:08 am

Post by BrekekeUserGermany »

Hi Brett,

thanks again for the feedback.
I just had a look at the log4j.properties, which hasn't changed since the installation of PBX.

>Generally speaking, to turn it on, the following parameters are needed in log4j.properties.
>
>log4j.appender.jms=org.apache.log4j.net.JMSAppender
>log4j.appender.jms.InitialContextFactoryName=
>log4j.appender.jms.ProviderURL=

Nothing is set by default, as you said, so it should be safe :)

Thanks and best regards