[nSeal/SAM] Vulnerability in Apache Log4j Library (CVE-2021-44228)

Summary

  • On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library, affecting Log4j 2.x versions from 2.0-beta9 up to and including 2.14.1 (all 2.x releases prior to 2.15.0), was disclosed:

    • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Products Investigation

Netrust has completed its investigation of our products. The following product(s) are not affected:
  1. SAM-SAML
The following product(s) are affected:
  1. nSeal version 1.0.5
  2. SAM-OIDC version <=1.0.18
Interim workarounds for Windows and Linux are given below:

Workarounds (Windows)

1. Navigate to the Tomcat\bin folder and double-click <Tomcat service>w.exe (the Tomcat service configuration utility)
2. Select the Java tab and, under Java Options, add the following on a line of its own:
-Dlog4j2.formatMsgNoLookups=true
(Type the leading hyphen rather than pasting it: it must be the ASCII "-" character. A hyphen copied from a formatted document may be a look-alike character that the JVM does not recognise as an option, in which case the setting silently has no effect.)
3. Click Apply, then click OK
4. Restart the Tomcat service
5. End-to-end testing can be carried out after the service restarts

Workarounds (Linux)

1. Navigate to the following file path: /etc/systemd/system/
2. Open the tomcat.service file in an editor (vi/nano)
3. Append -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTS value in the unit's Environment= line (type the leading hyphen; it must be the ASCII "-" character)
4. Reload the unit definition and restart the Tomcat service: systemctl daemon-reload && systemctl restart tomcat
5. End-to-end testing can be carried out after the service restarts

Note: A patch will be released to permanently address the vulnerability. The -Dlog4j2.formatMsgNoLookups=true property is only honoured by Log4j 2.10.0 and later; for earlier 2.x versions the JndiLookup class must be removed from the log4j-core jar instead. Apache subsequently reported that this property is not a complete mitigation in some non-default configurations (CVE-2021-45046), so the workaround should be treated as interim only and the patch applied once released.
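The following POSIX shell script is an added example for verifying the workaround above; it is not part of Netrust's advisory or products. It assumes (not stated on this page) that the affected application's log4j-core jars sit somewhere under a directory passed as the first argument (for example the Tomcat webapps folder), that the Tomcat JVM is visible to ps with "catalina" in its arguments, and that unzip is installed. It reports each log4j-core jar with its version and whether JndiLookup.class is still inside, and then checks the command line of the running JVM for the option, flagging the case where the hyphen was pasted as the look-alike U+2010 character.

```shell
#!/bin/sh
# Added example, not Netrust's code: post-workaround checks for CVE-2021-44228.
# Assumptions (not from the advisory): log4j-core jars sit somewhere under the
# root passed as $1 (e.g. /opt/tomcat/webapps), the Tomcat JVM is visible to
# `ps` with "catalina" in its arguments, and `unzip` is installed.

# Split "2.14.1" or "2.0-beta9" into MAJOR MINOR PATCH (qualifier dropped).
parse_version() {
  v=${1%%-*}
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
  MAJOR=${1:-0}; MINOR=${2:-0}; PATCH=${3:-0}
}

# Version string taken from the jar file name, e.g. .../log4j-core-2.14.1.jar
version_from_jarname() {
  base=$(basename "$1" .jar)
  printf '%s\n' "${base#log4j-core-}"
}

# True for the CVE-2021-44228 range: Log4j 2.x below 2.15.0 (2.0-beta1..beta8
# are flagged too, conservatively). Log4j 1.x is out of scope for this CVE.
log4j_affected() {
  parse_version "$1"
  [ "$MAJOR" -eq 2 ] && [ "$MINOR" -lt 15 ]
}

# The formatMsgNoLookups switch only exists from 2.10.0 onward; older 2.x
# builds ignore it and need JndiLookup.class removed from log4j-core instead.
flag_supported() {
  parse_version "$1"
  [ "$MAJOR" -eq 2 ] && [ "$MINOR" -ge 10 ]
}

# True only if the JVM arguments contain -Dlog4j2.formatMsgNoLookups=true as a
# whole token with an ASCII hyphen-minus (the value itself is case-insensitive).
flag_in_cmdline() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups="[Tt][Rr][Uu][Ee]" "*) return 0 ;;
  esac
  return 1
}

# Detect the look-alike U+2010 hyphen that appears when the option is pasted
# from a formatted document: the JVM then treats the token as the main class
# name and the mitigation silently never takes effect.
has_unicode_hyphen() {
  uh=$(printf '\342\200\220')
  case "$1" in *"${uh}Dlog4j2.formatMsgNoLookups"*) return 0 ;; esac
  return 1
}

# Report every log4j-core jar under $1: version, affected or not, and whether
# JndiLookup.class is still inside (removing it is the mitigation for < 2.10).
scan_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    ver=$(version_from_jarname "$jar")
    if log4j_affected "$ver"; then status=AFFECTED; else status=fixed; fi
    if ! command -v unzip >/dev/null 2>&1; then
      jndi='(unzip not found)'
    elif unzip -l "$jar" 2>/dev/null | grep -q 'core/lookup/JndiLookup.class'; then
      jndi='JndiLookup present'
    else
      jndi='JndiLookup removed'
    fi
    note=''
    if [ "$status" = AFFECTED ] && ! flag_supported "$ver"; then
      note=' (flag ineffective on this version: remove JndiLookup.class)'
    fi
    printf '%s\t%s\t%s\t%s%s\n' "$status" "$ver" "$jndi" "$jar" "$note"
  done
}

# Check the running Tomcat JVM rather than the unit file or the service
# configuration dialog: what matters is the command line the process actually
# started with after the restart.
check_running_jvm() {
  cmd=$(ps -eo args= 2>/dev/null | grep -i '[c]atalina' | head -n 1)
  if [ -z "$cmd" ]; then echo 'no Tomcat JVM found in process list'; return 0; fi
  if flag_in_cmdline "$cmd"; then
    echo 'OK: -Dlog4j2.formatMsgNoLookups=true is set on the running JVM'
  elif has_unicode_hyphen "$cmd"; then
    echo 'FAIL: option present but with a non-ASCII hyphen; retype it'
  else
    echo 'FAIL: option missing from the running JVM'
  fi
}

if [ "$#" -gt 0 ]; then
  scan_jars "$1"
  check_running_jvm
fi
```

Run it as `sh log4j_check.sh /opt/tomcat/webapps` (path assumed) after the service restart. Log4j 2.10 and later also honour the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable as an equivalent switch; this script does not inspect the environment of the process, only its arguments.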
