Question
Andy Stobirski · Dec 13, 2021

Log4Shell Apache exploit / Intersystems products

Hi everyone

I see that a new Apache bug has been discovered, and since various InterSystems products use an Apache webserver, have Intersystems released any news or updates on this? I'm not seeing any updates, press releases from them. Anyone know anything?

Andy

Product version: IRIS 2021.2

The Apache HTTP Server is not written in Java (See this StackExchange post)

The security exploit refers to a very popular Java logging implementation, log4j. Log4j is published under the Apache Foundation's name, but is not to be confused with the Apache HTTP server (also called httpd occasionally).

That said, you might want to check if you are using any Java libraries in your InterSystems products via the Java gateway - and if they are bundled with log4j for logging. Also check whether you have log4j directly in your Java classpath. What you are looking for is the log4j.jar.

If you want to check a library, you can download the jar of the library and open it with 7zip or similar tools, then take a look and check if it contains log4j.jar. If it does, you should get in touch with the creator of the library.

Disclaimer: I am not part of InterSystems, this is of course not an official statement. I am just a Java developer that had to deal with this today a bit!

We got an answer from ISC:

====
IRIS and Cache do use log4j but our products do not include versions affected by this vulnerability. This vulnerability affects versions from 2.0-beta9 to 2.14.1. The log4j versions used in Cache and IRIS products are based on version 1.x of log4j, which is not affected by this issue.
====


But of course one can use Log4j 2.* in your own Java applications.

I'm surprised you got an answer as I was unable to get one over the weekend until ISC makes any official statement. However, re: the 1.x comment:

2031667 – (CVE-2021-4104) CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (redhat.com)

The only usage of log4j I could find within an ISC platform was on Clinical Viewer. Curious if you could share where it is otherwise seen as being used? Maybe compiled into one of their own libraries and not directly exposed however.

I'll just repost @Dmitry Maslennikov's grep from the community discord here, which might give you a hint where to look until ISC updates the official statement:

$ grep -ir log4j /usr/irissys/
/usr/irissys/lib/RenderServer/runwithfop.bat:rem set LOGCHOICE=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
Binary file /usr/irissys/dev/java/lib/h2o/h2o-core-3.26.0.jar matches
Binary file /usr/irissys/dev/java/lib/uima/uimaj-core-2.10.3.jar matches
Binary file /usr/irissys/dev/java/lib/1.8/intersystems-integratedml-1.0.0.jar matches
Binary file /usr/irissys/dev/java/lib/1.8/intersystems-cloudclient-1.0.0.jar matches
Binary file /usr/irissys/dev/java/lib/1.8/intersystems-cloud-manager-1.2.12.jar matches
Binary file /usr/irissys/dev/java/lib/datarobot/datarobot-ai-java-2.0.8.jar matches
/usr/irissys/fop/fop:# LOGCHOICE=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
/usr/irissys/fop/fop.bat:rem set LOGCHOICE=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
Binary file /usr/irissys/fop/lib/commons-logging-1.0.4.jar matches
Binary file /usr/irissys/fop/lib/avalon-framework-impl-4.3.1.jar matches
/usr/irissys/fop/lib/README.txt:    (Logging adapter for various logging backends like JDK 1.4 logging or Log4J)
Binary file /usr/irissys/fop/lib/pdfbox-app-2.0.21.jar matches

That's interesting!

@Dmitry Maslennikov posted a quick grep on the community discord and found a few occurrences in the machine learning and fop parts.

So I guess these parts are those that might potentially be affected - but actually not, since they are still log4j v1!

You can also open your log4j.jar as you would a zip file, go to the META-INF folder, open MANIFEST.MF and look for "Implementation-Version" to see which version of log4j it is.
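As an added example (not code from this thread, from InterSystems or from the log4j project), here is the MANIFEST.MF check above combined with the earlier advice to look for log4j bundled inside other libraries: it walks an install tree, opens every .jar as a zip, reads Implementation-Version, tells the 1.x class layout from a 2.x core jar, and recurses into jars nested in jars. The marker class names and the demo jars it builds are assumptions constructed for the example.

```python
import io
import os
import zipfile

LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # class layout of the log4j 1.x line
LOG4J2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # present in log4j 2.x core jars

def manifest_version(zf):
    # Implementation-Version from META-INF/MANIFEST.MF, or None when the jar carries none
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    found = [ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("Implementation-Version:")]
    return found[0] if found else None

def inspect_jar(data, path):
    # Yield (path, log4j line, version) for this jar and for any jar bundled inside it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        line = "log4j-2.x-core" if LOG4J2_MARKER in names else "log4j-1.x" if LOG4J1_MARKER in names else None
        if line:
            yield (path, line, manifest_version(zf))
        for name in names:
            if name.endswith(".jar"):
                yield from inspect_jar(zf.read(name), path + "!" + name)

def scan_tree(root):
    # Walk an install tree (e.g. /usr/irissys) and inspect every .jar by content, not just by file name
    findings = []
    for dirpath, _, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in sorted(files) if f.endswith(".jar")):
            with open(full, "rb") as fh:
                findings.extend(inspect_jar(fh.read(), full))
    return findings

def make_jar(version, entries):
    buf = io.BytesIO()  # constructed fixture: a minimal zip with a manifest and empty entries, not a real log4j jar
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % version)
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

def build_demo_tree(root):
    # Constructed fixtures: a 1.x jar and an app jar that bundles a 2.x core jar, the case the reply above warns about
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    core2 = make_jar("2.14.1", [(LOG4J2_MARKER, b"")])
    jars = {"log4j-1.2.17.jar": make_jar("1.2.17", [(LOG4J1_MARKER, b"")]),
            "app-1.0.jar": make_jar("1.0", [("com/example/App.class", b""), ("lib/log4j-core-2.14.1.jar", core2)])}
    for name, content in jars.items():
        with open(os.path.join(root, "lib", name), "wb") as fh:
            fh.write(content)
```

Running scan_tree over a real install lists each jar (or nested jar) that carries log4j classes together with its manifest version, so a 1.x hit can be told apart from a 2.x core jar in the affected range.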