
Vaadin and remote code injection in Log4j

By Sami Ekblad · On Dec 17, 2021 9:45:23 AM


You should have heard about the log4j security issue by now. Vaadin itself and typical Vaadin applications are not affected by the recent log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). But we felt that it is important to summarize and reflect on what these vulnerabilities may mean for Vaadin users.

When we learned of the issue, we got busy and went through all our public examples, scanned a number of third-party add-ons in the Vaadin Directory for vulnerabilities, and updated logging in some of our internal systems.

We didn't send out a security advisory because this is a third-party issue that cannot be fixed directly by upgrading your Vaadin version. However, we wanted to share some general information and pointers to help you check for the issue in your own projects.

What was the problem?

The problem is in log4j 2, which is used as a transitive dependency in many Java and Vaadin applications. An improperly protected JNDI feature allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

The most visible finding was Spring Boot, which is often used together with Vaadin. It includes the affected dependency, but applications are still not vulnerable unless they have explicitly changed the default logging configuration.

Mitigation in your projects

To fix the issue in your Java project, upgrade the log4j dependency to version 2.16.0. Older log4j 1.x versions are not affected by this remote code execution vulnerability.

You can find the instructions for Spring Maven and Gradle projects on the Spring Blog.

If you cannot build a new version of your application, you can instead mitigate the problematic behavior at runtime. You can find detailed instructions on the log4j security page.
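As an added check that is not part of the original post: a small Python script that reads `mvn dependency:tree` output and flags any log4j-core 2.x older than the 2.16.0 version named above, while treating the 1.x line as not affected. The sample tree lines are constructed for illustration, not taken from a real project.

```python
import re
from typing import Iterable, List, Tuple

# Version the post tells you to upgrade to; any 2.x below it is flagged.
SAFE_VERSION = (2, 16, 0)

# Matches the artifacts that matter in `mvn dependency:tree` output, e.g.
#   [INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
#   [INFO] \- log4j:log4j:jar:1.2.17:compile          (the old 1.x line)
# log4j-api alone does not carry the JNDI lookup, so it is deliberately not matched.
LOG4J_LINE = re.compile(
    r"(?P<ga>org\.apache\.logging\.log4j:log4j-core|log4j:log4j):jar:(?P<version>[^:\s]+)"
)

def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.16' -> (2, 16, 0); qualifiers such as '-beta9' are dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    parts = [int(p) for p in m.groups() if p is not None] if m else [0]
    return tuple((parts + [0, 0, 0])[:3])  # pad so '2.16' is not ranked below '2.16.0'

def classify(version: str) -> str:
    v = parse_version(version)
    if v[0] == 1:
        return "not-affected"  # log4j 1.x is not affected by this RCE, as the post notes
    return "vulnerable" if v < SAFE_VERSION else "fixed"

def find_log4j(tree_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, status) for every log4j hit, in tree order."""
    findings = []
    for line in tree_lines:
        m = LOG4J_LINE.search(line)
        if m:
            findings.append((m.group("ga"), m.group("version"), classify(m.group("version"))))
    return findings

def needs_upgrade(tree_lines: Iterable[str]) -> bool:
    return any(status == "vulnerable" for _, _, status in find_log4j(tree_lines))

# Constructed sample of dependency:tree output (not captured from a real project).
SAMPLE_TREE = [
    "[INFO] +- com.vaadin:vaadin-spring-boot-starter:jar:14.7.6:compile",
    "[INFO] |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile",
    "[INFO] |     +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile",
    "[INFO] |     |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile",
    "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    "[INFO] \\- log4j:log4j:jar:1.2.17:compile",
]

if __name__ == "__main__":
    for ga, version, status in find_log4j(SAMPLE_TREE):
        print(f"{status:13} {ga}:{version}")
    print("upgrade needed:", needs_upgrade(SAMPLE_TREE))
```

Pipe the real output in with `mvn dependency:tree | python check_log4j.py` after swapping the constructed sample for `sys.stdin`; the Spring Boot default logging chain in the sample (log4j-to-slf4j plus log4j-api, no log4j-core) is intentionally not reported.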

In Summary

As mentioned, Vaadin projects do not use log4j by default, but you may have brought it into your projects intentionally or unintentionally. If you are using log4j, upgrade to a safe version. If you ever have any questions about Vaadin application security, it is always good to ask our experts.

Let us know how things are going

We are interested in how your week has been. Did you find anything in your systems? Are you interested in receiving advisories for third-party issues like these directly from us in the future? Do you follow other channels for security updates? We are discussing this and other matters in our Discord channel, so jump in and chat with us there and we can be sure to keep you up to date via whatever channel(s) work best for you.


Sami Ekblad is one of the original members of the Vaadin team. As a DX lead he is now working as a developer advocate, helping people get the most out of Vaadin tools. You can find many of his add-ons and code samples to help you get started with Vaadin. Follow him at @samiekblad.