You should have heard about the log4j security issue by now. Vaadin or typical Vaadin applications are not affected by the recent log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). But we felt that it is important to summarize and reflect what these vulnerabilities may mean for Vaadin users.
When we learned of the issue, we got busy and went through all our public examples, scanned a number of third-party add-ons in the Vaadin Directory for vulnerabilities, and updated logging in some of our internal systems.
We didn't send out a security advisory because this is a third-party issue that cannot be directly fixed by upgrading your Vaadin version. However, we wanted to share some general information and pointers to help you check the issue in your projects.
What was the problem?
The problem is log4j 2 that is used as a transitive dependency in many Java and Vaadin applications. An improperly protected JNDI feature allows an attacker to control log messages or log message parameters to execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
The most visible finding was Spring Boot, often used together with Vaadin. It includes the affected dependency, but applications are still not vulnerable unless they specifically configured the default logging.
Mitigation in your projects
To fix the issue in your Java project, you should upgrade the log4j dependency to version 2.16.0. Older log4j 1.x versions are not affected by this remote code execution vulnerability.
You can find the instructions for Spring Maven and Gradle projects by following the instructions on the Spring Blog.
If you cannot build a new version of your application, you can mitigate this problematic behavior at runtime. You can find detailed instructions on the log4j security page.
In Summary
As mentioned, Vaadin projects are not by default using log4j, but you may have used it in your projects intentionally or unintentionally. If you are using log4j, upgrade to a safe version. If you ever have any questions about Vaadin application security, it is always good to ask our experts.
Let us know how things are going
We are interested in how your week has been. Did you find something in your systems? Are you interested in receiving advisories for third-party issues like these from us directly in the future? Do you follow other channels for security updates? We are discussing this and other matters in our Discord channel - jump in and chat with us there, so we can be sure to keep you up to date via whatever channel[s] work best for you.
References
- Vendor advisory: https://logging.apache.org/log4j/2.x/security.html
- Vendor advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Vendor advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- Blog: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
- Blog: https://www.lunasec.io/docs/blog/log4j-zero-day/#who-is-impacted
- PoC: https://github.com/tangxiaofeng7/apache-log4j-poc
- Artifacts using Log4j: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages
- PR: https://github.com/apache/logging-log4j2/pull/608