A zero-day exploit has been reported against the Apache logging library — Log4j – that can allow an attacker to remotely execute code. This vulnerability has been reported with the highest criticality ranking of 10/10 and requires immediate attention to mitigate the risk.
At this time, CANARIE’s CAF infrastructure supporting eduroam and Federated Identity Management (FIM) is not affected. All systems have been patched and we are working closely with our Cybersecurity team to monitor all potential impacts. Given the severity of the Log4J2 vulnerability, we advise you to apply all current patches and follow the recommendations below.
This is a dynamic situation and guidance may adjust as the global identity and access management community learns more and findings are shared.
Recommended Action
The vulnerable Log4j2 library (v.2.0 to v.2.14.1) is present in the log4j-core.jar. This must be updated immediately to version v2.16.0 or newer.
For more information on the risks associated with Log4j, review the details at log4shell.com.
Current Status of CAF Services
Federated Identity Management (FIM)
Shibboleth IdP / SP software components: Not affected
Reference: https://shibboleth.net/pipermail/announce/2021-December/000253.html
ADFS and ADFSToolkit: Not affected
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Supporting Web Servers
Tomcat: May be affected, depending on age and configuration. Recommendation: Scan and remediate.
If you rely on the Shibboleth IdP Docker Container built by Internet2 Trusted Access Platform Release, upgrade to at least i2incommon/shib-idp:4.1.4_20211214 that has Log4J v2.16.
Jetty 9.4: Likely not affected.Recommendation: To be safe, scan.
Endorsed IdP Platforms
Apereo CAS: Versions 6.3+ are affected. Recommendations: Immediately mitigate by updating to the latest versions (at the time of writing) of each branch of CAS:
- 6.3.x – Modify your CAS overlay to point to Version 6.3.7.2.
- 6.4.x – Modify your CAS overlay to point to Version 6.4.4.
See: https://apereo.github.io/2021/12/11/log4j-vuln/ for additional details.
SimpleSAMLPHP: Does not appear to be affected (not Java-based)
SATOSA: Does not appear to be affected (not Java-based)
eduroam
We are not aware of any impact on RADIUS servers supporting eduroam (Radiator, FreeRADIUS, Microsoft NPS). However, while these servers may be unaffected, your platform to manage them or the tools you use for retaining and managing log data may be vulnerable. Recommendation: Please review your Wi-Fi platform vendor’s status for their state as they may require updating.
What does remediation look like?
Please co-ordinate your efforts with your Chief Information Security Officer (CISO) and/or cybersecurity leads to review where Log4j may exist.
Note that while Log4j may be a file on disk in the form of log4j-core#.#.#.jar, it may also be contained within the WAR and EAR distributions (zipped compressed). This means scanning for just the file “log4j-core\*.jar” may work on the command line, but it won’t detect it inside these compressed files.
As you scan, review systems for updates and bring them current to the latest software versions via auto-updates; yum for CentOS, and apt for Ubuntu/Debian. Restart the services for the new files to take effect.
Keep Up to Date to Keep Secure.
- Keep your systems current with the latest patches.
- For Log4j, we recommend tracking this site: https://logging.apache.org/log4j/2.x/security.html for the latest information.
- Implement the CanSSOC Threat Feed, funded for eligible research and education organizations through our Cybersecurity Initiatives Program. If you’re unsure whether your organization has access to the Threat Feed, contact the CanSSOC team at [email protected]; they are providing temporary access to the Threat Feed and/or their Slack to any institution that makes a request.
- The CanSSOC Analyst team and community members are providing regular updates via their Slack channel
- The Threat Feed is being updated with threat indicators as they are published via open-source resources and through disclosure from institutions.
- Subscribe to the information or announcement lists of key software components.
Support
- Please visit our support page.
- Engage with identity & access management colleagues on the CAF Slack channel
Additional References:
Internet community list of products and releases pertaining to Log4j2:
- https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Microsoft’s response/comments on the Log4J issue:
Microsoft 365 Defender Threat Intelligence Team: