Mitigating the Log4j vulnerability (CVE-2021-44228) on DietPi


You may have heard of the critical security vulnerability CVE-2021-44228, which affects Java applications that use the Log4j library prior to v2.15.0 for logging. Here is how you can check whether one of your applications is affected, and how to mitigate the vulnerability.

In short, this vulnerability allows an attacker to execute harmful code on the victim's system: the Log4j library automatically pulls and executes it, e.g. from an attacker-controlled LDAP server. The attacker only needs to be able to directly or indirectly cause the Java application to log a message with a certain snippet embedded. If (HTTP) access details are logged, this could be done e.g. by a request with custom headers or a custom user agent.

First of all, DietPi itself, its core components and the underlying Debian system do not use Java or the Log4j library. But some of the software options in dietpi-software do. While we did not test whether an attacker is really able to trigger custom log entries, to be on the safe side we list all Java applications available in dietpi-software which use the affected Log4j library versions:

1. Airsonic

The Airsonic version installed via dietpi-software is generally affected. Sadly the project is unmaintained and hence it won’t be patched.
You can however migrate to a fork we are currently testing, which does not use Log4j for logging. It requires at least Debian Buster with Java 11. Run the following command to upgrade/migrate your Airsonic:

curl -fL "$(curl -sSfL 'https://api.github.com/repos/airsonic-advanced/airsonic-advanced/releases' | mawk -F\" '/"browser_download_url": .*\/airsonic\.war"/ && !found {print $4; found=1}')" -o /mnt/dietpi_userdata/airsonic/airsonic.war
systemctl restart airsonic

Update: As an alternative, with the original Airsonic you can mitigate the vulnerability with the commands below.
Update 2: A live patch is now available, run dietpi-update to review and apply it!

sed -i 's/8080 -jar/8080 -Dlog4j2.formatMsgNoLookups=true -jar/' /etc/systemd/system/airsonic.service
systemctl restart airsonic

2. Blynk Server

Blynk Server is affected, too. The issue has been reported to its maintainer with a Log4j dependency version bump proposed. Until the patch has been released, we recommend reducing logging to a minimum:
Update: You can mitigate the vulnerability with the commands below.
Update 2: A live patch is now available, run dietpi-update to review and apply it!

sed -i 's/java -jar/java -Dlog4j2.formatMsgNoLookups=true -jar/' /etc/systemd/system/blynkserver.service
systemctl restart blynkserver

Check out the pull request status to know when a patch has been released: https://github.com/Peterkn2001/blynk-server/pull/4
Update: A patched release is now available for all systems, but NOT for Stretch and ARMv6 RPi models (RPi 1 and Zero (1)). All others can now reinstall Blynk Server to apply the update:

dietpi-software reinstall 131

3. PaperMC

PaperMC has the issue fixed already with a release which uses Log4j v2.15.0. We hence recommend to update your PaperMC instance as fast as possible:

dietpi-software reinstall 181

4. Nukkit

The same is true for Nukkit, update it with the following command:

curl -fL 'https://repo.opencollab.dev/artifactory/maven-snapshots/cn/nukkit/nukkit/1.0-SNAPSHOT/nukkit-1.0-SNAPSHOT.jar' -o /usr/local/bin/nukkit/nukkit.jar
systemctl restart nukkit

5. MineOS / Minecraft

Minecraft servers, e.g. managed via MineOS, may generally be affected, too. As a rule of thumb, all Minecraft servers prior to v1.18.1 may be affected, hence we recommend updating them as fast as possible. Note that most Minecraft servers from v1.17 on require Java 16 or above, while Debian Buster natively provides only Java 11. This may be a good reason to upgrade your Buster system to Bullseye: https://dietpi.com/blog/?p=811

Update: If the Bullseye upgrade is not an option at this time, you can mitigate the vulnerability as well by passing the -Dlog4j2.formatMsgNoLookups=true Java command line option via the server's settings in the MineOS web interface. Further information has been provided by Mojang: https://www.minecraft.net/article/important-message--security-vulnerability-java-edition

6. Others

For any other installed Java application, given it is open source, you can check whether it is using Log4j and which version in its source code. In case of Airsonic we did it like that:

  1. Search the source code or repository for “log4j”: https://github.com/airsonic/airsonic/search?q=log4j
  2. This reveals that the library is used, and furthermore that the affected version 2.13.2 is in use.
  3. Java applications usually use a file named pom.xml which contains dependencies and their versions. In case of Airsonic it is defined here: https://github.com/airsonic/airsonic/blob/master/pom.xml#L93-L104

If the source code of one of your Java applications is not public, check its release notes for a recent release with an entry about Log4j; otherwise ask the maintainer about it, which at the same time informs them about this critical security vulnerability.
Additionally we collected some lists with affected applications and further notes about how to identify them as references below.

Update: If no update/patch is available for your affected application, you can mitigate the issue by starting it with a specific command line option:
-Dlog4j2.formatMsgNoLookups=true
I.e. start your application like that:

java -Dlog4j2.formatMsgNoLookups=true -jar /path/to/app.jar
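To turn the two checks above (which Log4j version an application bundles, and whether a service was started with the mitigation flag) into something you can run on a DietPi host, here is an added POSIX shell audit helper. It is example code written for this article, not part of DietPi or dietpi-software. It inspects the ExecStart= line of the systemd unit files that the sed commands above edit, reports whether the -Dlog4j2.formatMsgNoLookups=true flag is present, compares a Log4j version against a minimum fixed version (2.15.0 by default, as stated in the article; pass a higher one if you follow later advisories), and, if unzip is installed, lists the log4j-core jars bundled inside a jar or war file. The function names, the unit directory argument and the --scan switch are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not DietPi project code: audit Java systemd units for the
# Log4j mitigation flag and compare Log4j versions against a fixed release.

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Classify one unit file as "not-java", "mitigated" or "unmitigated".
# Only the first ExecStart= line is inspected (no multi-line ExecStart).
unit_log4j_status() {
    exec_line=$(sed -n '/^ExecStart=/{p;q;}' "$1")
    case "$exec_line" in
        *java*)
            case "$exec_line" in
                *"$MITIGATION_FLAG"*) echo mitigated ;;
                *) echo unmitigated ;;
            esac ;;
        *) echo not-java ;;
    esac
}

# Compare two dotted versions: returns 0 (true) when $1 >= $2.
# Non-numeric suffixes (e.g. "-beta9") are ignored; missing parts count as 0.
version_ge() {
    v1="$1.0.0"; v2="$2.0.0"   # pad so cut always finds three fields
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$v1" | cut -d. -f"$i"); a=${a%%[!0-9]*}; a=${a:-0}
        b=$(printf '%s\n' "$v2" | cut -d. -f"$i"); b=${b%%[!0-9]*}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print "fixed" or "vulnerable" for a Log4j version ($1) against a minimum
# fixed version ($2, default 2.15.0 as in the article; the closing comment
# notes 2.15.0 was later found incomplete, so raise it as advisories require).
log4j_status() {
    if version_ge "$1" "${2:-2.15.0}"; then echo fixed; else echo vulnerable; fi
}

# List log4j-core jars bundled inside a jar/war (e.g. under WEB-INF/lib/) and,
# for a log4j-core jar itself, the version from its Maven pom.properties.
# Requires unzip; prints nothing if the archive contains no Log4j core.
jar_log4j_core() {
    unzip -l "$1" 2>/dev/null | grep -o 'log4j-core-[0-9][0-9A-Za-z.-]*\.jar' | sort -u
    unzip -p "$1" 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties' 2>/dev/null \
        | sed -n 's/^version=//p'
}

# Walk all *.service files in a directory (default: the one the article's sed
# commands edit) and print "<status>\t<unit file>" per unit.
audit_units() {
    for f in "${1:-/etc/systemd/system}"/*.service; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(unit_log4j_status "$f")" "$f"
    done
}

# Usage: sh log4j-audit.sh --scan   (then e.g. jar_log4j_core /path/to/app.war)
if [ "${1-}" = '--scan' ]; then
    audit_units
fi
```

Units reported as "unmitigated" are the ones to patch with the sed pattern from the sections above or to update; "mitigated" only tells you the flag is set, not which Log4j version the jar ships, so pair it with jar_log4j_core where the application bundles its own copy.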

References

Basic information

Affected software lists

Scan your systems

About the author

MichaIng

DietPi Project lead (since Feb. 2019), main source code contributor, and the lead of the software improvements, DietPi Forum Administrator.

10 comments

  • Hey! Thanks for this post.
    Airsonic fix gave me “curl: (23) Failure writing output to destination”. So I downloaded the war file from “https://github.com/airsonic-advanced/airsonic-advanced/releases/download/11.0.0-SNAPSHOT.20211209065629/airsonic.war” and put it in “/mnt/dietpi_userdata/airsonic/”.

    Then I restarted the service, and it’s working. I cannot access it with my reverse proxy, but I’ll find a fix.

    • Thanks for testing. Btw, did the Airsonic default web player work OOTB for you? At least on a fresh install I always need to remove and recreate it once before it works, else trying to play or add anything to the query has no effect. One of the reasons why we didn’t migrate with dietpi-software yet.

      Ah yes that error is known since “mawk” breaks the output pipe once it found the URL, and “curl” does not like that. The URL however is then there already and the parent “curl” hence can do the download. I’ll adjust the syntax to avoid the error (and hence possible confusion).

      • Yep. Everything works out of the box (but it’s not a fresh install).
        I just need, like I said, to find a nginx reverse proxy conf that works for me.

    • Thanks for the hint. We have a request about it already: https://github.com/MichaIng/DietPi/issues/4285

      With “Airsonic-Advanced” we seek an in-place replacement for current Airsonic users, so a way that no data and configs are lost (or minimal), and where it is not required to rename all directories, the service etc ;).

      Navidrome however sounds like a pretty good alternative otherwise, which should be, thanks to Go, much lighter/faster and functional on all distro versions independent of any runtime system version, like Java in case of Airsonic.

  • UPDATE: We just found an effective way to mitigate the vulnerability for affected applications, by executing them with the “-Dlog4j2.formatMsgNoLookups=true” command line option. We added them to the article, updated our install options in dietpi-software for next release and will ship a live patch to have the fix offered to all our users.

  • After the vuln is before the vuln
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

    „It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. […] Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.“
