You may have heard of the critical security vulnerability CVE-2021-44228, which affects Java applications that use the Log4j library prior to v2.15.0 for logging. Here is how you can check whether one of your applications is affected, and how to mitigate the vulnerability.
In short, this vulnerability allows an attacker to execute harmful code on the victim’s system, automatically pulled and executed by the Log4j library, e.g. from an attacker-controlled LDAP server. The attacker only needs to be able to directly or indirectly cause the Java application to log a message with a certain snippet embedded. If (HTTP) access details are logged, this could be done e.g. by a request with custom headers or a custom user agent.
First of all, DietPi itself, its core components and the underlying Debian system do not use Java or the Log4j library. But some of the software options in dietpi-software do. While we did not test whether an attacker is really able to trigger custom log entries, to be safe rather than sorry, we list all Java applications available in dietpi-software which do use the affected Log4j library versions:
1. Airsonic
The Airsonic version installed via dietpi-software is generally affected. Sadly the project is unmaintained and hence it won’t be patched.
You can however migrate to a fork we are currently testing, which does not use Log4j for logging. It requires at least Debian Buster with Java 11. Run the following command to upgrade/migrate your Airsonic:
curl -fL "$(curl -sSfL 'https://api.github.com/repos/airsonic-advanced/airsonic-advanced/releases' | mawk -F\" '/"browser_download_url": .*\/airsonic\.war"/ && !found {print $4; found=1}')" -o /mnt/dietpi_userdata/airsonic/airsonic.war
systemctl restart airsonic
Update: As an alternative, with the original Airsonic you can mitigate the vulnerability with the commands below.
Update 2: A live patch is now available, run dietpi-update to review and apply it!
sed -i 's/8080 -jar/8080 -Dlog4j2.formatMsgNoLookups=true -jar/' /etc/systemd/system/airsonic.service
systemctl restart airsonic
2. Blynk Server
Blynk Server is affected, too. The issue has been reported to its maintainer with a Log4j dependency version bump proposed. Until the patch has been released, we recommend reducing logging to a minimum:
Update: You can mitigate the vulnerability with the commands below.
Update 2: A live patch is now available, run dietpi-update to review and apply it!
sed -i 's/java -jar/java -Dlog4j2.formatMsgNoLookups=true -jar/' /etc/systemd/system/blynkserver.service
systemctl restart blynkserver
Check out the pull request status to know when a patch has been released: https://github.com/Peterkn2001/blynk-server/pull/4
Update: A patched release is now available for all systems, but NOT for Stretch and ARMv6 RPi models (RPi 1 and Zero (1)). All others can now reinstall Blynk Server to apply the update:
dietpi-software reinstall 131
3. PaperMC
PaperMC has the issue fixed already with a release which uses Log4j v2.15.0. We hence recommend updating your PaperMC instance as fast as possible:
dietpi-software reinstall 181
4. Nukkit
The same is true for Nukkit, update it with the following command:
curl -fL 'https://repo.opencollab.dev/artifactory/maven-snapshots/cn/nukkit/nukkit/1.0-SNAPSHOT/nukkit-1.0-SNAPSHOT.jar' -o /usr/local/bin/nukkit/nukkit.jar
systemctl restart nukkit
5. MineOS / Minecraft
Minecraft servers, e.g. managed via MineOS, may generally be affected, too. As a rule of thumb, all Minecraft servers prior to v1.18.1 may be affected, hence we recommend updating them as fast as possible. Note that most Minecraft servers from v1.17 on require Java 16 or above, while Debian Buster natively provides Java 11 only. This may be a good reason to upgrade your Buster system to Bullseye: https://dietpi.com/blog/?p=811
Update: If the Bullseye upgrade is not an option at this time, you can mitigate the vulnerability as well by passing the -Dlog4j2.formatMsgNoLookups=true Java command line option with the server’s settings in the MineOS web interface. Further information has been provided by Mojang: https://www.minecraft.net/article/important-message--security-vulnerability-java-edition
6. Others
For any other installed Java application, provided it is open source, you can check in its source code whether it is using Log4j and which version. In the case of Airsonic we did it like this:
- Search the source code or repository for “log4j”: https://github.com/airsonic/airsonic/search?q=log4j
- This reveals that the library is used, and furthermore that the affected version 2.13.2 is used.
- Java applications usually use a file named pom.xml which contains dependencies and their versions. In the case of Airsonic it is defined here: https://github.com/airsonic/airsonic/blob/master/pom.xml#L93-L104
If the source code of one of your Java applications is not public, please check its release notes for a recent release with an entry about Log4j; otherwise ask the maintainer about it, which at the same time informs them about this critical security vulnerability.
Additionally, we collected some lists of affected applications, and further notes about how to identify them, as references below.
Update: If there is no update/patch available for your affected application, you can mitigate the issue by starting it with a specific command line option: -Dlog4j2.formatMsgNoLookups=true
I.e. start your application like that:
java -Dlog4j2.formatMsgNoLookups=true -jar /path/to/app.jar
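As an added example, not code from the DietPi article or project, here is a POSIX shell script that automates the checks this section describes: it reads the Log4j version a project’s pom.xml declares (also when it is given as a ${log4j.version} property, as in the Airsonic pom linked above), decides whether that version is below the 2.15.0 fix level named in the article, and checks whether a systemd unit’s ExecStart line already carries -Dlog4j2.formatMsgNoLookups=true. It assumes the usual groupId/artifactId/version element order inside the log4j dependency; the function names are mine, and the sample pom.xml and unit files at the bottom are constructed for the demo, not real project files.

```sh
#!/bin/sh
# Added example, not DietPi's own code. Automates the two checks from this section:
#  1. which Log4j version a project's pom.xml declares (literal or via a property),
#  2. whether a systemd unit already starts Java with -Dlog4j2.formatMsgNoLookups=true.
set -eu

# Print the version declared for the org.apache.logging.log4j dependency in a pom.xml.
# Assumes the usual groupId / artifactId / version order inside <dependency>; a
# value like ${log4j.version} is resolved from the <properties> block.
log4j_version_from_pom() {
    pom=$1
    ver=$(awk '/<groupId>org\.apache\.logging\.log4j<\/groupId>/ { inblk = 1 }
               inblk && /<version>/ { sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); print; exit }
               /<\/dependency>/ { inblk = 0 }' "$pom")
    case $ver in
        '${'*'}')
            # "${log4j.version}" -> "log4j.version", then look the property up
            prop=$(printf '%s' "$ver" | sed 's/^\${//; s/}$//')
            ver=$(sed -n "s|.*<$prop>\([^<]*\)</$prop>.*|\1|p" "$pom" | head -n 1)
            ;;
    esac
    printf '%s\n' "$ver"
}

# Succeed (exit 0) when a Log4j 2 version is below the 2.15.0 fix level the article
# names, fail otherwise. Pure parameter expansion, so no dependency on sort -V.
log4j_is_affected() {
    v=$1
    major=${v%%.*}
    v=${v#*.}
    minor=${v%%.*}
    minor=${minor%%[!0-9]*}                   # tolerate suffixes such as "0-beta9"
    [ "${major:-0}" = 2 ] || return 1         # CVE-2021-44228 concerns Log4j 2.x
    [ "${minor:-0}" -lt 15 ]
}

# Succeed when a systemd unit's ExecStart line carries the mitigation property.
unit_has_mitigation() {
    grep -Eq '^ExecStart=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# One-line verdict for an application, combining both checks.
report() {
    pom=$1; unit=$2
    ver=$(log4j_version_from_pom "$pom")
    if ! log4j_is_affected "$ver"; then
        printf 'log4j %s: not affected by the pre-2.15.0 issue\n' "${ver:-<none found>}"
    elif unit_has_mitigation "$unit"; then
        printf 'log4j %s: affected, but %s already passes -Dlog4j2.formatMsgNoLookups=true\n' "$ver" "$unit"
    else
        printf 'log4j %s: AFFECTED and %s has no mitigation flag: update or add the option\n' "$ver" "$unit"
    fi
}

# --- constructed sample input (made up for this example, not real project files) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/pom.xml" <<'EOF'
<project>
  <properties>
    <log4j.version>2.13.2</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
EOF
printf '[Service]\nExecStart=/usr/bin/java -Xmx512m -jar /opt/app/app.jar\n' > "$demo_dir/app.service"
printf '[Service]\nExecStart=/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/app/app.jar\n' > "$demo_dir/mitigated.service"

report "$demo_dir/pom.xml" "$demo_dir/app.service"
report "$demo_dir/pom.xml" "$demo_dir/mitigated.service"
```

To use it on a real system, point `report` at the application’s pom.xml (or the version you found in its release notes, via `log4j_is_affected`) and at its unit file under /etc/systemd/system, as the sed commands above do for airsonic.service and blynkserver.service.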
References
Basic information
- GitHub, vulnerability description: Remote code injection in Log4j
Affected software lists
- GitHub, affected applications list: BlueTeam CheatSheet * Log4Shell*
- GitHub, affected applications list: authomize/log4j-log4shell-affected
- Rumble: Finding applications that use Log4J
Scan your systems
- InfoWorld: How to detect the Log4j vulnerability in your applications
- VentureBeat: How to detect whether you have the Log4j2 vulnerability
- MSSP Alert: Log4j Vulnerability Scanners and Detection Tools: List for MSSPs and Threat Hunters – List of Log4j vulnerability scanner tools that allow MSPs and MSSPs to find & remediate the Log4j vulnerability
- LOGIN TechBlog (German language): Log4j Scanner auf dem Raspberry Pi unter Raspberry Pi OS / DietPi / Ubuntu einrichten
Hey! Thanks for this post.
Airsonic fix gave me “curl: (23) Failure writing output to destination”. So I downloaded the war file from “https://github.com/airsonic-advanced/airsonic-advanced/releases/download/11.0.0-SNAPSHOT.20211209065629/airsonic.war” and put it in “/mnt/dietpi_userdata/airsonic/”.
Then I restarted the service, and it’s working. I cannot access it with my reverse proxy, but I’ll find a fix.
Thanks for testing. Btw, did the Airsonic default web player work OOTB for you? At least on a fresh install I always need to remove and recreate it once before it works, else trying to play or add anything to the query has no effect. One of the reasons why we didn’t migrate with dietpi-software yet.
Ah yes, that error is known, since “mawk” breaks the output pipe once it has found the URL, and “curl” does not like that. The URL however is then there already and the parent “curl” hence can do the download. I’ll adjust the syntax to avoid the error (and hence possible confusion).
Yep. Everything works out of the box (but it’s not a fresh install).
I just need, like I said, to find a nginx reverse proxy conf that works for me.
Good to know, so it’s an issue with the default player added on a fresh install of Airsonic-Advanced only.
Navidrome (https://github.com/navidrome/navidrome/) is a maintained alternative to Airsonic that also implements the Subsonic API. I like it a lot better.
Thanks for the hint. We have a request about it already: https://github.com/MichaIng/DietPi/issues/4285
With “Airsonic-Advanced” we seek an in-place replacement for current Airsonic users, so a way that no data and configs are lost (or minimal), and where it is not required to rename all directories, the service etc ;).
Navidrome however sounds like a pretty good alternative otherwise, which should be, thanks to Go, much lighter/faster and functional on all distro versions independent of any runtime system version, like Java in case of Airsonic.
Oh yes please add navidrome! It looks like a very good alternative!
UPDATE: We just found an effective way to mitigate the vulnerability for affected applications, by executing them with the “-Dlog4j2.formatMsgNoLookups=true” command line option. We added them to the article, updated our install options in dietpi-software for the next release and will ship a live patch to have the fix offered to all our users.
Update 2: Live patches for mitigating the vulnerability on Airsonic and Blynk Server have been merged. Run “dietpi-update” to review and apply them: https://github.com/MichaIng/DietPi/pull/5077
After the vuln is before the vuln
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
“It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. […] Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.”