Azzera filtri
Azzera filtri

Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab?

161 visualizzazioni (ultimi 30 giorni)
Regarding the Apache Log4j Vulnerability CVE-2021-44228. How does it affect these software products:
  1. Regular locally installed Matlab (Mac, PC, and Linux). All versions : current, plus old/historical.
  2. MATLAB online (web-based version of MATLAB)
  3. The MATLAB MCR runtime library (needed to run standalone executables someone compiled with the MATLAB Compiler Toolbox)
  4. Installers for any Mathworks software product.
MATLAB uses log4j < v2.15
Will you provide a patch, if one is needed?
  6 Commenti
Craig Richardson
Craig Richardson il 29 Gen 2024
Is this still the case in 2024? Are there still no versions of Matlab that are affected by log4j?
If so, please release an updated document that reflects that information.

Accedi per commentare.

Risposta accettata

Sebastian
Sebastian il 14 Dic 2021
Modificato: Sebastian il 20 Dic 2021
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
  • CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
  16 Commenti
Jürgen
Jürgen il 22 Dic 2021
Modificato: Jürgen il 22 Dic 2021
How can I find out, whether my applications utilize any of the earlier versions.
If I remove it – how can I find out that my software will not utilize this functionality under yet unforeseen conditions?
The question turns out, to be related to another question I asked myself last week:
How can I find out the code-dependencies in my ‘projects’.
In previous obligations where I used more classical languages the underlying project tool and the necessity to compile ensured such structural coverage at least to my expectations as device-engineer/physicist. Additional code analyzer tools could be used to visualize and track it graphically.
Could anyone give me an advice what the best way is, to do it with Matlab. I know several options in Matlab, but maybe not deeply enough. Maybe there is a ‘good all in one’ overview-article how to do it in the latest releases – to get a good project-feeling?
Walter Roberson
Walter Roberson il 23 Dic 2021
Mathworks tells me that I can check the log4j version by cd'ing matlabroot and using
unzip -p java/jarext/*log4j*.jar META-INF/MANIFEST.MF
Based upon the checks I did (with the toolboxes I have), it looks to me as if ROS (Robot Operating System) actively uses log4j, and that genicam drivers do as well. Beyond that... well, I am concerned about the toolbox/parallel/bin/util/msa_pct.ini which might be implying that some or all of Parallel Computing Toolbox relies upon the utility.

Accedi per commentare.

Più risposte (3)

QMA
QMA il 14 Dic 2021
FYI.. when you download the latest version for installation, there is reference to log4j in 2021b:
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.enc
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.xml
  3 Commenti
Walter Roberson
Walter Roberson il 14 Dic 2021
/3p means "Third party". So some third party product might include it.
Walter Roberson
Walter Roberson il 15 Dic 2021
Modificato: Walter Roberson il 15 Dic 2021
That log4j_common is responsible for installing
filename = fullfile(matlabroot, 'java', 'jarext', 'log4j.jar')
ls(filename)
References in files that I found on my system. I do not have all toolboxes and official support packages installed, so there might be additional instances
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros=INFO
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros.roscpp.superdebug=WARN
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: dir="${rsrc}/log4j"
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: includes="log4j.properties" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j.properties"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="org/apache/log4j/**"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4j.rootCategory=ERROR, Console
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console=org.apache.log4j.ConsoleAppender
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console.layout=org.apache.log4j.PatternLayout
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "package" : "org.apache.log4j",
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "org.apache.log4j"
./mcr/toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
I think the .json is just for code completion suggestion purposes, rather than being an invocation of the code.
sys/ros1 is part of ROS (Robot Operating System) toolbox, https://www.mathworks.com/help/ros/index.html
Genicam is a camera interface, https://www.mathworks.com/help/imaq/genicam-gentl-hardware.html . I do not have the Image Acquistion Support Package for GeniCam Interface installed, but I still have those driver files.
I just opened a support case reporting these files.

Accedi per commentare.


Shahed Sherkat
Shahed Sherkat il 18 Dic 2021
How about vulnerabulut to CVE-2021-4104 ?
I have found 4 potentially vulnerable files in my Matlab R2017b.
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\aps_impl\pubsub_impl_java\pubsub_impl.jar, log4j 1.2.17
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\lais_server_impl\lais_server_impl.jar, log4j N/A - potentially vulnerable
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\log4j.jar, log4j 1.2.15
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\mcr\toolbox\matlab\connector\jar\3p.jar, log4j 1.2.17
Please adivce.
Thanks,
Shahed
  4 Commenti
Walter Roberson
Walter Roberson il 11 Gen 2022
I don't think the US government has any authority in my country. I am not even clear that it has the authority to require such a thing inside the USA.
It does plausibly have authority to tell US Federal Government departments and US Federal Government Contractors that they must remove such software for security reasons.
Nicholas Clark
Nicholas Clark il 18 Feb 2022
In addition to CVE-2021-4104, now potentially included are: CVE-2019-17571, CVE-2020-9488, and CVE-2022-23302.

Accedi per commentare.


Steve Peppas
Steve Peppas il 25 Mar 2022
Modificato: Steve Peppas il 25 Mar 2022
Hey guys, i have found a convenient "hack" to mitigate the log4j vulnerability if you feel unsafe like me. Here is what i did:
1) Downloaded log4j-core-2.17.2 and added it to matlab/java/jarext folder.
2) Added it to the classpath.txt which is found in matlab/toolbox/local.
3) Deleted the previous log4j.jar in matlab/java/jarext.
4) Downloaded the log4j-1.2-api-2.17.2 logging bridge, added it to matlab/java/jarext and renamed it to log4j.jar
5) Last, downloaded the log4j-api-2.17.2, copied the logging folder in it and put it at the above log4j.jar in org.apache path.
I am using Ubuntu 20.04.4 OS.
  3 Commenti
Vincent Sherart
Vincent Sherart il 19 Set 2022
Please excuse the java noob question, but I know very little about java programming. On the last step above, step 5, I get as far as using the jar utility to extract the contents fo the log4j-api*jar file, but I'm confused about section that says put logging folder above log4j.ar in org.apache path. Can someone provide more detail on this step?
For example, if I have MATLAB installed in /opt/MATLAB/R2021a, does the logging directory go somewhere in the /opt/MATLAB/R2021a/java dir structure?
Thanks,
Vince
Steve Peppas
Steve Peppas il 20 Set 2022
Hey Vince, every .jar file is like a .zip file, meaning you can extract the files, copy and paste them.
So, for Step 5, copy the logging folder inside log4j-api-2.17.2.jar and paste it in the (new) log4j.jar in org/apache path inside log4j.jar.
Hope this is clear enough.

Accedi per commentare.

Categorie

Scopri di più su Startup and Shutdown in Help Center e File Exchange

Prodotti


Release

R2019b

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by