Log4J2 Vulnerability to Zero-Day Exploit within CodeSonar and CodeSentry

Overview

GrammaTech has actively responded to the remote code execution vulnerability in the Apache log4j 2 Java library dubbed Log4Shell (or LogJam). We have investigated and taken action for GrammaTech products that may be potentially impacted, and as listed below we continually publish information to help customers detect, investigate and mitigate attacks, if any, to their GrammaTech products and services. 

CodeSonar's Java and .NET analyses use log4j. The possible attack vector would be through analysis of malicious Java or .NET code that has been crafted to take advantage of this vulnerability. It is important to note *no* network servers are affected.

CodeSonar 6.2

This release includes log4j 2.17.0 which resolves the threat posed by remote code execution and does not require any changes. 

CodeSonar 6.0 and 6.1

Customers not analyzing Java or .NET code (i.e., not running cs-java-scan or cs-dotnet-scan) are not affected. Such customers can delete codesonar-CodeSonar_DIR/csurf/lib/codesonarj-cli-pp/log4j-*.jar to silence complaints from vulnerability scanning tools, without fear of breaking CodeSonar.

Customers who are analyzing Java or .NET code should mitigate the risk by using a patched release of CodeSonar. If you are not using a patched installer, removing the JndiLookup and JndiManager classes from CodeSonar_DIR/csurf/lib/codesonarj-cli-pp/log4j-core.jar would eliminate the risk, but may or may not cause CodeSonar to experience errors.

CodeSonar 5.4 and earlier

With CodeSonar 5.4 and earlier, log4j is only used if cs-java-scan or cs-dotnet-scan is used with the '-julia-analyze' command line flag. To silence complaints from vulnerability scanning tools, one can delete codesonar-5.4p0/third-party/julia-tools/lib/log4j-*.jar and codesonar-5.4p0/third-party/julia-sarif/lib/log4j-*.jar. As long as '-julia-analyze' is not used, CodeSonar functionality will not be impaired.

If you are using Standalone CodeSonar 3.2 (Java/C#) or JuliaSoft 3.0, the advice is to move to a supported release of CodeSonar, namely 6.x. If you require assistance in upgrading, please submit a ticket.
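The two mitigations above (deleting the log4j-*.jar files where Java/.NET analysis is not used, and removing the JndiLookup and JndiManager classes from log4j-core.jar where it is) are easier to apply and audit when you first know which log4j jars an installation actually carries and which version each one is. The following script is an added example, not GrammaTech code: it walks an install directory, reads each log4j-*.jar's manifest version, maps it to the CVE status the article describes for that version, reports whether the two JNDI classes are present, and can strip them from a jar. It assumes the standard log4j 2 class paths for JndiLookup and JndiManager; the make_sample_install helper builds a throwaway tree with constructed dummy jars so the check runs offline.

```python
"""Inventory log4j jars under a CodeSonar install and report JNDI exposure.

Added example (not GrammaTech code). Assumes the standard log4j-core class paths
for JndiLookup and JndiManager; version thresholds follow the article's summary.
"""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entries the article says may be removed from log4j-core.jar as a last resort.
JNDI_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)

# Lowest version at which each status applies, checked from newest to oldest.
STATUS_BY_VERSION = [
    ((2, 17, 1), "current (no open log4j CVE listed in the article)"),
    ((2, 17, 0), "CVE-2021-44832: RCE via JDBC Appender if attacker controls configuration"),
    ((2, 16, 0), "CVE-2021-45105: infinite recursion in lookup evaluation"),
    ((2, 15, 0), "CVE-2021-45046: incomplete fix for CVE-2021-44228"),
    ((0, 0, 0), "CVE-2021-44228 (Log4Shell): JNDI lookup remote code execution"),
]


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); non-numeric suffixes are ignored, missing parts are 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def jar_version(jar_path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                return m.group(1)
    m = re.search(r"(\d+\.\d+(?:\.\d+)?)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None


def classify(version):
    """Map a version string to the article's CVE status for that release line."""
    if version is None:
        return "unknown version"
    v = parse_version(version)
    for floor, status in STATUS_BY_VERSION:
        if v >= floor:
            return status
    return "unknown version"


def jndi_classes_present(jar_path):
    """Return which of the two JNDI class entries the jar still contains."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
    return [c for c in JNDI_CLASSES if c in names]


def scan_install(root):
    """Walk an install directory and report every log4j-*.jar found under it."""
    report = []
    for jar_path in sorted(Path(root).rglob("log4j-*.jar")):
        version = jar_version(jar_path)
        report.append({
            "jar": str(jar_path.relative_to(root)),
            "version": version,
            "status": classify(version),
            "jndi_classes": jndi_classes_present(jar_path),
        })
    return report


def strip_jndi_classes(jar_path):
    """Rewrite the jar without the JndiLookup/JndiManager entries; returns what was removed.

    This is the article's last-resort mitigation for unpatched 6.0/6.1 installs and may
    cause CodeSonar's Java/.NET analysis to error, so prefer a patched installer.
    """
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in JNDI_CLASSES:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    shutil.move(str(tmp), str(jar_path))  # replace the original atomically within the dir
    return removed


def make_sample_install():
    """Build a constructed throwaway install tree with dummy jars (not real log4j bytecode)."""
    root = Path(tempfile.mkdtemp(prefix="codesonar-sample-"))
    lib = root / "csurf" / "lib" / "codesonarj-cli-pp"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.11.2.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.11.2\n")
        for cls in JNDI_CLASSES:
            jar.writestr(cls, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(lib / "log4j-core-2.17.1.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n")
    return root


if __name__ == "__main__":
    sample = make_sample_install()
    for entry in scan_install(sample):
        print(entry)
```

Point scan_install at a real CodeSonar_DIR to list the jars before deleting or stripping anything; a jar whose version is already 2.17.1 needs no action under the article's advice.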

Patched Installer Updates

Timelines for the patched releases are listed in the table below.

As per the Apache home page, the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. In version 2.16.0, Log4j disables access to JNDI by default, see CVE-2021-45046. Version 2.16.0 in turn does not always protect from infinite recursion in lookup evaluation, which is fixed in version 2.17.0, see CVE-2021-45105.

Version | Log4j Version | Release Timeline
CodeSonar 6.2 (New Release - source & binary) | p1 included 2.17.0; p2 included 2.17.1 | p2 released Friday 7th January 2022, which has superseded p1
CodeSonar 6.1 (source & binary) | p3 included 2.17.0 | p3 released Wednesday 22nd Dec 2021 and has superseded p2
CodeSonar 6.0 (for source only) | p2 included 2.17.0 | p2 released Thursday 23rd Dec 2021 and superseded p1
Versions earlier than 6.0 | 2.11.2 | Only active releases will be patched, see Product Support matrix


Downloading Updated Installers

Downloading CodeSonar for Source can be done here

Downloading CodeSonar for Binaries can be done here

Latest Log4j Updates

In version 2.17.0, a vulnerability to RCE via the JDBC Appender when an attacker controls the configuration was reported, see CVE-2021-44832, and the following advice is available to customers.

GrammaTech has carefully evaluated the risk of the most recently reported vulnerability in log4j. Based on the fact that the exploit requires elevated privilege and direct access to the configuration of log4j in CodeSonar, we have assessed the risk to our users as low. 

On Friday 7th January 2022, CodeSonar 6.2p2 was released which now includes log4j 2.17.1 and supersedes 6.2p1 which was released on Tuesday 21st December 2021. At this time no further patching will take place on any supported version of CodeSonar which includes 6.1p3 and 6.0p2. 

We will assess and update alternative strategies, and will update our plans for future remediation if there are any changes to log4j. 

If you have any other questions or concerns, please submit a ticket.

Article Change History

Modification Date | Changes Performed
12/13/2021 | Article created
12/15/2021 | Added "codesonar-5.4p0/third-party/julia-sarif/lib/log4j-*.jar." to CodeSonar 5.4 and earlier.
12/15/2021 | Added Patched Installer Updates Table.
12/15/2021 | Enabled comments to be added to article which will generate email notifications.
12/15/2021 | Added Article Change History Table.
12/16/2021 | Updated text under Patched Installer Updates. Further delays for CodeSonar patched installers but provisional date set for CodeSonar 6.1.
12/16/2021 | Timelines for 6.0/6.1/6.2 updated in Patched Installer Updates
12/17/2021 | Removed references to log4j v2.15.0 which will NOT be included in patched installers.
12/17/2021 | CodeSonar 6.1p2 is now available to download, see Patched Installer Updates
12/20/2021 | Apache Updates for log4j and revised timelines for patched/unpatched CodeSonar versions, see Patched Installer Updates
12/20/2021 | Added Downloading Updated Installers and CodeSonar 6.2p0 is now available for download, see Patched Installer Updates
12/21/2021 | CodeSonar 6.2p1 has superseded p0 and is now available for download, timelines for 6.1p3 and 6.0p2 have been added, see Patched Installer Updates
12/22/2021 | CodeSonar 6.1p3 has superseded p2 and is now available for download, timeline for 6.0p2 has been updated, see Patched Installer Updates
12/23/2021 | CodeSonar 6.0p2 has superseded p1 and is now available for download, see Patched Installer Updates. All supported versions of CodeSonar have now been patched with log4j 2.17.0.
12/23/2021 | Added CodeSonar 6.2
12/24/2021 | Revised wording across the article to ensure language is accurate because patched installers have now been completed for all supported releases of CodeSonar.
12/29/2021 | Apache Updates for log4j, see CVE-2021-44832 and 2.17.1 which was released on 12/28/2021. Currently assessing impact of new vulnerability and whether any changes are needed to CodeSonar supported versions.
1/5/2022 | Added Latest Log4j Updates in regards to log4j 2.17.1
1/5/2022 | Updated CodeSonar 5.4 and earlier in respect to Standalone CodeSonar 3.2 (Java/C#) and legacy Juliasoft customers.
1/7/2022 | CodeSonar 6.2p3 has superseded p2 and is now available for download, see Patched Installer Updates and Latest Log4j Updates
1/12/2022 | Minor language changes to Latest Log4j Updates explaining what updates will be made on strategy if there are any changes in log4j.


We recommend you follow the support advisory section and this article to receive email updates on when comments are added to this article.
