Dear CBA Live Assist customers and partners,
On Thursday, December 9, 2021, a critical-severity vulnerability (CVE-2021-44228, CVSS base score 10.0) in Apache Log4j 2, a widely used Java logging library, was disclosed publicly. It is a remote code execution flaw triggered through the library's JNDI lookup feature and affects Apache Log4j 2 versions 2.0-beta9 through 2.14.1.
We have confirmed that CVE-2021-44228 does not affect the following CBA products, which use Log4j version 1.2.16 (the 1.x branch does not contain the JNDI lookup feature that this vulnerability exploits):
- Fusion Application Server (all versions)
- Fusion Client SDK (all versions)
- Live Assist Core (all versions)
We are still assessing the impact of this vulnerability on all versions of Fusion Media Broker and will notify customers as the assessment progresses.
For details on the vulnerability, kindly see: https://logging.apache.org/log4j/2.x/security.html
If you require further information, please contact us at support@cbaliveassist.com.
Thank you,
Communication Business Avenue, Inc
Update 14th Dec 2021
CBA has confirmed that Fusion Media Broker uses Log4j 2.0 and is affected by CVE-2021-44228. We are actively working on a fix and will release a patch to mitigate this vulnerability within a couple of days.
We will update this post with more information as soon as it becomes available. If you have any questions, please contact us at support@cbaliveassist.com.
Update 15th Dec 2021
Workaround
CBA is actively responding to the remote code execution vulnerability in the Apache Log4j 2 Java library, dubbed Log4Shell (also reported under the name LogJam). To reduce exposure to CVE-2021-44228 until the security patch can be applied, customers should consider the following mitigation. Note what it does and does not do: Log4j only formats a message, and therefore only evaluates the vulnerable lookup, for log statements whose level is enabled, so raising the threshold to INFO removes attacker-supplied strings that reach the log only at DEBUG level. Any string logged at INFO or above remains exploitable, so the patch must still be applied.
Change the logging level of the Media Broker log from DEBUG to INFO. Perform these steps with the same user account that was used for the original installation (adjust the FCSDK-3.3.12 path to your installed version):
cd /opt/cafex/FCSDK-3.3.12/media_broker/rtp-proxy-template
cp log4j2-async.xml log4j2-async.xml.bak   # back up the original file first
vi log4j2-async.xml
In the editor, change every level="debug" attribute to level="info" and save the file. A service restart is required for the change to take effect:
service fusion_media_broker restart
If you have multiple Media Brokers in a cluster, you can change the logging level by executing the following script on each MB (save it as mediabroker_log_level_to_info.sh and give it executable permission with chmod +x):
#!/bin/bash
# Lowers the Media Broker log level from debug to info in every FCSDK
# installation found under /opt/cafex, backing up each file first.
set -u
echo "****************************************************************"
echo "This script will change the log level of the MediaBroker log"
echo "****************************************************************"
for file_path in /opt/cafex/*/media_broker/rtp-proxy-template/log4j2-async.xml; do
    # bash leaves an unmatched glob as a literal string; skip it instead of editing a non-existent file.
    [ -f "$file_path" ] || continue
    echo "$file_path"
    cp "$file_path" "${file_path}.backup"
    # The I flag makes GNU sed match level="debug" and level="DEBUG" alike.
    sed -i -e 's/level="debug"/level="info"/gI' "$file_path"
done
echo "process finished"
A service restart is required for the changes to take effect.
service fusion_media_broker restart
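As an added illustration (not CBA's script and not part of the original advisory), the following Python performs the same level change in an XML-aware way: it lowers every logger that is more verbose than INFO (TRACE, DEBUG or ALL, in any letter case) and reports which loggers it touched, so you can confirm that nothing is still at DEBUG before restarting the service. The configuration embedded in it is constructed for the example; the element names (AsyncLogger, AsyncRoot, Logger, Root) are standard Log4j 2 configuration elements, but CBA's real log4j2-async.xml may differ.

```python
"""Added example: XML-aware version of the log-level workaround.

Lowers every logger whose level is more verbose than INFO to INFO and
reports what changed. SAMPLE_CONFIG is constructed for this example and is
not CBA's real log4j2-async.xml.
"""
import xml.etree.ElementTree as ET

# Levels more verbose than INFO; Log4j 2 treats level names case-insensitively.
VERBOSE = {"trace", "debug", "all"}
# Elements in a log4j2 <Loggers> section that carry a level attribute.
LOGGER_TAGS = {"Root", "Logger", "AsyncRoot", "AsyncLogger"}

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <AsyncLogger name="com.cafex.mediabroker" level="DEBUG" additivity="false">
      <AppenderRef ref="stdout"/>
    </AsyncLogger>
    <AsyncLogger name="org.apache" level="warn"/>
    <AsyncRoot level="debug">
      <AppenderRef ref="stdout"/>
    </AsyncRoot>
  </Loggers>
</Configuration>
"""


def verbose_loggers(xml_text):
    """Names of loggers still at TRACE/DEBUG/ALL; the root logger is reported as '<root>'."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if el.tag in LOGGER_TAGS and el.get("level", "").lower() in VERBOSE:
            found.append(el.get("name", "<root>"))
    return found


def lower_to_info(xml_text):
    """Return (rewritten_xml, changed_logger_names); loggers at INFO or quieter are left alone."""
    root = ET.fromstring(xml_text)
    changed = []
    for el in root.iter():
        if el.tag in LOGGER_TAGS and el.get("level", "").lower() in VERBOSE:
            el.set("level", "INFO")
            changed.append(el.get("name", "<root>"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, changed = lower_to_info(SAMPLE_CONFIG)
    print("changed:", changed)                 # ['com.cafex.mediabroker', '<root>']
    print("still verbose:", verbose_loggers(new_xml))   # []
```

ElementTree does not preserve comments or the original formatting, so treat the rewritten text as a new file and keep the .bak copy. verbose_loggers() can also be run on its own against the backup and the edited file to confirm the difference. As noted above, this only stops DEBUG statements from being formatted; it does not remove the JNDI lookup from the library.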
For any assistance or issues, please contact us at support@cbaliveassist.com.
Update 20th Dec 2021
Mitigation jar and steps to remediate the CBA Media Broker against this critical-severity vulnerability (CVE-2021-44228)
All versions of CBA Fusion Media Broker use Log4j 2.0 and are affected by CVE-2021-44228.
The patch jar can be downloaded from our download portal:
https://support.cba-japan.com/?wpdmpro=log4j-patch-for-media-broker
This patch applies only to the following Media Broker versions:
- 3.3.21
- 3.3.22
- 3.3.23.1
- 3.4.0
- 3.4.1
For any other version, either upgrade to 3.4.1 and then apply the patch, or go directly to 3.4.2 using the FCSDK installer (in upgrade mode).
To apply the patch, run the following from the directory where you downloaded it:
# tar -xf log4j-patch-1.0.tar
# cd log4j-patch
# ./run-patch.sh
You will see output like the following:
saving old files into /opt/cafex/FCSDK-3.4.0/media_broker/save-old
deleting: META-INF/MANIFEST.MF
deleting: META-INF/MANIFEST.MF
updated manifest
updated manifest
patch applied successfully;
Now restart the fusion_media_broker service:
# service fusion_media_broker restart
If the media_broker directory is writeable only by root, run the patch script as root, e.g.
# sudo ./run-patch.sh
The Media Broker should then be restarted with
# sudo service fusion_media_broker restart
Expect one to two minutes of downtime. To check that the MB is running normally, confirm that log output is still being written, for example from the media_broker directory:
# tail -f rtp-proxy-instances/mb-0/proxy.log
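To confirm the state of a Media Broker installation after patching (or of any host you are assessing), the following added example (not CBA's patch code and not part of the original advisory) scans a directory tree for log4j-core jars, reads the version from each jar's manifest, and checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class, the class that CVE-2021-44228 abuses, is still present. It builds three tiny constructed stand-in jars in a temporary directory to run against; on a real host, point scan() at /opt/cafex. The version ranges encoded in fixed_for_44228() are the Apache-published fixed releases for this CVE only and say nothing about the later CVEs.

```python
"""Added example: inventory Log4j 2 core jars and check for the JNDI lookup class.

Not CBA's or Apache's code. build_fixture() writes constructed stand-in jars
(a manifest plus, optionally, a placeholder JndiLookup.class) so the scan can
run offline; real installations are scanned with scan("/opt/cafex").
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Map '2.14.1' or 'log4j-core-2.0-beta9.jar' to a comparable tuple (pre-release suffixes ignored)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_for_44228(v):
    """True for releases carrying the CVE-2021-44228 fix: 2.15.0+ plus the 2.3.1 and 2.12.2 backports."""
    return v >= (2, 15, 0) or (2, 3, 1) <= v < (2, 4, 0) or (2, 12, 2) <= v < (2, 13, 0)


def inspect_jar(path):
    """Return (version_tuple, jndi_present, status) for one log4j-core jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = parse_version(m.group(1))
        if version is None:                      # fall back to the file name
            version = parse_version(os.path.basename(path))
        jndi = JNDI_CLASS in names
    if not jndi:
        status = "mitigated"     # class removed from the jar, so the lookup cannot be reached
    elif version is None:
        status = "unknown"
    elif fixed_for_44228(version):
        status = "fixed"
    elif (2, 0, 0) <= version <= (2, 14, 1):
        status = "VULNERABLE"
    else:
        status = "unknown"
    return version, jndi, status


def scan(root_dir):
    """Find every log4j-core jar below root_dir; returns {relative_path: (version, jndi_present, status)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if re.match(r"log4j-core-.*\.jar$", name):
                path = os.path.join(dirpath, name)
                results[os.path.relpath(path, root_dir)] = inspect_jar(path)
    return results


def build_fixture():
    """Create constructed stand-in jars in a temp dir: vulnerable, class-removed, and fixed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    cases = [
        ("mb-old/log4j-core-2.0.jar", "2.0", True),
        ("mb-patched/log4j-core-2.0.jar", "2.0", False),
        ("mb-new/log4j-core-2.17.1.jar", "2.17.1", True),
    ]
    for rel, ver, with_jndi in cases:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\nImplementation-Version: %s\n" % ver)
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return root


if __name__ == "__main__":
    for rel, (ver, jndi, status) in sorted(scan(build_fixture()).items()):
        print("%-34s version=%s JndiLookup=%s -> %s" % (rel, ver, jndi, status))
```

A jar reported as "mitigated" has had JndiLookup.class removed, which is the mitigation Apache documented for the 2.x branch; "fixed" means the version itself no longer performs the lookup in message text. Anything reported as "VULNERABLE" or "unknown" after running the patch should be raised with support.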
For any assistance or issues, please contact us at support@cbaliveassist.com.
Update 21 Dec 2021
A new vulnerability, CVE-2021-45105, was reported: a denial of service in which a self-referential context lookup in the pattern layout causes uncontrolled recursion.
Our engineering team has confirmed that our product is not affected by this vulnerability.
CBA Live Assist does not use context lookups in its log4j configuration, which is the precondition for triggering it.
Update 05 Jan 2022
Another vulnerability, CVE-2021-44832, was reported: remote code execution through the JDBC Appender when an attacker is able to modify the logging configuration.
Our engineering team has confirmed that our product is not affected by this vulnerability.
Note: FCSDK 3.4.3 and later builds will ship log4j 2.17.1.