====== Security implications of Apache Log4j vulnerabilities ======
; Bulletin ID : LCSEC21-01
; Date published : 2021-12-12
; Priority : 1
; Severity : Important
Priority and severity ratings are determined as described [[security:ratings|here]].
===== Activity log =====
^ Date ^ Update ^
| 2021-12-21 10.39 | New version of Lime BI is now available. |
| 2021-12-21 08.30 | Simplified Lime BI mitigation instruction. |
| 2021-12-20 08.48 | Added info regarding CVE-2021-45105. |
| 2021-12-15 12.29 | Added info regarding CVE-2021-45046. |
| 2021-12-13 16.25 | A patch has been published and is available to mitigate the vulnerability. |
| 2021-12-13 15.48 | A patch has been created and is being validated. |
| 2021-12-13 11.42 | Updated info regarding Elasticsearch. |
| 2021-12-12 20.24 | Page created. |
===== Summary =====
A high severity vulnerability ([[http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228|CVE-2021-44228]]) in the widely used Java logging framework Apache Log4j has been disclosed. Log4j is not directly used in Lime CRM, but it is used via third party components in the following system services:
* **Full-text search** \\ The Elasticsearch search engine may be susceptible to information leakage caused by the vulnerability.
* **Lime BI add-on** \\ Metabase powers the BI engine in Lime BI and is affected by the vulnerability when installed on-premises.
A related vulnerability (CVE-2021-45046) was disclosed 2021-12-14. Lime BI is not affected by this vulnerability. Applying the patch for Lime CRM (below) will also remediate any possible vulnerability to CVE-2021-45046.
Yet another vulnerability (CVE-2021-45105) was disclosed 2021-12-16. Applying the existing Lime CRM patch (below) will remediate this vulnerability (denial of service). No mitigation exists for Lime BI; await the official update.
===== Affected versions =====
^ Product ^ Version ^ Platform ^
| Lime CRM | <= 2021.1.523 | On-premises |
| Lime BI | < 3.32.0 | On-premises |
===== Remediation =====
Updated installers for Lime CRM and Lime BI will be released when ready. Until then, perform the mitigation actions detailed below.
===== Vulnerability information =====
==== Detailed summary ====
General details about the vulnerability can be found online, for example at:
* https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
* https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
* https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/
Details regarding how Elasticsearch is affected [[https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476|can be found here]].
==== Mitigation ====
Patches are available for both Lime CRM and Lime BI. Depending on which services you are using, one or both need to be applied.
=== Lime CRM ===
Download and execute the Python script {{ :security:patch-log4j-cve-2021-44228.zip?nocache |found here}}. The script supports all versions of Lime CRM and needs to be run with admin privileges. It will automatically remove the vulnerability from the log4j library. Note that the Lime CRM Search Engine service will be restarted.
Usage:
- Unzip the downloaded file and copy the contained ''patch-log4j-cve-2021-44228.py'' script to a temporary folder on the Lime CRM server.
- Launch an elevated command prompt (cmd.exe).
- Run the following command to activate the correct Python environment: \\ ''"C:\Program Files (x86)\Lundalogik\procmd.bat"''
- Apply the patch with the following command (make sure to replace the path to the script): \\ ''python "c:\path\to\patch-log4j-cve-2021-44228.py"''
If the installation is not located at ''C:\Program Files (x86)\Lundalogik\'' the following command can be used to specify the correct location:
''python "c:\path\to\patch-log4j-cve-2021-44228.py" --installdir "x:path\to\LIME Pro Server"''
If the patch is successful the script will output //The patch has been applied// in green text.
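A post-patch verification check, added here as an example and not part of Lime's patch script or of Lime CRM: it walks an install directory, finds every log4j-core jar and reports whether it still contains JndiLookup.class (the class that the widely used CVE-2021-44228 mitigation strips from the jar; what Lime's script does internally is not described on this page) together with the version declared in the jar manifest. The 2.16.0 threshold (the release that removed message lookups and disabled JNDI by default) is my assumption, and the jars the demo scans are constructed fixtures, not real log4j builds.

```python
import os, re, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core.*\.jar$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, patch) parsed from a version string, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(path):
    """Report manifest version, JndiLookup.class presence and a verdict for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.lower().startswith("implementation-version:"):
                    version = parse_version(line.split(":", 1)[1])
    has_jndi = JNDI_LOOKUP in names
    # Assumption: 2.16.0 removed message lookups and disabled JNDI by default, so a jar at or
    # above that version is not flagged even when JndiLookup.class is still inside it.
    vulnerable = has_jndi and (version is None or version < (2, 16, 0))
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "vulnerable": vulnerable}

def scan_install_dir(install_dir):
    """Walk install_dir (e.g. the Lime CRM install directory) and inspect every log4j-core jar."""
    results = []
    for root, _dirs, files in os.walk(install_dir):
        results += [inspect_jar(os.path.join(root, f)) for f in files if JAR_NAME.search(f)]
    return sorted(results, key=lambda r: r["path"])

def make_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal jar imitating log4j-core's manifest and class layout."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic is enough for the check

def demo():
    """Scan a temp directory holding three constructed jars: unpatched, newer, and class-stripped."""
    base = tempfile.mkdtemp()
    make_sample_jar(os.path.join(base, "log4j-core-2.11.1.jar"), "2.11.1", True)   # unpatched
    make_sample_jar(os.path.join(base, "log4j-core-2.16.0.jar"), "2.16.0", True)   # class present, fixed version
    make_sample_jar(os.path.join(base, "log4j-core-patched.jar"), "2.11.1", False)  # JndiLookup.class removed
    return scan_install_dir(base)

if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["version"], "VULNERABLE" if r["vulnerable"] else "ok")
```

Point `scan_install_dir` at the real installation directory (the same path given to ''--installdir'') to confirm that no flagged jar remains after the patch.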
=== Lime BI ===
An update of Lime BI is available which can be installed by updating to v3.32.0 or later. This update removes the vulnerability and enables the mitigation below. Note that the installer needs to be re-run as well in order to fully upgrade to the latest version.
For on-premises installations of Lime BI that cannot be updated to the latest version, the vulnerability can be mitigated by modifying Java runtime options. Execute the following command:
''"C:\Program Files (x86)\Lundalogik\Python3\Lib\site-packages\nssm\bin\win64\nssm.exe" set lime-crm-bi AppParameters "-Dlog4j2.formatMsgNoLookups=true -jar ""c:\Lime BI\metabase.jar"""''
Then restart the Lime BI service:
''net stop lime-crm-bi'' \\ ''net start lime-crm-bi''