Security implications of Apache Log4j vulnerabilities

Bulletin ID
LCSEC21-01
Date published
2021-12-12
Priority
1
Severity
Important

Priority and severity ratings are determined as described here.

Date Update
2021-12-21 10.39 New version of Lime BI is now available.
2021-12-21 08.30 Simplified Lime BI mitigation instruction.
2021-12-20 08.48 Added info regarding CVE-2021-45105.
2021-12-15 12.29 Added info regarding CVE-2021-45046.
2021-12-13 16.25 A patch has been published and is available to mitigate the vulnerability.
2021-12-13 15.48 A patch has been created and is being validated.
2021-12-13 11.42 Updated info regarding Elasticsearch.
2021-12-12 20.24 Page created.

A high severity vulnerability (CVE-2021-44228) in the widely used Java logging framework Apache Log4j has been disclosed. Log4j is not directly used in Lime CRM, but it is used via third party components in the following system services:

  • Full-text search
    The Elasticsearch search engine may be susceptible to information leakage caused by the vulnerability.
  • Lime BI add-on
    Metabase powers the BI engine in Lime BI and is affected by the vulnerability when installed on-premises.

A related vulnerability (CVE-2021-45046) was disclosed 2021-12-14. Lime BI is not affected by this vulnerability. Applying the patch for Lime CRM (below) will also remediate any possible vulnerability to CVE-2021-45046.

Yet another vulnerability (CVE-2021-45105) was disclosed 2021-12-16. Applying the existing Lime CRM patch (below) will remediate the vulnerability (denial of service). No mitigation exists for Lime BI, await official update.

Product Version Platform
Lime CRM ⇐ 2021.1.523 On-premises
Lime BI < 3.32.0 On-premises

Updated installers for Lime CRM and Lime BI will be released when ready. Until then perform mitigation actions as detailed below.

There are patches available for both Lime CRM and Lime BI. Depending on which service you are using both need to be applied.

Lime CRM

Download and execute the Python script found here. The script supports all versions of Lime CRM and needs to be run with admin privileges. It will automatically remove the vulnerability from the log4j library. Note that the Lime CRM Search Engine service will be restarted.

Usage:

  1. Unzip the downloaded file and copy the contained patch-log4j-cve-2021-44228.py script to a temporary folder on the Lime CRM server.
  2. Launch an elevated command prompt (cmd.exe).
  3. Run the following command to activate the correct Python environment:
    "C:\Program Files (x86)\Lundalogik\procmd.bat"
  4. Apply the patch with the following command (make sure to replace the path to the script):
    python "c:\path\to\patch-log4j-cve-2021-44228.py"

If the installation is not located at C:\Program Files (x86)\Lundalogik\ the following command can be used to specify the correct location:

python "c:\path\to\patch-log4j-cve-2021-44228.py" --installdir "x:path\to\LIME Pro Server"

If the patch is successful the script will output The patch has been applied in green text.

Lime BI

An update of Lime BI is available which can be installed by updating to v3.32.0 or later. This update removes the vulnerability and enables the mitigation below. Note that the installer needs to be re-run as well in order to fully upgrade to the latest version.

For on-premises installations of Lime BI that cannot be updated to the latest version, the vulnerability can be mitigated by modifying Java runtime options. Execute the following command:

"C:\Program Files (x86)\Lundalogik\Python3\Lib\site-packages\nssm\bin\win64\nssm.exe" set lime-crm-bi AppParameters "-Dlog4j2.formatMsgNoLookups=true -jar ""c:\Lime BI\metabase.jar"""

Then restart the Lime BI service:

net stop lime-crm-bi
net start lime-crm-bi
  • Last modified: 19 months ago
  • by Jens Gustafsson