9:20 a.m.
Hi,
We checked the RHEL advisories, and saw that RHEL 7 and 8 seem not impacted by log4shell
and RedHat IDM is not explicitly mentioned neither as being safe nor as being vulnerable.
Seeing as pki-tomcat is being used, we found these versions of log4j on the CA master
nodes.
log4j 1.2.17 java-archive
log4j-over-slf4j 1.7.4 java-archive
log4j12 1.7.4 java-archive
It would be great if somebody could help shed some light on this.
Thanks
T
9:58 a.m.
What's the full path to those files exactly? My RHEL 8 IdM (FreeIPA) servers (with CA)
don't have any log4j jars:
$ sudo find / -xdev -type f -name '*log*.jar'
/usr/share/java/commons-logging-adapters.jar
/usr/share/java/commons-logging-api.jar
/usr/share/java/commons-logging.jar
/usr/share/java/jboss-logging/jboss-logging.jar
/usr/share/java/jboss-logging-tools/jboss-logging-annotations.jar
/usr/share/java/jboss-logging-tools/jboss-logging-processor.jar
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1:24 a.m.
On su, 12 joulu 2021, Sam Morris via FreeIPA-users wrote:
What's the full path to those files exactly? My RHEL 8 IdM
(FreeIPA) servers (with CA) don't have any log4j jars:
$ sudo find / -xdev -type f -name '*log*.jar'
/usr/share/java/commons-logging-adapters.jar
/usr/share/java/commons-logging-api.jar
/usr/share/java/commons-logging.jar
/usr/share/java/jboss-logging/jboss-logging.jar
/usr/share/java/jboss-logging-tools/jboss-logging-annotations.jar
/usr/share/java/jboss-logging-tools/jboss-logging-processor.jar
FreeIPA doesn't use Java at all. Dogtag does but it uses SLF4J library to
wrap around different logging mechanisms.
By default, Dogtag would use slf4j-jdk14 bindings, e.g. defaulting to
java.util.logging use.
As far as I can see, this is true for RHEL 7 and RHEL 8.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5:25 a.m.
We have scanned our freeIPA instances and it seems that somehow in PKI
functionality tomcat is being used, which in turn uses log4j.
Does this have an impact?
~]# find / -name \log4j\
/etc/tomcat/log4j.properties
/var/lib/yum/yumdb/l/fcb0a245a2d3b4e92b76136762f22caf2e7fe5f7-log4j-1.2.17-16.el7_4-noarch
/var/lib/pki/pki-tomcat/lib/log4j.properties
/var/lib/pki/pki-tomcat/lib/log4j.jar
/usr/share/doc/log4j-1.2.17
/usr/share/pki/server/conf/log4j.properties
/usr/share/sgml/log4j
/usr/share/sgml/log4j/log4j.dtd
/usr/share/java/log4j.jar
/usr/share/java/tomcat/log4j.jar
/usr/share/java/slf4j/log4j-over-slf4j.jar
/usr/share/java/slf4j/log4j12.jar
/usr/share/java/slf4j/slf4j-log4j12.jar
/usr/share/maven-effective-poms/JPP.slf4j-slf4j-log4j12.pom
/usr/share/maven-effective-poms/JPP-log4j.pom
/usr/share/maven-effective-poms/JPP.slf4j-log4j-over-slf4j.pom
/usr/share/maven-fragments/log4j.xml
/usr/share/maven-poms/JPP-log4j.pom
/usr/share/maven-poms/JPP.slf4j-log4j-over-slf4j.pom
/usr/share/maven-poms/JPP.slf4j-slf4j-log4j12.pom
8:18 a.m.
On ma, 13 joulu 2021, Markus Krause via FreeIPA-users wrote:
We have scanned our freeIPA instances and it seems that somehow in
PKI
functionality tomcat is being used, which in turn uses log4j.
Does this have an impact?
See my response to the other thread (really, why should we have so many
threads?). Sorry for this split to continue.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
7:30 a.m.
below rpm is installed as a dependency for free IPA server install version 4.6.8 on Oracle
Linux 7 .
log4j-1.2.17-16.el7_4.noarch.rpm
can this be confirmed that it doesnt have any impact on the same ?
8:16 a.m.
On ma, 13 joulu 2021, GAURAV Pande via FreeIPA-users wrote:
below rpm is installed as a dependency for free IPA server install
version 4.6.8 on Oracle Linux 7 .
log4j-1.2.17-16.el7_4.noarch.rpm
can this be confirmed that it doesnt have any impact on the same ?
I don't use Oracle Linux 7.
Please read the following carefully.
On latest RHEL 7.9 log4j is pulled as a part of slf4j dependencies
through apache-commons-logging.
The way how slf4j is used by Dogtag is defined by /usr/share/pki/etc/logging.properties
-----------------------------------------------------------------------------
# grep -v '^#' /usr/share/pki/etc/logging.properties
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
.level = WARNING
.handlers = java.util.logging.ConsoleHandler
-----------------------------------------------------------------------------
Additionally, Dogtag uses /usr/share/pki/lib as a path where to look
Java libraries:
# rpm -qlv pki-base-java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/java/pki
-rw-r--r-- 1 root root 682621 syys 15 21:18
/usr/share/java/pki/pki-certsrv.jar
-rw-r--r-- 1 root root 188108 syys 15 21:18
/usr/share/java/pki/pki-cmsutil.jar
-rw-r--r-- 1 root root 420890 syys 15 21:18
/usr/share/java/pki/pki-nsutil.jar
drwxr-xr-x 2 root root 0 syys 15 21:18
/usr/share/pki/examples/java
-rw-r--r-- 1 root root 2723 maalis 29 2020
/usr/share/pki/examples/java/CACertClientExample.java
-rw-r--r-- 1 root root 2964 maalis 29 2020
/usr/share/pki/examples/java/CAClientExample.java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/pki/lib
lrwxrwxrwx 1 root root 31 syys 15 21:18
/usr/share/pki/lib/commons-cli.jar -> /usr/share/java/commons-cli.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/commons-codec.jar -> /usr/share/java/commons-codec.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/commons-httpclient.jar -> /usr/share/java/commons-httpclient.jar
lrwxrwxrwx 1 root root 30 syys 15 21:18
/usr/share/pki/lib/commons-io.jar -> /usr/share/java/commons-io.jar
lrwxrwxrwx 1 root root 32 syys 15 21:18
/usr/share/pki/lib/commons-lang.jar -> /usr/share/java/commons-lang.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/commons-logging.jar -> /usr/share/java/commons-logging.jar
lrwxrwxrwx 1 root root 45 syys 15 21:18
/usr/share/pki/lib/httpclient.jar -> /usr/share/java/httpcomponents/httpclient.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/httpcore.jar -> /usr/share/java/httpcomponents/httpcore.jar
lrwxrwxrwx 1 root root 44 syys 15 21:18
/usr/share/pki/lib/jackson-core-asl.jar ->
/usr/share/java/jackson/jackson-core-asl.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-jaxrs.jar -> /usr/share/java/jackson/jackson-jaxrs.jar
lrwxrwxrwx 1 root root 46 syys 15 21:18
/usr/share/pki/lib/jackson-mapper-asl.jar ->
/usr/share/java/jackson/jackson-mapper-asl.jar
lrwxrwxrwx 1 root root 42 syys 15 21:18
/usr/share/pki/lib/jackson-mrbean.jar -> /usr/share/java/jackson/jackson-mrbean.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-smile.jar -> /usr/share/java/jackson/jackson-smile.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/jackson-xc.jar -> /usr/share/java/jackson/jackson-xc.jar
lrwxrwxrwx 1 root root 28 syys 15 21:18
/usr/share/pki/lib/jaxb-api.jar -> /usr/share/java/jaxb-api.jar
lrwxrwxrwx 1 root root 22 syys 15 21:18
/usr/share/pki/lib/jss4.jar -> /usr/lib/java/jss4.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/ldapjdk.jar -> /usr/share/java/ldapjdk.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-certsrv.jar -> /usr/share/java/pki/pki-certsrv.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-cmsutil.jar -> /usr/share/java/pki/pki-cmsutil.jar
lrwxrwxrwx 1 root root 34 syys 15 21:18
/usr/share/pki/lib/pki-nsutil.jar -> /usr/share/java/pki/pki-nsutil.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/pki-tools.jar -> /usr/share/java/pki/pki-tools.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-atom-provider.jar ->
/usr/share/java/resteasy-base/resteasy-atom-provider.jar
lrwxrwxrwx 1 root root 49 syys 15 21:18
/usr/share/pki/lib/resteasy-client.jar ->
/usr/share/java/resteasy-base/resteasy-client.jar
lrwxrwxrwx 1 root root 59 syys 15 21:18
/usr/share/pki/lib/resteasy-jackson-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jackson-provider.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxb-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-api.jar ->
/usr/share/java/resteasy-base/jaxrs-api.jar
lrwxrwxrwx 1 root root 55 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-jandex.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar
lrwxrwxrwx 1 root root 48 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/servlet.jar -> /usr/share/java/servlet.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/slf4j-api.jar -> /usr/share/java/slf4j/slf4j-api.jar
lrwxrwxrwx 1 root root 37 syys 15 21:18
/usr/share/pki/lib/slf4j-jdk14.jar -> /usr/share/java/slf4j/slf4j-jdk14.jar
Only slf4j-jdk14.jar is present there from SLF4J providers. This means
that even when log4j is installed on the system, it is not used by the
Dogtag components.
Regarding Tomcat, the instance configured by Dogtag uses log4j as log4j
is present there and is configured:
---------------------------------------------------------------
/var/lib/pki/pki-tomcat/lib:
drwxrwx---. 2 pkiuser pkiuser 4096 13.12. 08:53 .
drwxrwx---. 7 pkiuser pkiuser 146 13.12. 08:53 ..
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser 34 13.12. 08:53 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser 45 13.12. 08:53 commons-collections.jar ->
/usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser 28 13.12. 08:53 extras -> /usr/share/tomcat/lib/extras
lrwxrwxrwx. 1 pkiuser pkiuser 35 13.12. 08:53 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser 32 13.12. 08:53 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser 31 13.12. 08:53 log4j.jar ->
/usr/share/tomcat/lib/log4j.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 log4j.properties ->
/usr/share/pki/server/conf/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat7-websocket.jar ->
/usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat-el-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser 44 13.12. 08:53 tomcat-jsp-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser 48 13.12. 08:53 tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar
---------------------------------------------------------------
---------------------------------------------------------------
# grep -v '^#' /var/lib/pki/pki-tomcat/lib/log4j.properties
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
---------------------------------------------------------------
According to pki-server-logging man page:
--------------------------------------
Log4j
The default Tomcat 7 classpath does include Log4j, but
the server itself is not configured to use Log4j for logging by
default. However, since the Log4j is in the classpath the
RESTEasy will use Log4j for logging automatically (see
https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/Installat...).
The default Log4j configuration is located at
/usr/share/pki/server/conf/log4j.properties. During server
deployment a link will be created at
/var/lib/pki/<instance>/lib/log4j.properties.
By default only log messages with level WARN or higher will be
logged on the console (i.e. systemd journal).
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
The default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL
instead.
For more information see the following documents:
-
http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/ConsoleAppen...
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayou...
--------------------------------------
So the easest way to mitigate log4j usage is to remove log4j.properties
symlink in the instance directory to avoid loading log4j by tomcat and
RESTEasy.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
9:51 a.m.
On ma, 13 joulu 2021, Alexander Bokovoy via FreeIPA-users wrote:
On ma, 13 joulu 2021, GAURAV Pande via FreeIPA-users wrote:
>below rpm is installed as a dependency for free IPA server install version 4.6.8 on
Oracle Linux 7 .
>
>log4j-1.2.17-16.el7_4.noarch.rpm
>
>can this be confirmed that it doesnt have any impact on the same ?
I don't use Oracle Linux 7.
Please read the following carefully.
On latest RHEL 7.9 log4j is pulled as a part of slf4j dependencies
through apache-commons-logging.
The way how slf4j is used by Dogtag is defined by /usr/share/pki/etc/logging.properties
-----------------------------------------------------------------------------
# grep -v '^#' /usr/share/pki/etc/logging.properties
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
.level = WARNING
.handlers = java.util.logging.ConsoleHandler
-----------------------------------------------------------------------------
Additionally, Dogtag uses /usr/share/pki/lib as a path where to look
Java libraries:
# rpm -qlv pki-base-java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/java/pki
-rw-r--r-- 1 root root 682621 syys 15 21:18
/usr/share/java/pki/pki-certsrv.jar
-rw-r--r-- 1 root root 188108 syys 15 21:18
/usr/share/java/pki/pki-cmsutil.jar
-rw-r--r-- 1 root root 420890 syys 15 21:18
/usr/share/java/pki/pki-nsutil.jar
drwxr-xr-x 2 root root 0 syys 15 21:18
/usr/share/pki/examples/java
-rw-r--r-- 1 root root 2723 maalis 29 2020
/usr/share/pki/examples/java/CACertClientExample.java
-rw-r--r-- 1 root root 2964 maalis 29 2020
/usr/share/pki/examples/java/CAClientExample.java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/pki/lib
lrwxrwxrwx 1 root root 31 syys 15 21:18
/usr/share/pki/lib/commons-cli.jar -> /usr/share/java/commons-cli.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/commons-codec.jar -> /usr/share/java/commons-codec.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/commons-httpclient.jar -> /usr/share/java/commons-httpclient.jar
lrwxrwxrwx 1 root root 30 syys 15 21:18
/usr/share/pki/lib/commons-io.jar -> /usr/share/java/commons-io.jar
lrwxrwxrwx 1 root root 32 syys 15 21:18
/usr/share/pki/lib/commons-lang.jar -> /usr/share/java/commons-lang.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/commons-logging.jar -> /usr/share/java/commons-logging.jar
lrwxrwxrwx 1 root root 45 syys 15 21:18
/usr/share/pki/lib/httpclient.jar -> /usr/share/java/httpcomponents/httpclient.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/httpcore.jar -> /usr/share/java/httpcomponents/httpcore.jar
lrwxrwxrwx 1 root root 44 syys 15 21:18
/usr/share/pki/lib/jackson-core-asl.jar ->
/usr/share/java/jackson/jackson-core-asl.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-jaxrs.jar -> /usr/share/java/jackson/jackson-jaxrs.jar
lrwxrwxrwx 1 root root 46 syys 15 21:18
/usr/share/pki/lib/jackson-mapper-asl.jar ->
/usr/share/java/jackson/jackson-mapper-asl.jar
lrwxrwxrwx 1 root root 42 syys 15 21:18
/usr/share/pki/lib/jackson-mrbean.jar -> /usr/share/java/jackson/jackson-mrbean.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-smile.jar -> /usr/share/java/jackson/jackson-smile.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/jackson-xc.jar -> /usr/share/java/jackson/jackson-xc.jar
lrwxrwxrwx 1 root root 28 syys 15 21:18
/usr/share/pki/lib/jaxb-api.jar -> /usr/share/java/jaxb-api.jar
lrwxrwxrwx 1 root root 22 syys 15 21:18
/usr/share/pki/lib/jss4.jar -> /usr/lib/java/jss4.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/ldapjdk.jar -> /usr/share/java/ldapjdk.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-certsrv.jar -> /usr/share/java/pki/pki-certsrv.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-cmsutil.jar -> /usr/share/java/pki/pki-cmsutil.jar
lrwxrwxrwx 1 root root 34 syys 15 21:18
/usr/share/pki/lib/pki-nsutil.jar -> /usr/share/java/pki/pki-nsutil.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/pki-tools.jar -> /usr/share/java/pki/pki-tools.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-atom-provider.jar ->
/usr/share/java/resteasy-base/resteasy-atom-provider.jar
lrwxrwxrwx 1 root root 49 syys 15 21:18
/usr/share/pki/lib/resteasy-client.jar ->
/usr/share/java/resteasy-base/resteasy-client.jar
lrwxrwxrwx 1 root root 59 syys 15 21:18
/usr/share/pki/lib/resteasy-jackson-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jackson-provider.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxb-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-api.jar ->
/usr/share/java/resteasy-base/jaxrs-api.jar
lrwxrwxrwx 1 root root 55 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-jandex.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar
lrwxrwxrwx 1 root root 48 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/servlet.jar -> /usr/share/java/servlet.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/slf4j-api.jar -> /usr/share/java/slf4j/slf4j-api.jar
lrwxrwxrwx 1 root root 37 syys 15 21:18
/usr/share/pki/lib/slf4j-jdk14.jar -> /usr/share/java/slf4j/slf4j-jdk14.jar
Only slf4j-jdk14.jar is present there from SLF4J providers. This means
that even when log4j is installed on the system, it is not used by the
Dogtag components.
Regarding Tomcat, the instance configured by Dogtag uses log4j as log4j
is present there and is configured:
---------------------------------------------------------------
/var/lib/pki/pki-tomcat/lib:
drwxrwx---. 2 pkiuser pkiuser 4096 13.12. 08:53 .
drwxrwx---. 7 pkiuser pkiuser 146 13.12. 08:53 ..
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser 34 13.12. 08:53 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser 45 13.12. 08:53 commons-collections.jar ->
/usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser 28 13.12. 08:53 extras -> /usr/share/tomcat/lib/extras
lrwxrwxrwx. 1 pkiuser pkiuser 35 13.12. 08:53 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser 32 13.12. 08:53 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser 31 13.12. 08:53 log4j.jar ->
/usr/share/tomcat/lib/log4j.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 log4j.properties ->
/usr/share/pki/server/conf/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat7-websocket.jar ->
/usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat-el-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser 44 13.12. 08:53 tomcat-jsp-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser 48 13.12. 08:53 tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar
---------------------------------------------------------------
---------------------------------------------------------------
# grep -v '^#' /var/lib/pki/pki-tomcat/lib/log4j.properties
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
---------------------------------------------------------------
According to pki-server-logging man page:
--------------------------------------
Log4j
The default Tomcat 7 classpath does include Log4j, but
the server itself is not configured to use Log4j for logging by
default. However, since the Log4j is in the classpath the
RESTEasy will use Log4j for logging automatically (see
https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/Installat...).
The default Log4j configuration is located at
/usr/share/pki/server/conf/log4j.properties. During server
deployment a link will be created at
/var/lib/pki/<instance>/lib/log4j.properties.
By default only log messages with level WARN or higher will be
logged on the console (i.e. systemd journal).
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
The default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL
instead.
For more information see the following documents:
-
http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/ConsoleAppen...
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayou...
--------------------------------------
So the easest way to mitigate log4j usage is to remove log4j.properties
symlink in the instance directory to avoid loading log4j by tomcat and
RESTEasy.
Ok, that does not really help as log4j is present on the system path as
well.
For RHEL 7 what happens is that log4j 1.2.17 not affected unless the
deployed application is configured to use JMSAppender which is not
the case. So even if log4j is in the configuration, an automatic
use of JMSAppender is not present yet in that version and cannot
be triggered to pick up JNDI reflection. In addition, JNDI is not a part
of log4j 1.2.17 package.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
864
days inactive
865
days old
freeipa-users@lists.fedorahosted.org
7 comments
5 participants
participants (5)
-
Alexander Bokovoy -
Christophe Trefois -
GAURAV Pande -
Markus Krause -
Sam Morris