CVE-2021-44228 and Jitsi components

acruz · December 11, 2021, 4:32pm

Another question, a sign of exploitation would be a log like this:

2021-12-10 17:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

That was taken from this blog: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec

damencho · December 11, 2021, 6:03pm

We are not sure, how easy it is. Personally, looking at the callstats logs, I do not see any information coming from clients to be printed. This is my assumption, and we worked yesterday on the issue without any assumptions, so we can protect everybody 100%.

acruz · December 11, 2021, 7:06pm

Thank you so much for the quick reply! And also thank you for your work remediating this vulnerability.

kovacs-andras · December 15, 2021, 10:26am

Dear Team,
Have you seen the next CVE related to log4j v2?
Second Log4j Vulnerability (CVE-2021-45046)
Could we expect an another update soon?
Many thanks!

comunelevico · December 15, 2021, 6:52pm

I used this as a workaround:

zip -q -d /usr/share/jitsi-videobridge/lib/log4j-core-2.*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

to remove Jndilookup.class from any log4j-core-2.*.jar file

Then restart the server.

Note: The log4j version 2.15, distributed with jitsi, is vulnerabile.

Boris_Grozev · December 15, 2021, 10:49pm

Hi,

CVE-2021-45046 does not affect the jitsi components, because they don’t use any of the related features in PatternLayout (jvb, jigasi). We’re in the process of updating to 2.16.0 in any case.

comunelevico · December 16, 2021, 7:08am

@Boris_Grozev , thank you.

sebastianhaberey · December 21, 2021, 4:13pm

Are callstats enabled by default in a standard installation (i.e. following the self-hosting guide)? Also, where can I verify if callstats are enabled in my installation for jigasi / jitsi-videobridge respectively?

damencho · December 21, 2021, 6:33pm

No, in order to enable it you need to create an account on callstats and it is paid service for monitoring webrtc calls.

Buliwif · December 22, 2021, 11:17am

Hi,
I’m sure you’re focused on the log4j problem which occupies us all at the moment.
I see that my jitsi instance is now on 2.15 but the latest recommandation is to update on 2.17.

Is there a roadmap about that ?

damencho · December 22, 2021, 1:36pm

Log4j was removed from the dependencies chore: Remove all use of log4j. by bgrozev · Pull Request #1786 · jitsi/jitsi-videobridge · GitHub
If you want, you can update to the latest from unstable.

nirgal · December 23, 2021, 10:19am

I’m using the Debian-like packages, and log4l is still not fixed there!
Is the fix scheduled there soon?

And more importantly, is there a plan to make a proper Debian package? Having an embedded copy of log4j in videobidge is really bad practice. The Debian packages liblog4j* have been fixed almost immediately upon CVE disclosure. Videobridge really should use this, rather than ship its own copy, which is not updated!

damencho · December 23, 2021, 12:48pm

Yep, log4j was dropped in jvb in latest packages. You can update to unstable if you need it.
The source code repo is not shipping the lib, but is using the maven repo, this cannot happen for binary packages though. As we ship reproducible builds, with all dependencies. For reproducible builds you cannot download different library versions between runs.

TimWebb · January 3, 2022, 6:53pm

@damencho, do you have a timing estimate on when a stable version is estimated to be released? I see the last unstable version appears to be built on Dec 28th. We have issues with security compliance not allowing log4j 2.15 or 2.16 to be used and they are not pleased about an unstable version as a workaround. Thanks kindly and appreciate all the hard work to dig out from this mess!

damencho · January 5, 2022, 5:58pm

There is no ETA at the moment, normally after meet.jit.si release we do that. Probably we will do one in the following weeks.
The latest stable is safe with all the issues. The new release will just remove log4j completely.
If you are not using callstats, a temporary workaround will be to just delete log4j binary from /usr/share and run it like that, I think that should work.

ivazal · January 11, 2022, 12:10pm

@damencho I think you mean “If you are using callstats…”, isn’t it?

saghul · January 11, 2022, 12:31pm

No. If you AREN’T using callstats, then it’s safe to delete because it’s unused. The dependency will be gone altogether in the next stable update.

ivazal · January 11, 2022, 1:21pm

OK, understood, thanks, @saghul

jiwo · January 17, 2022, 4:53pm

Sorry for being obtuse

But if I am not using callstats - why do I need to remove log4j? I understood that Jitsi is only affected, if I do use callstats…

damencho · January 17, 2022, 5:03pm

You don’t need to. Some users are using tools for scanning files on system, and even if that is not used those are being flagged …
We will push new stable today or tomorrow that completely removes the log4j.