Log4j exposure/Mitigation?

To what extent are the videobridge and its components exposed to the log4j zero day exploit?

Is there any advice on mitigation/config?

Such as?
-Dlog4j2.formatMsgNoLookups=true

Perhaps adding this property to the log4j2.xml in /etc/jitsi/videobridge would be good enough?

A fast mitigation is to add -Dlog4j2.formatMsgNoLookups=true to the JVM args. This would potentially affect JVB, Jicofo, Jibri, Jigasi, but an attacker would have to find a way to control the log message (which is probably achievable). The easiest attack vector (the LDAP one) is not possible if you are using an up-to-date JVM.

Perhaps this indicates that the config isn’t being used?

jitsi/videobridge/log4j2.xml:-Dlog4j.configurationFile=config/log4j2.xml has to be used in VM args; I’ll try adding that to the JVM args.

Any idea where the best way would be to do that from a standard installation of the debian packages?

Alright, confirmed that I can add it into:

/usr/share/jitsi-videobridge/jvb.sh

directly on the line that launches the videobridge,

and in /usr/share/jicofo/jicofo.sh

I think this probably is the best short term solution.
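The steps from the posts above (put the flag on the launch line in jvb.sh and jicofo.sh, then confirm the running process actually received it, which is what the "config isn't being used" worry comes down to), as an added shell example that is not code from this thread or from the Jitsi project. It assumes the Debian launchers start the JVM on a line containing the token "exec java"; verify that line and the paths in your own copy. The flag itself is only the stop-gap that later posts in this thread describe as insufficient on its own.

```shell
#!/bin/sh
# Added example: not code from this thread or from the Jitsi project.
# Assumption: /usr/share/jitsi-videobridge/jvb.sh and /usr/share/jicofo/jicofo.sh
# start the JVM on a line containing the token "exec java" (verify in your copy).
# Usage: sh nolookups.sh /usr/share/jitsi-videobridge/jvb.sh /usr/share/jicofo/jicofo.sh

NOLOOKUPS_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# 0 if the launcher script already carries the flag, 1 otherwise.
has_nolookups_flag() {
    grep -q -- "$NOLOOKUPS_FLAG" "$1"
}

# Insert the flag directly after "exec java" on the launch line, once only.
# The original is kept as <script>.bak so the change can be reverted.
# Returns 1 if no "exec java" line was found (the content is left as it was).
add_nolookups_flag() {
    script="$1"
    has_nolookups_flag "$script" && return 0
    cp "$script" "$script.bak" || return 1
    # Write through the backup instead of sed -i, which differs between GNU and BSD sed.
    sed "s|\(exec[[:space:]]\{1,\}java\)|\1 $NOLOOKUPS_FLAG|" "$script.bak" > "$script" || return 1
    has_nolookups_flag "$script"
}

# Confirm the running JVM actually received the property (a systemd unit or a
# wrapper can bypass the launcher). $1 is the JVM's PID, e.g. from "pgrep -f jvb".
running_jvm_has_flag() {
    tr '\0' '\n' < "/proc/$1/cmdline" | grep -q -x -- "$NOLOOKUPS_FLAG"
}

for launcher in "$@"; do
    if add_nolookups_flag "$launcher"; then
        echo "flag present in $launcher (restart the service, then check its PID with running_jvm_has_flag)"
    else
        echo "could not patch $launcher: no 'exec java' line found" >&2
    fi
done
```

The patch is idempotent, so it can be re-run after a package upgrade rewrites the launcher; the PID check is the part worth keeping, because a launcher edit proves nothing about the process that is actually listening.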

From the jitsi folks:

Only callstats is afflicted with log4j, and the only potential exploit would be if callstats is enabled and being used for your bridge.

Thanks for keeping the community posted

Thank you for keeping us informed of the news.

Cheers

Hey @damencho

What about Jibri?

It doesn’t use log4j.
For our projects, log4j is a transitive dependency coming from callstats-java, whose runtime is only used in jvb and jigasi.

To anyone using -Dlog4j2.formatMsgNoLookups=true in order to patch legacy infra as suggested here earlier, that may no longer be viable:

You may still be vulnerable to Log4Shell (RCE) if you only enabled the noMsgFormatLookups

The latest stable jitsi release lays down /usr/share/jitsi-videobridge/lib/log4j-core-2.15.0.jar, and removes /usr/share/jitsi-videobridge/lib/log4j-core-2.13.2.jar, which according to the original CVE doesn’t enable the afflicted feature by default.

Does anyone know if it’s going to be updated to 2.16.0 any time soon? Even if the noMsgFormatLookups is disabled, our vuln-scanning is flagging the machine.

Second Log4j vulnerability discovered, patch already released | ZDNet

Having the same question here. We are running version 2.1-595-g3637fda4-1 and received a security finding for /usr/share/jitsi-videobridge/lib/log4j-core-2.15.0.jar

@damencho is there any future release awaiting that comes with log4j version >= 2.16?

Thanks!
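A check for the scanner finding discussed in the posts above, as an added example that is not code from this thread or from the Jitsi project: it lists the log4j-core jars under a lib directory and reports those below a threshold version, and separately lists the log4j-core jars a running JVM holds open, since a scanner matches files on disk while what matters is what the process loaded. The jar naming log4j-core-<version>.jar follows the paths quoted above. The default threshold 2.16.0 is the version asked for above; later log4j releases addressed further issues, so pass whatever your scanner currently requires.

```shell
#!/bin/sh
# Added example: not code from this thread or from the Jitsi project.
# Assumptions: jars are named log4j-core-<x.y.z>.jar as in the paths quoted
# above; the default threshold 2.16.0 is the version asked for above, and later
# log4j releases fixed further issues, so pass the version your scanner requires.
# Usage: sh log4j-audit.sh [libdir] [minimum-version] [jvm-pid]

# 0 if $1 is lower than $2 when compared numerically component by component
# (2.9 < 2.13.2, 2.15.0 < 2.16.0), 1 if equal or higher.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "<path> <version>" for every log4j-core jar under $1 whose version is
# below $2 (default 2.16.0). Exit status 0 means something needs updating;
# 1 means nothing below the threshold was found, which includes a lib
# directory with no log4j-core jar at all (the thread says the next stable
# release drops the dependency entirely).
log4j_core_below() {
    libdir="$1"; minver="${2:-2.16.0}"
    find "$libdir" -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        version_lt "$ver" "$minver" && echo "$jar $ver"
    done | grep .
}

# List the log4j-core jars a running JVM holds open: the scanner matches files
# on disk, but this is what the process has actually loaded. $1 is the JVM's PID.
running_jvm_log4j_core() {
    ls -l "/proc/$1/fd" 2>/dev/null | grep -o 'log4j-core-[^ ]*\.jar' | sort -u
}

if [ -n "${1:-}" ]; then
    if log4j_core_below "$1" "${2:-2.16.0}"; then
        echo "log4j-core below ${2:-2.16.0} found under $1" >&2
    else
        echo "no log4j-core below ${2:-2.16.0} under $1"
    fi
    if [ -n "${3:-}" ]; then
        running_jvm_log4j_core "$3"
    fi
fi
```

Run it against /usr/share/jitsi-videobridge/lib and the JVB PID after each package upgrade; an old jar left behind on disk will keep the scanner flagging the host even when the process no longer opens it, and the reverse (a new jar on disk, old one still open) means the service was never restarted.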

Check out this CVE-2021-44228 and Jitsi components - #12 by Boris_Grozev
The next stable will be with no log4j dependency; if you still want to update before that hits stable, you can update from the unstable repo.