Forum Discussion
- Mosh (Professor)
@Michael Rodrigues @Stuart Weenig
For info, Log4J 2.16 also has an exploitable vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/security.html
We are upgrading all of our own enterprise products to use 2.17. Will LogicMonitor be upgrading to 2.17?
I spoke to our Customer Success Manager just now and they have provided me the following information, this doesn't seem to be posted anywhere but this came directly from our CSM and provides a little more information. Hope this helps!
LogicMonitor has evaluated our exposure to the Log4Shell vulnerability and determined that the LM SaaS platform is not affected. We are aware that some versions of the LM Collector include a defective version of log4j, but its architecture has been purposely designed to mitigate such vulnerabilities.
However, out of an abundance of caution, we have developed a mitigation to the Log4Shell exposure and automatically deployed the fix to all Collectors. Instead of updating the Collector software itself, we were able to address the issue by updating the Collector configuration files.
On Dec 11th, all Collectors automatically updated their configuration files to include a directive -Dlog4j2.formatMsgNoLookups=true which neutralizes the Log4Shell attack vector. Because Collectors restart themselves on a 24-hour cadence, the updated configuration will have been applied to each Collector by Dec 12th.
If you want to verify with positive confirmation, you can check your Collectors’ wrapper.conf, watchdog.conf, and websites.conf/services.conf files for the above configuration directive. Also, each Collector that has been updated will include a line in its event log indicating Watchdog restarted by AddLog4jPropertyForWatchdog health check script.
- Manish_Arora (Neophyte)
Pls find the recent update:
At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th.
No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required.
Hope this helps!!!
- 13 hours ago, Dennis Huynh said:
Can you advise where the configuration are enabled/updated/disabled to confirm the mitigation has been implemented?
To confirm the configuration update, look in C:\Program Files (x86)\LogicMonitor\Agent\Conf\watchdog.conf for "-Dlog4j2.formatMsgNoLookups=true"
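One way to script the check described in the posts above, as an added example that is not part of any post and not LogicMonitor's own tooling: it looks for the directive in the four file names mentioned in the thread. The `#` comment convention, the constructed sample contents and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

# File names and the directive are taken from the thread; the rest is assumed.
CONF_FILES = ("wrapper.conf", "watchdog.conf", "websites.conf", "services.conf")
DIRECTIVE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\w+)")

# Constructed sample contents (hypothetical keys), not copied from a Collector.
SAMPLE = """\
# wrapper.java.additional.5=-Dlog4j2.formatMsgNoLookups=false
wrapper.java.additional.6=-Xmx1024m
wrapper.java.additional.7=-Dlog4j2.formatMsgNoLookups=true
"""

def check_text(text):
    """Return 'mitigated', 'disabled' or 'missing' for one file's contents."""
    state = "missing"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):  # assumption: '#' starts a comment line
            continue
        for match in DIRECTIVE.finditer(stripped):
            if match.group(1).lower() != "true":
                return "disabled"  # an active non-true value needs review
            state = "mitigated"
    return state

def check_conf_dir(conf_dir):
    """Map each expected file name to its status ('absent' if not on disk)."""
    results = {}
    for name in CONF_FILES:
        path = Path(conf_dir) / name
        if path.is_file():
            results[name] = check_text(path.read_text(errors="replace"))
        else:
            results[name] = "absent"
    return results

if __name__ == "__main__":
    # Usage: python check_lookups.py <path to the Collector's Conf directory>
    results = check_conf_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in results.items():
        print(f"{name:15} {status}")
    present = [s for s in results.values() if s != "absent"]
    # Exit 0 only if at least one file exists and every existing file is mitigated.
    sys.exit(0 if present and all(s == "mitigated" for s in present) else 1)
```

A commented-out directive counts as missing, so a file that only mentions the flag in a comment is not reported as mitigated.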
- Mike_Rodrigues (Product Manager)
Hey everyone, here's an official communication you can pass on to customers, clients, stakeholders, etc. about what's going on with LM and the Log4shell vulnerability:
https://www.logicmonitor.com/support/log4shell-security-vulnerability-cve-2021-44228
It goes over the details and how to confirm that your collectors are safe. We will update this document as things progress.
Just curious when a patch will be released that does not contain a vulnerable version? A mitigation is not the same as having fully patched and up-to-date software. A mitigation is more of a stop-gap measure until an update to the most recent non-vulnerable version can be deployed.
- Mike_Rodrigues (Product Manager)
GD 31.001 is now available in portals. It has log4j 2.16 to mitigate the log4shell vulnerabilities.
We'll continue to update our official communication as things progress: https://www.logicmonitor.com/support/log4shell-security-vulnerability-cve-2021-44228
Thanks for your patience!
Can you advise where the configuration are enabled/updated/disabled to confirm the mitigation has been implemented?
Is there any update on this? How can we confirm whether the collector version we're running contains the mitigation?
- Mosh (Professor)
14 hours ago, Manish Arora said:
Pls find the recent update:
At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th.
No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required.
Hope this helps!!!
Hi Manish,
Where was that posted?