Vulnerability in logging library for Apache version 2.7

[HafeezQ]

Hi

Im from BMW partner support -

We are using APISEC for authentication

we found vulnerability reported for log4j 2 apache file . See the below log for reference.

https://www.randori.com/blog/cve-2021-44228/

RandoriRandori
CVE-2021-44228 - Log4j 2 Vulnerability Analysis - Randori Attack Team
CVE-2021-44228 is a high severity vulnerability impacting Apache Log4j 2. Randori has developed a working exploit and provided a technical analysis

Please provide your advisory on this vulnerability , open a case for reference and provide a work around,

Thank you
Hafeez Qureshi
[email protected]

[ewanharris]

@HafeezQ, I don't think you're asking about Titanium here based on your Ti-Slack posts. if this is about an Axway product you should reach out to support via support.axway.com or email support at axway.com.

For Titanium however, I believe log4j is used to pickup @Kroll annotations, (based on Josh's comment in Ti-Slack) and is not included in the built app. It does seem like log4j is vulnerable (to this and other things), but I'm not sure if the usage of the library exposes the attack vector here

@jquick-axway @garymathews should we still look to upgrade the log4j version to 2.x?

[jquick-axway]

@HafeezQ , Titanium does not include the log4j in your app (ie: your APK or ABB). Titanium only uses log4j when doing Java annotation processing for @Kroll when building the Titanium SDK or native module.
https://github.com/appcelerator/titanium_mobile/blob/master/android/kroll-apt/build.gradle#L77
https://github.com/appcelerator/titanium_mobile/blob/master/android/kroll-apt/src/main/java/org/appcelerator/kroll/annotations/generator/KrollBindingGenerator.java#L23-L25

---

You can check for log4j library usage within your APK by doing the following:

1. Build your app with Titanium.
2. Terminal: CD ./<YourAppProject>/build/android
3. Terminal: ./gradlew :app:dependencies
4. The above will output the entire library dependency tree of your app, include the libraries each library depends on.
5. Search for log4j.

We removed all Apache libraries from Titanium and our modules a couple years ago. So, you won't find any usage of log4j from us. If you do find log4j in the above output, then it's likely to be coming from a 3rd party module in which case that module needs to be corrected. The outputted dependency tree will tell you which module the issue is coming from.

Alternatively, you can check for the log4j Java class compiled into the APK's dex libraries as follows. The above lists the AARs being used, but will not reveal the local JARs being used. So, the below procedure reveals everything, but won't tell you which library is including it.

1. Terminal: unzip <PathToYourApk>
2. Notice the classes*.dex files that were unzipped. These are Android's JAR library equivalents.
3. Terminal: CD ~/Library/Android/sdk/build-tools/<version (I'm using version 31.0.0.)
4. Terminal: ./dexdump <PathToUnzippedClassesDex> | grep 'Class descriptor'
5. "dexdump" will list all Java classes included in the *.dex library. Search for log4j. Do this for each "classes.dex" file you have.

[m1ga]

Thanks for the detailed explanation 👍

#13208
so scanners/people won't find the old version and try to test against it 😄

[jquick-axway]

@m1ga , I think we can remove log4j. In Titanium 9.0.0, I changed the annotation processor to log via stdout/stderr to make it more gradle friendly. So, I don't think we even use log4j anymore. It's dead code... unless our "simple JSON" library uses it.

[m1ga]

I didn't even know what to look for in the output or what it should log 😄
Removing it is always a better option when it is not needed