Umesh Parab, posted December 11, 2021:

Are LogicMonitor collectors running a vulnerable version of Log4j affected by the "Log4shell" CVE-2021-44228 vulnerability? If not, can you please explain how?

Michael Rodrigues (LogicMonitor Staff), posted December 13, 2021:

Hey everyone, here's an official communication you can pass on to customers, clients, stakeholders, etc. about what's going on with LM and the Log4shell vulnerability: https://www.logicmonitor.com/support/log4shell-security-vulnerability-cve-2021-44228

It goes over the details and how to confirm that your collectors are safe. We will update this document as things progress.

Manish Arora, posted December 12, 2021:

Pls find the recent update:

At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th. No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required.

Hope this helps!!!

Dennis Huynh, posted December 13, 2021:

Can you advise where the configuration is enabled/updated/disabled to confirm the mitigation has been implemented?

Maurice Harnett, posted December 13, 2021:

Is there any update on this? How can we confirm whether the collector version we're running contains the mitigation?

Mosh, posted December 13, 2021:

> 14 hours ago, Manish Arora said:
> Pls find the recent update: At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th. No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required. Hope this helps!!!

Hi Manish, where was that posted?

Phil123, posted December 13, 2021:

I spoke to our Customer Success Manager just now and they have provided me the following information. This doesn't seem to be posted anywhere, but it came directly from our CSM and provides a little more information. Hope this helps!

> LogicMonitor has evaluated our exposure to the Log4Shell vulnerability and determined that the LM SaaS platform is not affected. We are aware that some versions of the LM Collector include a defective version of log4j, but its architecture has been purposely designed to mitigate such vulnerabilities. However, out of an abundance of caution, we have developed a mitigation to the Log4Shell exposure and automatically deployed the fix to all Collectors.
>
> Instead of updating the Collector software itself, we were able to address the issue by updating the Collector configuration files. On Dec 11th, all Collectors automatically updated their configuration files to include a directive -Dlog4j2.formatMsgNoLookups=true which neutralizes the Log4Shell attack vector. Because Collectors restart themselves on a 24-hour cadence, the updated configuration will have been applied to each Collector by Dec 12th.
>
> If you want to verify with positive confirmation, you can check your Collectors’ wrapper.conf, watchdog.conf, and websites.conf/services.conf files for the above configuration directive. Also, each Collector that has been updated will include a line in its event log indicating Watchdog restarted by AddLog4jPropertyForWatchdog health check script.

Stefan W, posted December 13, 2021:

That was from a pop-up that appeared in the portal yesterday.

Stuart Weenig (Guest), posted December 13, 2021:

Yes, the above pop up should have appeared the first time an administrator logged in after Saturday:

> On Dec 9th, 2021, various cybersecurity organizations began reporting that a critical-severity vulnerability has been discovered in an application logging component known as “log4j” which is widely used in Java-based applications.
>
> LogicMonitor has evaluated our exposure to the Log4Shell vulnerability and determined that the LM SaaS platform is not affected. We are aware that some versions of the LM Collector include a defective version of log4j, but its architecture has been purposely designed to mitigate such vulnerabilities. However, out of an abundance of caution, we have developed a mitigation strategy for this vulnerability that will definitively prevent exposure.
>
> At this time the Log4Shell mitigation has already been released to the LM platform and each Collector will have automatically updated its configuration file to incorporate the fix on Saturday, Dec 11th. Because each Collector restarts itself on a daily cadence, the updated configuration will automatically take effect on all Collectors no later than Sunday, Dec 12th. No updates to the Collector software are required to enable the Log4Shell mitigation and no manual intervention is required.
>
> Please reach out to LogicMonitor Technical Support or your Customer Success Manager if you have any questions or concerns.

Steve the IT Guy, posted December 13, 2021:

> 13 hours ago, Dennis Huynh said:
> Can you advise where the configuration is enabled/updated/disabled to confirm the mitigation has been implemented?

To confirm the configuration update, look in C:\Program Files (x86)\LogicMonitor\Agent\Conf\watchdog.conf for "-Dlog4j2.formatMsgNoLookups=true"

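The check described in Phil123's and Steve the IT Guy's posts can be scripted across all of the named files. This is an added example, not LogicMonitor's code: the file names and the directive come from the thread, while the `#` comment convention and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names and the directive come from the thread. Treating lines that
# start with '#' as comments is an assumption about the conf syntax.
CONF_FILES = ("wrapper.conf", "watchdog.conf", "websites.conf", "services.conf")
DIRECTIVE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=([^\s'\"]+)")


def check_conf(path):
    """Return 'missing-file', 'absent', 'disabled' or 'present'."""
    if not path.is_file():
        return "missing-file"
    status = "absent"
    for raw in path.read_text(errors="replace").splitlines():
        if raw.lstrip().startswith("#"):
            continue  # a commented-out directive has no effect
        m = DIRECTIVE.search(raw)
        if m and m.group(1).lower() == "true":
            return "present"
        if m:
            status = "disabled"  # set, but to something other than true
    return status


def audit(conf_dir):
    """Map each conf file named in the thread to its status."""
    return {name: check_conf(Path(conf_dir) / name) for name in CONF_FILES}


def demo():
    # Constructed sample files, not copied from a real Collector.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "wrapper.conf").write_text(
            "wrapper.java.additional.1=-Dlog4j2.formatMsgNoLookups=true\n")
        Path(d, "watchdog.conf").write_text(
            "#opts=-Dlog4j2.formatMsgNoLookups=true\nopts=-Xmx64m\n")
        Path(d, "websites.conf").write_text(
            "opts=-Dlog4j2.formatMsgNoLookups=false\n")
        return audit(d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15} {status}")
```

On a real Collector, call `audit()` with the Conf directory from the post above. A "present" result shows the setting is in the file, not that the running JVM has restarted with it, so pair it with the event log line mentioned in the thread.
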
DanB, posted December 13, 2021:

Is there something that LM will release more official that we can share with our clients? I've been asked many times today if we can delete these files or uninstall LM Collectors b/c these boxes are still turning up as still 'venerable' by these vulnerability scans.

Stuart Weenig (Guest), posted December 13, 2021:

Haha, 'venerable' is a good thing. "Vulnerable" is not. Official notice should be coming out some time this week.

Dennis Huynh, posted December 13, 2021:

> 2 hours ago, Steve the IT Guy said:
> To confirm the configuration update, look in C:\Program Files (x86)\LogicMonitor\Agent\Conf\watchdog.conf for "-Dlog4j2.formatMsgNoLookups=true"

Thanks!

Nathan Abbott, posted December 14, 2021:

Just curious when a patch will be released that does not contain a vulnerable version? A mitigation is not the same as having fully patched and up-to-date software. A mitigation is more of a stop-gap measure until an update to the most recent non-vulnerable version can be deployed.

Stuart Weenig (Guest), posted December 15, 2021:

I believe this is the highest priority activity for us right now. It should drop soon; I believe the decision has been to remove it entirely since it's not being used anyway.

I understood log4j to be included in the Collector but not actually used in any capacity. Most vulnerability scanners can detect whether or not log4j is present, but not if the vulnerability can actually be exploited. So while the current version of the Collector may show up as containing log4j, that doesn't necessarily mean that the vulnerability exists and can be exploited.

To be clear, a new collector version will be the third method of protecting against any log4j exploitation on the Collectors. The second is the configuration change that was already pushed out; the first is the fact that log4j isn't actively used by any of the Collector components.

FrankG, posted December 15, 2021:

There are end customers of ours disabling Collectors due to this issue. Any chance that a patch will become available with the updated log4j libraries in it?

FrankG, posted December 15, 2021:

Or the removal of the log4j libraries (as you mention in another post)?

Michael Rodrigues (LogicMonitor Staff), posted December 15, 2021:

We're working on a patched version of the collector with updated log4j; it's scheduled to drop soon. Official communication is here and will be updated as we know more.

FrankG, posted December 16, 2021:

Thanks @Michael

Mosh, posted December 16, 2021:

Thanks @Michael Rodrigues. We would much prefer that LogicMonitor updates the log4J libs in the collectors to 2.16 minimum as there are also vulnerabilities in 2.15.

Michael Rodrigues (LogicMonitor Staff), posted December 16, 2021:

GD 31.001 is now available in portals. It has log4j 2.16 to mitigate the log4shell vulnerabilities. We'll continue to update our official communication as things progress: https://www.logicmonitor.com/support/log4shell-security-vulnerability-cve-2021-44228

Thanks for your patience!

Mosh, posted December 20, 2021 (edited December 20, 2021 by Mosh: added a link):

@Michael Rodrigues @Stuart Weenig

For info, Log4J 2.16 also has an exploitable vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/security.html

We are upgrading all of our own enterprise products to use 2.17. Will LogicMonitor be upgrading to 2.17?

nolimit99rbs, posted December 20, 2021:

> 4 hours ago, Mosh said:
> @Michael Rodrigues @Stuart Weenig For info, Log4J 2.16 also has an exploitable vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 https://logging.apache.org/log4j/2.x/security.html We are upgrading all of our own enterprise products to use 2.17. Will LogicMonitor be upgrading to 2.17?

2nd this. Though the vulnerability is less severe, does LogicMonitor plan to update to 2.17 given the high visibility of these vulnerabilities? If so, when can we expect an updated collector? Thank you

Mike Moniz, posted December 21, 2021:

Looks like LM just released 31.002 with Log4J 2.17, https://www.logicmonitor.com/support/gd-collector-31002

alan, posted December 22, 2021:

Has anyone been able to confirm log4j has updated to 2.17? Linux collectors on 31.002 are still showing 2.13 jars.

Mosh, posted December 22, 2021:

> 29 minutes ago, alan said:
> Has anyone been able to confirm log4j has updated to 2.17? Linux collectors on 31.002 are still showing 2.13 jars.

Hi @alan, where are you seeing JARs for 2.13?

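For alan's question about which log4j jars are actually on disk after an upgrade, an inventory that reads the version from the jar's embedded Maven metadata is more reliable than file names alone. This is an added example, not LogicMonitor's code: the 2.17 threshold is the version requested in the thread, and the sample jars are constructed in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_VERSION = (2, 17)  # the release the thread asks for


def jar_version(jar):
    """Return the log4j-core version of a jar, or None if it is not one."""
    try:
        with zipfile.ZipFile(jar) as z:
            m = None
            if POM in z.namelist():  # embedded metadata survives a rename
                text = z.read(POM).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.M)
            if m is None:  # fall back to the file name
                m = re.match(r"log4j-core-(\d[\w.-]*)\.jar$", jar.name)
            return m.group(1) if m else None
    except zipfile.BadZipFile:
        return None


def below_minimum(version):
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
    return nums < MIN_VERSION


def scan(root):
    """Return (file name, version, below_minimum) for each log4j-core jar."""
    found = ((p.name, jar_version(p)) for p in sorted(Path(root).rglob("*.jar")))
    return [(n, v, below_minimum(v)) for n, v in found if v]


def demo():
    # Constructed jars: (file name, version in pom.properties or None).
    samples = (("logging.jar", "2.13.3"), ("log4j-core-2.17.0.jar", "2.17.0"),
               ("log4j-core-2.16.0.jar", None))
    with tempfile.TemporaryDirectory() as d:
        for name, ver in samples:
            with zipfile.ZipFile(Path(d, name), "w") as z:
                z.writestr("README", "constructed sample")
                if ver:
                    z.writestr(POM, f"version={ver}\n")
        return scan(d)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan()` at the Collector install directory to list what is present. It does not look inside jars nested within other archives, and leftover jars from a previous version that are no longer on the classpath will still be listed.
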