
Updated: 6th of January 2022 (previous revision: 22/12/2021)

Statement

On Friday, 10 December 2021, our OWASP scan alerted us to a vulnerability in Log4J, a commonly used open-source logging library for Java applications: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Analysis Delft-FEWS

...

components and Log4Shell vulnerability CVE-2021-44228.

Worldwide, many Java-based applications suffer from the Log4Shell vulnerability CVE-2021-44228. It is caused by a vulnerability in the log4j2 library. The log4j-core-2.11.1.jar is also shipped with the Delft-FEWS software in the 2018.02 - 2021.02 releases. Our users are right in demanding clarity from Deltares on whether Delft-FEWS is impacted. Here is the summary of our analysis of the Delft-FEWS software.

  • The Open Archive, in particular the ElasticSearch and Thredds components with Java 8, is vulnerable.
  • Delft-FEWS 2018.02 and later are NOT vulnerable, since the vulnerable method (JNDI lookup) is not executed/executable/runnable from Delft-FEWS.
  • Some of the model adapters maintained by Deltares use Log4j2, but they also do not use the vulnerable class (JNDI lookup) nor are they 'open to the outside world', and therefore they are NOT vulnerable either.
  • Tomcat can only be vulnerable when the applications deployed on it are vulnerable. The Admin Interface, Webservices and Database Proxy are NOT vulnerable.
  • Older Delft-FEWS versions (2017.02 and before) are NOT vulnerable to CVE-2021-44228 since log4j version 1.x is used. Log4j 1 does not have the vulnerable JNDI lookup class, but it can be vulnerable through CVE-2021-4104 when someone maliciously configures the JMS appender.
  • Deltares supports at maximum 5 versions. If you are still on 2017.02 or before, it is strongly recommended to upgrade to a supported version.
  • JdbcAppenders, as in CVE-2021-44832, are also not executed/executable/runnable from Delft-FEWS.

While Delft-FEWS as such is not directly vulnerable, we do expect virus / security scanners to flag the log4j2 components. We therefore offer updated versions where log4j2 2.11.1 has been replaced with log4j 2.17.

The following fixes and updates are available for Delft-FEWS Stable versions 2019.02 - 2020.01 - 2020.02 - 2021.01 (and release candidate 2021.02):

  • Fixed versions of Elastic Search and Thredds in Open Archive distributions.
  • Updated distributions (for: Master Controller, Operator Client/Forecasting Shell Server, Admin Interface, Delft-FEWS Webservices, Database proxy) with log4j 2.17.
  • Updated distributions for model adapters maintained by Delft-FEWS using log4j 2.*

...

This means that all supported Delft-FEWS versions from 2018.02 and up are NOT directly affected by the vulnerability in Log4J.

We realize that this security issue leads to general concerns. From a Delft-FEWS perspective there is no immediate threat, but we will highlight the no-regret measures that you can implement in the short term. Furthermore, we will share our follow-up plans for upgrading to a higher version of Log4J.

Delft-FEWS Product Management

More technical details

Delft-FEWS versions 2018.02 and higher

Delft-FEWS and its components use Log4j 2.11.1. This is true for the Operator Client, Forecasting Shell Server, Master Controller, Delft-FEWS Webservices, Admin Interface, Database proxy and Open Archive (including Elastic Search). As mentioned, the suspicious method call is replaced in the Delft-FEWS code with our own implementation. The method called 'PatternLayout' is the problem in Log4j; our code uses its own implementation called 'FastLayout', which prevents the malicious JNDI lookup from being used.

Apache's guidance

...

We would like to stress that this class removal is NOT necessary, and we strongly recommend waiting for the updated Delft-FEWS base builds of your version in use, which are to be distributed soon.

Older Delft-FEWS versions (2017.02, 2017.01, 2016.02...)

Although not supported anymore, we are aware that some older Delft-FEWS versions are in use. 

All older Delft-FEWS versions before 2018.02 use log4j version 1.x, which does not contain the vulnerable class (JNDI lookup). Also, the JMSAppender is not used. See Apache's statement on Log4j v1.x: https://logging.apache.org/log4j/2.x/security.html

Log4j version 1.x is end-of-life, so we strongly recommend upgrading to a supported version of Delft-FEWS (at least 2018.02, but preferably higher).
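The two sections above describe what a virus or security scanner looks for in an installation: log4j-core jars below 2.17, whether Apache's JndiLookup.class removal was applied, and end-of-life log4j 1.x jars identified by their JMSAppender class. As an added example (not part of the Deltares statement or the Delft-FEWS code), the check below reads the log4j-core version from the jar's pom.properties and classifies each jar accordingly; the sample jars are constructed in a temporary directory with dummy class bytes, and 2.17.0 is taken as the fixed version because that is the version the statement upgrades to.

```python
import os, re, tempfile, zipfile
# Marker entries inside log4j jars (real paths from the Apache artifacts).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER_V1 = "org/apache/log4j/net/JMSAppender.class"
FIXED_VERSION = (2, 17, 0)  # the version the statement above upgrades to

def parse_version(text):
    # '2.11.1' -> (2, 11, 1); '2.17' is padded to (2, 17, 0); '-beta9' qualifiers are dropped
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def assess_jar(path):
    """Classify one jar; None means it is not a log4j jar at all."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        if JMS_APPENDER_V1 in names:  # 1.x: end-of-life; CVE-2021-4104 needs a malicious JMSAppender config
            return "LOG4J1_EOL"
        if POM_PROPS not in names:
            return None
        props = dict(line.split("=", 1) for line in z.read(POM_PROPS).decode().splitlines()
                     if "=" in line and not line.startswith("#"))
    if parse_version(props.get("version", "0")) >= FIXED_VERSION:
        return "FIXED"
    if JNDI_LOOKUP not in names:  # Apache's class-removal workaround was applied
        return "MITIGATED_CLASS_REMOVED"
    return "VULNERABLE_CVE-2021-44228"

def scan(root):
    # Walk a directory tree and map every log4j jar file name to its status.
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            status = assess_jar(os.path.join(dirpath, name)) if name.endswith(".jar") else None
            if status:
                results[name] = status
    return results

def build_demo_tree():
    # Constructed sample jars with dummy class bytes, standing in for a real installation.
    root = tempfile.mkdtemp()
    def jar(name, entries):
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            for entry, data in entries.items():
                z.writestr(entry, data)
    core = lambda v: {POM_PROPS: f"version={v}\nartifactId=log4j-core\n"}
    jar("log4j-core-2.11.1.jar", {**core("2.11.1"), JNDI_LOOKUP: b"\xca\xfe"})
    jar("log4j-core-2.11.1-stripped.jar", core("2.11.1"))  # JndiLookup.class zipped out
    jar("log4j-core-2.17.0.jar", {**core("2.17.0"), JNDI_LOOKUP: b"\xca\xfe"})
    jar("log4j-1.2.17.jar", {JMS_APPENDER_V1: b"\xca\xfe"})
    jar("other-lib.jar", {"com/example/Foo.class": b"\xca\xfe"})
    return root
```

Jars nested inside WAR or EAR archives are not unpacked here; point `scan()` at the exploded deployment directories (for example Tomcat's webapps) to cover those.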

Model adapters (maintained by Deltares)

Model adapters may use the log4j 2 libraries as well. In the Deltares-maintained model adapter code, the vulnerable class (JNDI lookup) is NOT implemented, nor are any methods set 'open to the outside world'.

Where applicable, Deltares has upgraded the log4j libraries to version 2.17 and model adapter packages are distributed on request as part of the mitigation plan (see below).

...

  • ...: HEC-HMS, Kanali, Ribasim, SMAP, SWAN, SWMM and WANDA. The Delft3D model adapter is part of the Delft-FEWS code, so this one is automatically part of the updated distributions.

Remark: an updated distribution for Delft-FEWS 2018.02 will be made available a.s.a.p.

For more information on how to obtain new distributions, please contact fews.support@deltares.nl and visit the installation instruction page (wiki login required).

All other model adapters we are aware of do not use Log4j version 2.x (they use log4j 1.x, so they are not affected). Upgrading these model adapters to the latest Log4j library means a lot more work and will be considered early 2022.

Current mitigation plan: Log4j Upgrade to 2.17: New basebuilds will be made available for all supported Delft-FEWS versions

Another vulnerability was fixed in a newly released version of Log4j. For all supported Delft-FEWS versions (2019.02 and higher) a new base-build and patch will be made available, using Log4J version 2.17.

The earlier mentioned base-build with version 2.15 will not be released. With the new base build and patch installed, the scanning tools will no longer flag Log4j.

New packages of the Master Controller, Admin Interface, OC/FSS binaries, Delft-FEWS Webservices and ArchiveServer (including updated versions of ElasticSearch and Thredds) for all supported Delft-FEWS versions are being prepared.

The same is true for the latest versions of model adapters maintained by Deltares.

If you or your organisation would like to receive the updated base-build/patch of your version, let us know! Please send an e-mail to fews.support@deltares.nl

If you have any other questions concerning the above, do not hesitate to contact us.

A special instructions page has been created for use once you have downloaded the Delft-FEWS package of your version. These packages are provided on request by our Delft-FEWS Support desk.

Delft-FEWS Product Management