
Updated: 6th of January 2022

Statement

Last Friday, 10 December 2021, our OWASP-scan and many Delft-FEWS users alerted us to a vulnerability in Log4J, a commonly used open-source library for java applications. https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Analysis Delft-FEWS

...

components and Log4Shell vulnerability CVE-2021-44228.

Worldwide, many Java-based applications suffer from the Log4Shell vulnerability CVE-2021-44228. It is caused by a vulnerability in the log4j2 library. The log4j-core-2.11.1.jar is also shipped with the Delft-FEWS software in the 2018.02 - 2021.02 releases. Our users are right to demand clarity from Deltares on whether Delft-FEWS is impacted. Here is the summary of our analysis of the Delft-FEWS software.

  • The Open Archive, in particular the ElasticSearch and Thredds components running on Java 8, is vulnerable.
  • Delft-FEWS 2018.02 and later are NOT vulnerable, since the vulnerable code path (the JNDI lookup) cannot be executed from Delft-FEWS.
  • Some of the model adapters maintained by Deltares use Log4j2, but they also do not use the vulnerable class (JNDI lookup), nor are they 'open to the outside world', and therefore they are NOT vulnerable either.
  • Tomcat can only be vulnerable when the applications deployed on it are vulnerable. The Admin Interface, Webservices and Database Proxy are NOT vulnerable.
  • Older Delft-FEWS versions (2017.02 and before) are NOT vulnerable to CVE-2021-44228 since log4j version 1.x is used. Log4j 1 does not have the vulnerable JNDI lookup class, but it can be vulnerable through CVE-2021-4104 when someone maliciously configures the JMS appender.
  • Deltares supports at most 5 versions. If you are still on 2017.02 or before, it is strongly recommended to upgrade to a supported version.
  • JdbcAppenders, as in CVE-2021-44832, likewise cannot be executed from Delft-FEWS.

While Delft-FEWS as such is not directly vulnerable, we do expect virus / security scanners to flag the log4j2 components. We therefore offer updated versions where log4j2 2.11.1 has been replaced with log4j 2.17.

The following fixes and updates are available for Delft-FEWS Stable versions 2019.02 - 2020.01 - 2020.02 - 2021.01 (and release candidate 2021.02):

  • Fixed versions of Elastic Search and Thredds in Open Archive distributions.
  • Updated distributions (for: Master Controller, Operator Client/Forecasting Shell Server, Admin Interface, Delft-FEWS Webservices, Database proxy) with log4j 2.17.
  • Updated distributions for model adapters maintained by Delft-FEWS using log4j 2.*: HEC-HMS, Kanali, Ribasim, SMAP, SWAN, SWMM and WANDA. The Delft3D model adapter is part of the Delft-FEWS code so this one is automatically part of the updated distributions.

Remark: an updated distribution for Delft-FEWS 2018.02 will be made available a.s.a.p.

For more information on how to obtain new distributions, please contact fews.support@deltares.nl and visit the installation instruction page (wiki login required).

Delft-FEWS Product Management

This means that all supported Delft-FEWS versions from 2018.02 and up are NOT directly affected by the vulnerability in Log4J.

We realize that this security issue leads to general concerns. From a Delft-FEWS perspective there is no immediate threat, but we will highlight the no-regret measures that you can implement in the short term. Furthermore, we will share our follow-up plans for upgrading to a higher version of Log4J.

Delft-FEWS Product Management
13th of December 2021

More technical details

Delft-FEWS and its components use Log4j 2.11.1. This is true for the Operator Client, Forecasting Shell Server, Master Controller, Delft-FEWS Webservices, Admin Interface, Database proxy and Open Archive (including Elastic Search). As mentioned, the suspicious call is replaced in the Delft-FEWS code by our own implementation: the Log4j component concerned is 'PatternLayout', and our code uses its own implementation, 'FastLayout', which prevents the malicious JNDI lookup from being used.

Java option/version aspects

According to Apache’s guidance, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

This setting can be implemented straight away and can be applied to the following components:

For all Tomcat based web applications:
add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true. More information for Tomcat based applications

  • Admin Interface: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
  • FewsWebServices: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
  • DatabaseProxy: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true
  • ArchiveServer: add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true

Open Archive (including Elastic Search)
In the start-up scripts (bin/elastic or bin/elastic.bat) of the Archive Server this -D option can be added.

For Elastic itself (the Open Archive catalogue), this workaround is not applicable. See https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476. Elastic has announced a new version; as soon as it is available, Deltares will provide a new package.
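To check that the mitigation above is actually needed, and later that the updated distributions with log4j 2.17 have replaced the 2.11.1 jars everywhere, it helps to inventory the log4j-core jars under an installation. The following is an added example, not Deltares or Delft-FEWS code: it walks a directory tree (assumed to be a Tomcat or FEWS installation), reads the version from each log4j-core file name, checks whether the JndiLookup class is present, and classifies the jar against the versions this page names (>=2.10 can be mitigated with formatMsgNoLookups, 2.17 is the updated version); the sample jars it builds are constructed stand-ins, not real log4j jars.

```python
# Added example (not Deltares / Delft-FEWS code): inventory the log4j-core jars
# under an installation tree against the versions named in this advisory.
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
UPDATED = (2, 17, 0)      # version shipped in the updated Delft-FEWS builds
MITIGATABLE = (2, 10, 0)  # from here on -Dlog4j2.formatMsgNoLookups=true applies


def inspect_jar(path):
    """Describe one log4j-core jar: version, JndiLookup presence and status."""
    m = JAR_NAME.match(os.path.basename(path))
    if not m:
        return None  # not a log4j-core 2.x jar (e.g. log4j-api, log4j 1.x)
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    if version >= UPDATED:
        status = "updated"
    elif version >= MITIGATABLE:
        status = "needs update; formatMsgNoLookups mitigation applicable"
    else:
        status = "needs update; formatMsgNoLookups mitigation not applicable"
    return {"path": path, "version": version,
            "jndi_lookup_present": has_jndi, "status": status}


def scan_tree(root):
    """Walk a tree (e.g. a Tomcat webapps or FEWS bin directory) for jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = inspect_jar(os.path.join(dirpath, name))
            if info:
                findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree():
    """Constructed stand-in jars (manifest plus an empty class entry) in a temp dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "webapps"))
    for rel, version in (("log4j-core-2.11.1.jar", "2.11.1"),
                         ("webapps/log4j-core-2.17.0.jar", "2.17.0")):
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % version)
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # present in both; the version decides
    return root
```

Run `scan_tree()` against the real installation directory instead of `make_sample_tree()`; any finding whose status is not "updated" still needs the JAVA_OPTS property or the updated distribution.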

Log4j Upgrade to 2.15: New basebuilds will be made available for all supported Delft-FEWS versions

A Log4J upgrade is available and is necessary to prevent security/vulnerability-scanning tools from producing false alarms (for Delft-FEWS). This 2.15 version needs to be 'packed and distributed' with all other Java code of Delft-FEWS.

In the development version of Delft-FEWS (leading to 2022.01) we have replaced Log4j 2.11.1 with the latest version (2.15). The same is true for Delft-FEWS 2021.02, which is about to be released.

For all other supported Delft-FEWS versions (2019.02 and higher) Deltares will provide a new base-build (+patch) in the next few days. This new base-build will contain Log4J version 2.15. If you are running an older version, please contact the Delft-FEWS helpdesk at fews.support@deltares.nl.

With the new base build and patch installed, the scanning tools will no longer flag Log4j.

If you or your organisation would like to receive the updated base-build/patch for your version, let us know by sending an e-mail to fews.support@deltares.nl.

If you have any other question concerning the above, do not hesitate to contact us.

Delft-FEWS Product Management
13th of December 2021