The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Apache Log4j < 2.15.0 Remote Code Execution (Nix) (155999)

Carlos | Last updated: Dec 13, 2021 03:18PM UTC

Tenable reported bug on Burp Enterprise

Synopsis
A package installed on the remote host is affected by a remote code execution vulnerability.

Description
The version of Apache Log4j on the remote host is < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution
Upgrade to Apache Log4j version 2.15.0 or later, or apply the vendor mitigation.

See Also
Links: github.com apache.org

Plugin Output
Path : /opt/burpsuite_enterprise/webServer/2021.11-8333/lib/log4j-core-2.14.1.jar
Installed version : 2.14.1
Fixed version : 2.15.0
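The Nessus finding above is purely version-based. The following scanner is an added example (not part of the thread and not PortSwigger's or Tenable's code) that reproduces that check over a directory tree and adds the second check a practitioner wants: whether a flagged jar still contains the JndiLookup class. The sample tree it builds is constructed for the demonstration and is not a real Burp Enterprise install.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # version Nessus plugin 155999 reports as fixed
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(filename):
    """(major, minor, patch) from a log4j-core jar name, or None if not one."""
    m = JAR_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None

def has_jndi_lookup(path):
    """True if the jar still contains JndiLookup.class; unreadable jars count as True."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return True

def scan(root):
    """Walk root and report every log4j-core jar with its version and both checks."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ver = parse_version(name)
            if ver is None:
                continue
            path = os.path.join(dirpath, name)
            findings.append({
                "path": os.path.relpath(path, root),
                "version": ".".join(map(str, ver)),
                "below_fixed": ver < FIXED_VERSION,
                "jndi_lookup_present": has_jndi_lookup(path),
            })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Constructed sample tree (not a real install): one old jar, one at the fixed version."""
    root = tempfile.mkdtemp()
    old, new = os.path.join(root, "2021.11-8333", "lib"), os.path.join(root, "other", "lib")
    os.makedirs(old); os.makedirs(new)
    with zipfile.ZipFile(os.path.join(old, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"")  # empty stand-in for the real class file
    with zipfile.ZipFile(os.path.join(new, "log4j-core-2.15.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"")  # no JndiLookup entry
    return scan(root)
```

Run `scan("/opt/burpsuite_enterprise/webServer")` on a host to list every retained release directory that still ships the old jar; a jar below 2.15.0 with the JndiLookup entry present is the case the plugin flags.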

Uthman, PortSwigger Agent | Last updated: Dec 13, 2021 04:01PM UTC

Hi Carlos, We're aware of this issue already, so thank you for reporting it. We utilize a custom-built JDK and I can confirm we don't use log4j for logging (we use slf4j). It is still included as a transitive dependency, so as a precautionary measure, we are in the process of excluding the core library from the dependencies altogether. We will be releasing this fix imminently, but I would be happy to confirm via update once complete.

Jay | Last updated: Dec 20, 2021 02:37AM UTC

Is there an update here and an official response from PortSwigger regarding log4j being exploitable via Burp Enterprise? I'm running v2021.12.1-8680 of Burp Enterprise and still have /opt/burpsuite_enterprise/webServer/2021.11-8333/lib/log4j-core-2.14.1.jar on my host server.

Uthman, PortSwigger Agent | Last updated: Dec 20, 2021 09:53AM UTC

Hi Jay,

We've released the patch in 2021.12.1. If you have updated to this version successfully, feel free to delete the log4j-core-2.14.1.jar file in the 2021.11 directory since this was only used in 2021.11.

Jay | Last updated: Dec 20, 2021 11:47AM UTC

Can you provide more details on where & how log4j-core-2.14.1.jar could have been exploited in 2021.11? You said it was a transitive dependency, which component leveraged log4j and how is that component used in Burp Enterprise?

Uthman, PortSwigger Agent | Last updated: Dec 20, 2021 01:21PM UTC

Hi Jay,

Feedback from our development team:

The vulnerability itself could not be exploited in Enterprise as it was not actually used for logging by any component, the logging was routed to a different library in production.

Log4j was a dependency of the SCIM-SDK which has released a log4j fix of their own with the following comment:

Move log4j into test-scope
log4j was delivered as a dependency with the scim-sdk even though it should not. I double-checked this because of CVE-2021-44228 and so I completely removed the dependency from compile-scope. Please note that log4j is not a used dependency in previous versions if not explicitly configured.

Jay | Last updated: Dec 20, 2021 03:41PM UTC

Rather than deleting just the log4j-core-2.14.1.jar file, is it safe to delete all folders in /opt/burpsuite_enterprise/webServer/ older than 2021.12.1-8680? It seems that Burp Enterprise leaves older releases, so I have about 15 folders older than 2021.12.1-8680.

Uthman, PortSwigger Agent | Last updated: Dec 21, 2021 12:58PM UTC