A potentially critical 0-day exploit CVE was identified on Dec 10, 2021.
Armory has investigated this 0-day critical issue, and has performed analysis on the vulnerability and its potential for harm to Armory Enterprise customers.
The vulnerability exposes a remote-execution vulnerability in services that use
log4j. Spinnaker services use
logback, a different logging implementation.
Here are some examples of how the vulnerability might be exploited:
The affected class
org.apache.logging.log4j.core.lookup.JndiLookup is not bundled with Armory Enterprise.
This was validated by inspecting service dependencies, logs from active services and thread profiling services to ensure the affected class is neither packaged or used.
The vulnerable class outlined in the CVE is not packaged with Armory Enterprise services, but because we transitively pull in log4j we have taken remediation steps on behalf of customers to remove the potentiality of this vulnerability in future releases.
Armory has made changes to their commons code for Spinnaker to ensure that this code does not affect future releases
Update Dec 14, 2021:
Log4j has released
version 2.16 which sets JNDI lookups to be disabled by default as well as removing support for messaging lookups.
We recommend our customers bump to 2.16 vs. just 2.15 in other software that may be using
log4j to receive these updates. https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
Additionally, https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/ has some details on other attack vectors.
NOTE again that Spinnaker is not vulnerable to these threats, but we want to provide as much information and assistance to our customers as we can for this particular issue.
Update Dec 15, 2021: We would like to provide further information about some scan results customers may be experiencing with Spinnaker.
From Armory's own experience, we suggest that customers continue to follow information from their security scan providers. Armory uses AquaSec scans, and as an example, we were informed the scan was not tuned properly to look for the Class only, and was scanning based on the original reported vulnerability. Subsequent updates have further refined and tuned the scans towards updates to the CVE and the vulnerability in question. The results now show what was concluded in our findings; that Spinnaker is not affected by the issue.
Customers may also continue to see the inclusion of the
log4j files within the overall Spinnaker library. As we stated in our previous notice, we have investigated the matter and verified that
logback is the only logging provider used within the product.
However, certain pieces of
log4j are included transitively from other frameworks. Those transitive includes do not include in the vulnerable code - only api libraries. We will proactively add controls to prevent contamination of the
log4j-core library which contains the vulnerability in case of a future library change. There is no immediate risk to Enterprise customers, since the class
org.apache.logging.log4j.core.lookup.JndiLookup is not contained in any code nor library shipped with Armory Enterprise.
As Tested On Version
2.25.x, 2.26.x, 2.27.x