Log4Shell or Apache's Log4j (CVE-2021-44228) vulnerability and Tango
This issue documents all the information on the Log4Shell vulnerability in Apache's log4j library and Tango Controls. Please add any information you have or comments to this ticket. You can also ask questions on the forum.
Background
Log4Shell is a critical security vulnerability which allows an attacker who can get a crafted string logged to execute untrusted code in Java applications using Apache Log4j 2 versions 2.0-beta9 through 2.14.1 (the incomplete fix shipped in 2.15.0 is tracked separately as CVE-2021-45046). It is documented on many sites, but here are some descriptions from well-known sources:
The Wikipedia entry contains links to other sites which document the issues further.
The original vulnerability (CVE-2021-44228) has a number of mitigating strategies documented here:
Log4j 2.15.0 was the first release to address this issue, but that fix was incomplete (CVE-2021-45046); 2.16.0 disabled JNDI by default and removed message lookups, and further issues found afterwards (CVE-2021-45105, CVE-2021-44832) were fixed in 2.17.0 and 2.17.1. See the log4j security page for details:
As this is a critical security issue (considered by some experts to be one of the worst in internet history due to its nature and very large impact), it was decided in the Tango Kernel Followup meeting of 16 December 2021 to create this issue.
Impact on Tango - summary
In brief, Tango is not impacted by Log4Shell because it uses Log4j 1.x, which does not contain the vulnerable message lookup code. Note that Log4j 1.x is end of life and has its own, separate advisories (see Mitigating actions and Other vulnerabilities below).
Impact on Tango - details
This section documents in detail what was done to analyse the impact of Log4Shell on Tango. The version analysed was the latest stable version, Tango 9.3.4, but the analysis applies to all releases of Tango using JTango (first released in January 2013).
Tango uses Java for the graphical tools used to create, modify and debug devices and device servers. The main tools are Jive, ATK and Astor. These tools rely on JTango to communicate with the Tango control system and do not necessarily run all the time. In addition, JTango can be used to develop device servers in Java. The Java tools and libraries delivered as part of Tango 9.3.4 were analysed with grype, a tool for finding known vulnerabilities in packages (not only Java ones). Running grype V0.28.0 on 30 December 2021 produced the output in the attached file tango_9_4_3_grype.out.
No Log4Shell vulnerability was found because, as already stated, log4j 2.x is not used by any of the Tango Java packages. The only package found to depend on log4j 1.2 was Pogo, through its dependencies on other packages such as Xtext. The one log4j class which could be considered a problem (JndiLookup) can even be removed from Pogo without any side effects (see Mitigating actions).
Mitigating actions
As stated above, Tango does not suffer from the Log4Shell vulnerability. The only package depending on log4j 1.2 is Pogo, and log4j 1.2 does not contain the vulnerable message lookup; its only JNDI code path is JMSAppender (CVE-2021-4104), which is exploitable only by an attacker who already has write access to the logging configuration. Nonetheless, if you are still paranoid you can delete the JndiLookup class from the Pogo jar file and Pogo will still work. Note that the path below is that of the Log4j 2 core class (Log4j 1.2 classes live under org/apache/log4j/), so list the jar first to see which log4j classes it actually bundles; if the entry is absent, zip warns that the name was not matched and leaves the jar unchanged. Use zip to delete the class:
sudo zip -q -d Pogo.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
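The `zip -d` command above removes one class from one jar, but it does not tell you whether that class was there in the first place, which Log4j generation (1.x under org/apache/log4j/, 2.x under org/apache/logging/log4j/core/) a jar actually bundles, or whether a dependency jar is nested inside an application jar where `zip -d` on the outer file cannot reach it. The following script, added here as an example and not part of the Tango project or its tooling, does those checks: it lists the Log4j classes and Maven artifact versions in a jar and any nested jars, then rebuilds the jar without JndiLookup.class. The sample jar it scans is constructed inline (dummy class bodies, a Log4j 1.2.17 class and a nested unpatched log4j-core 2.14.1); the entry names are assumptions for the demonstration, not Pogo's real contents.

```python
"""List bundled Log4j classes in a jar (and nested jars) and write a copy
without the Log4j 2 JndiLookup class. Added example, not Tango project code;
the sample jar below is constructed for the demonstration."""
import io
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.x classes live under org/apache/log4j/, Log4j 2 core classes under
# org/apache/logging/log4j/core/. JndiLookup is the class the `zip -d`
# command above removes; it does not exist in Log4j 1.x at all.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _artifact_versions(zf: zipfile.ZipFile, names: list[str]) -> dict[str, str]:
    """Read Maven pom.properties entries to learn which log4j artifacts are bundled."""
    versions = {}
    for n in names:
        if n.startswith("META-INF/maven/") and n.endswith("/pom.properties"):
            text = zf.read(n).decode("utf-8", "replace")
            props = dict(line.split("=", 1) for line in text.splitlines()
                         if "=" in line and not line.startswith("#"))
            if props.get("artifactId") in ("log4j", "log4j-core"):
                versions[props["artifactId"]] = props.get("version", "").strip()
    return versions


def scan_jar_bytes(data: bytes, label: str) -> list[dict]:
    """Return one finding per (nested) jar that contains Log4j classes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        finding = {
            "jar": label,
            "log4j1": any(n.startswith(LOG4J1_PREFIX) for n in names),
            "log4j2_core": any(n.startswith(LOG4J2_PREFIX) for n in names),
            "jndi_lookup": JNDI_LOOKUP in names,
            "versions": _artifact_versions(zf, names),
        }
        if finding["log4j1"] or finding["log4j2_core"]:
            findings.append(finding)
        # Fat jars carry dependencies as nested jars, which a plain listing misses.
        for n in names:
            if n.endswith(".jar"):
                findings.extend(scan_jar_bytes(zf.read(n), f"{label}!{n}"))
    return findings


def scan_jar(path: Path) -> list[dict]:
    return scan_jar_bytes(path.read_bytes(), path.name)


def strip_jndi_lookup_bytes(data: bytes) -> tuple[bytes, int]:
    """Rebuild the jar without JndiLookup.class, recursing into nested jars
    (zipfile cannot delete in place, which is why the page uses `zip -d`)."""
    removed, out = 0, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed += 1
                continue
            payload = zin.read(item.filename)
            if item.filename.endswith(".jar"):
                payload, n = strip_jndi_lookup_bytes(payload)
                removed += n
            zout.writestr(item.filename, payload)
    return out.getvalue(), removed


def strip_jndi_lookup(src: Path, dst: Path) -> int:
    stripped, removed = strip_jndi_lookup_bytes(src.read_bytes())
    dst.write_bytes(stripped)
    return removed


def build_sample_jar(path: Path) -> None:
    """Constructed sample: an application jar bundling Log4j 1.2.17 classes and
    nesting an unpatched log4j-core 2.14.1 jar that still ships JndiLookup."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; enough for a listing
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr(LOG4J2_PREFIX + "LoggerContext.class", stub)
        z.writestr(JNDI_LOOKUP, stub)
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("example/App.class", stub)
        z.writestr(LOG4J1_PREFIX + "Logger.class", stub)
        z.writestr("META-INF/maven/log4j/log4j/pom.properties",
                   "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        z.writestr("lib/log4j-core-2.14.1.jar", nested.getvalue())


def run_demo() -> dict:
    """Build the sample jar in a temp dir, scan it, strip JndiLookup, rescan."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "sample.jar", Path(d) / "sample-stripped.jar"
        build_sample_jar(src)
        before = scan_jar(src)
        removed = strip_jndi_lookup(src, dst)
        after = scan_jar(dst)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for finding in run_demo()["before"]:
        print(finding)
```

On a real jar, call scan_jar(Path("Pogo.jar")) instead of run_demo(): a finding with log4j1 set and no log4j2_core entry means the jar carries only Log4j 1.x, in which case there is no JndiLookup to remove and the `zip -d` step is a no-op; a nested jar finding with jndi_lookup set is the case where `zip -d` on the outer jar would silently miss the class.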
Other vulnerabilities
A number of other vulnerabilities (not Log4Shell) of differing severity are detected by grype (see the attached file above). These are in Pogo but also in the RestServer. So far none of these have been known to cause problems, but if you are concerned please raise the issue here or on the forum.
Best practice
Follow best practices for your control system, e.g. minimise direct exposure of the control system to the internet and keep your firewalls patched.