Vulnerability subject to the GeoNetwork Enterprise responsible disclosure policy. This policy applies to you, our customers; please do not share this sensitive content.
2021-12-09: Log4j2 Remote Code Execution CVE-2021-44228 vulnerability patch for GeoNetwork Enterprise
A zero-day exploit affecting the popular Apache Log4j2 utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).
Evaluation:
GeoNetwork Enterprise 2020.5.5 and earlier are vulnerable.
Mitigation:
Users using GeoNetwork Enterprise 2020.5.5 and earlier are advised to apply the following hotfix.
- Download the file log4j-core-2.7.jar:
- This hotfix removes the JndiLookup.class class to mitigate the issue as described in CVE-2021-44228. The vulnerability relies on using JNDI to contact an LDAP service; removing JndiLookup.class mitigates this vulnerability.
- Stop Tomcat
- Copy the log4j-core-2.7.jar to the folder TOMCAT_DIR/geonetwork/WEB-INF/lib. It is important that this file replaces the existing jar at this location.
- Restart Tomcat
Customers making use of geonetwork.war as part of automated deployment are asked to repackage the geonetwork war to include the above log4j-core-2.7.jar file (to avoid Tomcat redeploying the vulnerability on restart).
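As an added example (not GeoNetwork's own tooling), the following Python script checks whether a deployed log4j-core jar still carries JndiLookup.class and produces a copy with that entry removed, which is the same class removal the hotfix above performs. It assumes the usual entry path org/apache/logging/log4j/core/lookup/JndiLookup.class and works on a constructed sample jar rather than a real log4j-core build.

```python
"""Check for, and strip, JndiLookup.class in a log4j-core jar (CVE-2021-44228 hotfix check)."""
import tempfile
import zipfile
from pathlib import Path

# Entry removed by the hotfix; assumed standard path inside log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class, i.e. the hotfix is not applied."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def strip_jndi_lookup(src_jar, dst_jar):
    """Copy src_jar to dst_jar without JndiLookup.class; return number of entries dropped."""
    removed = 0
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))  # keep original entry metadata
    return removed


def scan_webapp_lib(lib_dir):
    """Return names of log4j-core jars under a WEB-INF/lib directory that are still vulnerable."""
    return sorted(p.name for p in Path(lib_dir).glob("log4j-core-*.jar") if has_jndi_lookup(p))


def make_sample_jar(path, include_jndi=True):
    """Constructed stand-in for log4j-core-2.7.jar (not a real build) for offline demonstration."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Simulate TOMCAT_DIR/geonetwork/WEB-INF/lib: detect, strip, replace in place, re-check."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    jar = lib / "log4j-core-2.7.jar"
    make_sample_jar(jar)
    before = scan_webapp_lib(lib)
    patched = jar.with_suffix(".patched")
    removed = strip_jndi_lookup(jar, patched)
    patched.replace(jar)  # the hotfix requires replacing the existing jar at this location
    return {"before": before, "removed": removed, "after": scan_webapp_lib(lib)}


if __name__ == "__main__":
    print(demo())
```

Run scan_webapp_lib against the real TOMCAT_DIR/geonetwork/WEB-INF/lib after restarting Tomcat to confirm the replaced jar is the one actually deployed.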
Resolution:
Please update to GeoNetwork Enterprise 2020.5.6-1, which makes use of the recommended Apache Log4j 2.17.0 library that is not subject to this vulnerability.