CVE-2021-44228

Vulnerability subject to the GeoNetwork Enterprise responsible disclosure policy. This policy applies to you our customers, please do not share this sensitive content.


2021-12-09: Log4j2 Remote Code Execution CVE-2021-44228 vulnerability patch for GeoNetwork Enterprise

A zero-day exploit affecting the popular Apache Log4j2 utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

Evaluation:

GeoNetwork Enterprise 2020.5.5 and earlier are vulnerable.

Mitigation:

Users using GeoNetwork Enterprise 2020.5.5 and earlier are advised to apply the following hotfix.

  1. Download the file log4j-core-2.7.jar:
  2. This hotfix removes the class JndiLookup.class to mitigate the issue described in CVE-2021-44228.
    The vulnerability relies on using JNDI to contact an LDAP service; removing JndiLookup.class mitigates this vulnerability.
  3. Stop Tomcat
  4. Copy the log4j-core-2.7.jar to the folder TOMCAT_DIR/geonetwork/WEB-INF/lib
    It is important that this file replace the existing jar at this location.
  5. Restart Tomcat

Customers making use of geonetwork.war as part of an automated deployment are asked to repackage the geonetwork war to include the above log4j-core-2.7.jar file (to avoid Tomcat redeploying the vulnerable jar on restart).
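To verify that the hotfix has actually been applied (or to produce a stripped jar for repackaging), the following script is an added example, not GeoCat's own tooling: it lists the log4j-core jars in a WEB-INF/lib directory, reports whether each still contains JndiLookup.class, and can write a copy of a jar with that single entry removed. The jar path and lib directory are assumed to be supplied by the operator; the expected path TOMCAT_DIR/geonetwork/WEB-INF/lib is taken from the steps above.

```python
"""Check and reproduce the CVE-2021-44228 hotfix: a log4j-core jar with
org/apache/logging/log4j/core/lookup/JndiLookup.class removed."""
import sys
import zipfile
from pathlib import Path

# Entry that the hotfix strips from log4j-core (class name used by Log4j 2.x).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_path):
    """Return True if the jar still ships JndiLookup.class (i.e. unpatched)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(src_jar, dst_jar):
    """Write a copy of src_jar to dst_jar without JndiLookup.class.
    Returns the number of entries dropped (0 means src_jar was already patched)."""
    removed = 0
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                removed += 1
                continue
            # Re-use the original ZipInfo so timestamps and compression are kept.
            dst.writestr(info, src.read(info.filename))
    return removed


def scan_lib_dir(lib_dir):
    """Check every log4j-core*.jar under lib_dir (e.g. TOMCAT_DIR/geonetwork/
    WEB-INF/lib). Returns {jar file name: True if still vulnerable}."""
    return {p.name: jndi_lookup_present(p)
            for p in sorted(Path(lib_dir).glob("log4j-core*.jar"))}


if __name__ == "__main__":
    # Usage: python check_log4j.py TOMCAT_DIR/geonetwork/WEB-INF/lib
    for name, vulnerable in scan_lib_dir(sys.argv[1]).items():
        state = "JndiLookup.class PRESENT - apply hotfix" if vulnerable else "patched"
        print(f"{name}: {state}")
```

Running the scan after step 5 (and after any automated redeploy of geonetwork.war) confirms the vulnerable class is no longer on the classpath.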

Resolution:

Please update to GeoNetwork Enterprise 2020.5.6-1 which makes use of the recommended Apache Log4j 2.17.0 library not subject to this vulnerability.

References

  • GeoNetwork, Vulnerability