log4j security issue

unnilennium
Posts: 3
Joined: 28 Oct 2013, 04:51
Has thanked: 0
Been thanked: 0

log4j security issue

Post by unnilennium:

Hi,

Is there any kind of mitigation plan soon for 6.2 servers, as it includes log4j 1.2 and log4j 2.7, which are susceptible to the issue https://logging.apache.org/log4j/2.x/security.html ?

Code:

$ unzip -t madsonic.war |grep log4
    testing: WEB-INF/lib/slf4j-log4j12-1.7.22.jar   OK
    testing: WEB-INF/lib/log4j-1.2-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-1.2.17.jar   OK
    testing: WEB-INF/lib/log4j-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-core-2.7.jar   OK
    testing: WEB-INF/classes/log4j.properties   OK
    testing: WEB-INF/classes/log4j2.xml   OK

According to the changelog of 7.0 (Server 7.0.10360, 20/04/2019), same thing:
Upgrade LIB: log4j 2.7
but I cannot find the jar in the madsonic.war.
unnilennium
Posts: 3
Joined: 28 Oct 2013, 04:51
Has thanked: 0
Been thanked: 0

Re: log4j security issue

Post by unnilennium:

There are actually 3 different CVEs impacting at least up to Madsonic 6.2 (cannot verify myself for 7.x versions):
CVE-2021-4104
CVE-2021-44228
CVE-2021-45046

For those still on Madsonic 5.x, the mitigation would be:

Code:

service madsonic stop
cd /usr/share/madsonic/
unzip -t madsonic.war |grep log4j
    testing: WEB-INF/lib/log4j-1.2.17.jar   OK
    testing: WEB-INF/lib/slf4j-log4j12-1.7.2.jar   OK
    testing: WEB-INF/classes/log4j.properties   OK
# extract the log4j 1.2 jar from the war and strip JMSAppender (CVE-2021-4104)
rm WEB-INF -rf
jar -xvf madsonic.war  WEB-INF/lib/log4j-1.2.17.jar
cd WEB-INF/lib/
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
cd ../../
# write the patched jar back into the war and into the expanded webapp
jar -uvf madsonic.war WEB-INF
rm -rf /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
cp -a WEB-INF/lib/log4j-1.2.17.jar /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
service madsonic start
For those with Madsonic 6.2, the mitigation would be:

Code:

systemctl stop madsonic
cd /usr/share/madsonic/
unzip -t madsonic.war |grep log4j
    testing: WEB-INF/lib/slf4j-log4j12-1.7.22.jar   OK
    testing: WEB-INF/lib/log4j-1.2-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-1.2.17.jar   OK
    testing: WEB-INF/lib/log4j-api-2.7.jar   OK
    testing: WEB-INF/lib/log4j-core-2.7.jar   OK
    testing: WEB-INF/classes/log4j.properties   OK
    testing: WEB-INF/classes/log4j2.xml   OK
# patch 1.2: strip JMSAppender (CVE-2021-4104) from the log4j 1.2 jar
rm WEB-INF -rf
jar -xvf madsonic.war  WEB-INF/lib/log4j-1.2.17.jar
cd WEB-INF/lib/
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
cd ../../
# change 2.x: replace the 2.7 jars with 2.16.0 (CVE-2021-44228, CVE-2021-45046)
# note: --no-check-certificate disables TLS certificate verification for the download
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz --no-check-certificate
tar -xvf apache-log4j-2.16.0-bin.tar.gz \
apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
# keep the 2.7 filenames so the webapp's classpath/config does not change
mv apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar WEB-INF/lib/log4j-1.2-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar WEB-INF/lib/log4j-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar WEB-INF/lib/log4j-core-2.7.jar
# marker files recording what was patched, since the filenames no longer say so
touch  WEB-INF/lib/log4j-2.7patchedTo2.16.0
touch WEB-INF/lib/log4j-1.2patched
#and rebuild
jar -uvf madsonic.war WEB-INF
# update the expanded version: remove it so jetty re-expands the patched war on start
rm -rf /var/madsonic/jetty/
systemctl start madsonic
sources:

Edit: to moderators: sorry, posted in the wrong forum; it should be Server 7.x/Support.
Last edited by unnilennium on 16 Dec 2021, 05:09, edited 1 time in total.
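A way to verify, after either procedure above, that a war no longer carries the risky code: an added example in Python, not code from this thread or from the Madsonic project. It builds a constructed stand-in for madsonic.war in memory (placeholder jars holding only the entries the check inspects, no real bytecode) and reads log4j-core's version from the jar's own Maven `pom.properties` or manifest rather than from its filename, because the 6.2 steps copy the 2.16.0 jars over the 2.7 filenames and a filename-based scanner would then report the patched server as unpatched. The class paths for `JMSAppender` and `JndiLookup` are the real ones; the `pom.properties` location assumes a Maven-built log4j-core jar. Pass a real war path as the first argument to scan it instead of the sample.

```python
import io
import re
import sys
import zipfile

# Marker classes from the thread's mitigation steps and the Apache advisory it
# links: deleting JMSAppender mitigates log4j 1.2 (CVE-2021-4104); log4j-core
# must be 2.16.0 or later for CVE-2021-44228 / CVE-2021-45046.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_CORE_VERSION = (2, 16, 0)
LOG4J12_JAR = re.compile(r"^log4j-1\.2\.\d+\.jar$")


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); None when no dotted number is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def core_version(jar):
    """Read log4j-core's version from inside the jar (assumed Maven layout).
    The thread's fix renames 2.16.0 jars to the 2.7 filenames, so the
    filename alone misreports a patched server; these entries survive."""
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    for path, key in ((pom, "version="), ("META-INF/MANIFEST.MF", "Implementation-Version:")):
        if path in jar.namelist():
            for line in jar.read(path).decode("ascii", "replace").splitlines():
                if line.startswith(key):
                    return parse_version(line)
    return None


def scan_war(war_bytes):
    """One finding per jar that can carry JNDI-lookup or JMS code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (name.startswith("WEB-INF/lib/") and base.endswith(".jar")):
                continue
            if base.startswith("log4j-core-"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    version = core_version(jar) or parse_version(base)
                    entries = set(jar.namelist())
                if JNDI_LOOKUP not in entries:
                    vulnerable, detail = False, "JndiLookup.class removed"
                elif version and version >= FIXED_CORE_VERSION:
                    vulnerable, detail = False, "JndiLookup.class present but version >= 2.16.0"
                else:
                    vulnerable, detail = True, "JndiLookup.class present and version below 2.16.0 or unknown"
            elif LOG4J12_JAR.match(base):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    entries = set(jar.namelist())
                version = parse_version(base)
                vulnerable = JMS_APPENDER in entries
                detail = "JMSAppender.class present" if vulnerable else "JMSAppender.class removed"
            else:
                continue  # log4j-api, log4j-1.2-api and the slf4j bridge carry no lookup or JMS code
            findings.append({"jar": base,
                             "version": ".".join(map(str, version)) if version else "unknown",
                             "vulnerable": vulnerable, "detail": detail})
    return findings


def war_is_clean(war_bytes):
    return not any(f["vulnerable"] for f in scan_war(war_bytes))


def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def build_sample_war(patched):
    """Constructed stand-in for madsonic.war with the jar names from the thread.
    The patched variant mirrors the 6.2 steps: 2.16.0 core under the 2.7 name,
    JMSAppender stripped from log4j-1.2.17.jar."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only, no real bytecode
    core = {"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "version=%s\n" % ("2.16.0" if patched else "2.7"),
            JNDI_LOOKUP: magic}  # 2.16.0 still ships the class, with JNDI disabled
    log4j12 = {"org/apache/log4j/Logger.class": magic}
    if not patched:
        log4j12[JMS_APPENDER] = magic
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.7.jar", make_jar(core))
        z.writestr("WEB-INF/lib/log4j-api-2.7.jar", make_jar({}))
        z.writestr("WEB-INF/lib/log4j-1.2-api-2.7.jar", make_jar({}))
        z.writestr("WEB-INF/lib/log4j-1.2.17.jar", make_jar(log4j12))
        z.writestr("WEB-INF/lib/slf4j-log4j12-1.7.22.jar", make_jar({}))
    return war.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        targets = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:
        targets = [("unpatched sample", build_sample_war(False)), ("patched sample", build_sample_war(True))]
    for label, data in targets:
        print("==", label, "==")
        for f in scan_war(data):
            print("%-10s %s (%s): %s" % ("VULNERABLE" if f["vulnerable"] else "ok", f["jar"], f["version"], f["detail"]))
```

Run with no arguments to see both samples reported; the unpatched one flags `log4j-core-2.7.jar` and `log4j-1.2.17.jar`, the patched one reports the core jar as 2.16.0 despite its 2.7 filename. Against a live server, point it at the war in `/usr/share/madsonic/` and, separately, at the expanded copy under `/var/madsonic/jetty/`, since the thread's 5.x steps patch both places by hand.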
KBanause
Posts: 13
Joined: 10 Jun 2016, 11:26
Has thanked: 1 time
Been thanked: 3 times

Re: log4j security issue

Post by KBanause:

Would be nice to hear something from the Devs about this issue.
J_T_W
Posts: 5
Joined: 24 Sep 2020, 17:44
Has thanked: 1 time
Been thanked: 5 times

Re: log4j security issue

Post by J_T_W:

Madsonic at this point appears to be abandonware. You might consider moving off to a newer implementation. Both suggestions below run on multiple platforms; I'm a Windows guy, so some of my supplemental info isn't as useful to non-Windows users.

If you're looking for a very lateral move, consider Airsonic Advanced https://github.com/airsonic-advanced/airsonic-advanced - It is in active development with frequent snapshot updates https://github.com/airsonic-advanced/airsonic-advanced/releases . Same feature set as Madsonic (API, Sonos, etc.) with updated code. As it is open source, you also get most of the features Madsonic Premium gives you, but for free. You would need to come up with your own DDNS solution. Minimal effort for installation (latest Java installed, then a command line shortcut to the war file - upgrades are even easier, with just a quick war file change).

If you're really more API focused, and looking just for a music streaming service, you might consider moving off the Subsonic family of servers altogether. Check out Navidrome https://www.navidrome.org/ . That product is primarily there to supply the API with a completely new back-end, and refocuses on support for audio only (no video, podcast, internet radio, etc.). There is not yet built-in support for Sonos, but you can find easy linking with something like Bonob https://github.com/simojenki/bonob. As with Airsonic Advanced, no subscription or fee to access the API. Navidrome does have a simplified web UI if desired.

Both products support running as a service with something like NSSM https://nssm.cc/ , and IIS works great as a reverse proxy if you wish to run them with SSL.