Log4J

dhogan723

New Member
Is it possible to remove the log4j files from the WCS server installation and still have a functional RTSP streaming capability?

Our clients are showing vulnerabilities with log4j (expected), but are not fully satisfied with the explanation you referenced here:
WCS Core logs - Web Call Server 5.2 - EN - Flashphoner Documentation

Are there any other creative options that can be taken? Again, our only use of Flashphoner is RTSP-->WebRTC functionality.

Thank you
Dan

Max

Administrator
Staff member
Good day.
WCS uses Apache log4j 1.2.17. This old version does not support the JNDI feature, which was added in log4j 2.0-beta9. Therefore, the CVE-2021-44228 vulnerability (and other JNDI vulnerabilities) cannot be exploited in WCS. The tests confirm that.
We are referencing the official Apache log4j issue descriptions only; we hope it is enough for your clients.
Is it possible to remove the log4j files from the WCS server installation and still have a functional RTSP streaming capability?
No. WCS will not start without the log4j library.
There was a ticket, WCS-2521, to migrate to log4j2, but most of our customers are satisfied by the explanation above (and hosters like AWS and DO too), so we decided not to update because log4j2 brings various new vulnerabilities.
We may raise the ticket again if there are more customer votes for it.

Max

Administrator
Staff member
If your customers are not satisfied by our explanation, there are the following options:
1. Call independent experts who can parse log4j-1.2.17.jar from the WCS distribution package and check whether CVE-2021-44228 can be exploited.
2. Get the jar file reload4j-1.2.22.jar from the reload4j project and place it instead of log4j-1.2.17.jar in the /usr/local/FlashphonerWebCallServer/lib folder. The reload4j project is a fork of log4j 1 which fixes most of the actual vulnerabilities. It is 100% compatible with log4j, and WCS should work with it.
3. Ask us for a custom build (in fact it is a kind of priority support): sales@flashphoner.com.

stone

New Member
We tried your suggestion and loaded reload4j. The customer's scan is still picking up log4j version 1 and says this is not supported.

"Description: According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016."

I believe the only way to get around this scan is to use their suggestion of upgrading to log4j version 2

"Solution: Upgrade to a version of Apache Log4j that is currently supported. Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions."

Do we need a custom build of flashphoner that would include log4j2.x or is there some other type of workaround?

Thank you

Max

Administrator
Staff member
We tried your suggestion and loaded reload4j. The customer's scan is still picking up log4j version 1 and says this is not supported.
reload4j is a fork of Apache log4j 1 aimed at supporting this version because a lot of projects still need it. And yes, reload4j reports version number 1.x because it is fully compatible with Apache log4j. We recommend your customer hire third-party independent experts to check reload4j carefully for possible vulnerabilities, not just check the version number formally.
If your customer provides an exact list of vulnerabilities which are fixed in Apache log4j 2 but not fixed in reload4j, we'll consider an upgrade if there are more customer votes for it.
Do we need a custom build of Flashphoner that would include log4j 2.x, or is there some other type of workaround?
Yes, you can request a custom build: sales@flashphoner.com. Note this may take a lot of time.
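The two points the thread turns on are the jar swap in the WCS lib folder and the fact that a scanner keying only on the self-reported version cannot tell reload4j from Apache log4j 1.2.17. The script below is an added example, not code from Flashphoner, from reload4j or from this thread. It reads what a version scanner reads (the Maven pom.properties embedded in the jar), adds the group id so reload4j is distinguished from Apache log4j 1, and checks for the log4j 2.x JndiLookup class that CVE-2021-44228 lives in. The three jars it examines by default are constructed in memory with only that metadata; passing a directory such as /usr/local/FlashphonerWebCallServer/lib runs the same check on real files. The `classify` verdict strings and the sample version numbers are this example's own choices.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j 2.x (CVE-2021-44228).
# It does not exist in any log4j 1.x or reload4j jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def _build_sample_jar(group, artifact, version, classes):
    """Constructed stand-in for a real jar: only the metadata a scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                   f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        for name in classes:
            z.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return buf.getvalue()


# Constructed samples (assumed coordinates), not files from any real distribution.
SAMPLE_LOG4J1 = _build_sample_jar("log4j", "log4j", "1.2.17",
                                  ["org/apache/log4j/Logger.class"])
SAMPLE_RELOAD4J = _build_sample_jar("ch.qos.reload4j", "reload4j", "1.2.22",
                                    ["org/apache/log4j/Logger.class"])
SAMPLE_LOG4J2 = _build_sample_jar("org.apache.logging.log4j", "log4j-core", "2.14.1",
                                  ["org/apache/logging/log4j/core/Logger.class",
                                   JNDI_LOOKUP_CLASS])


def inspect_jar(jar_bytes):
    """Return the self-reported Maven coordinates/version and a JndiLookup presence flag."""
    info = {"group": None, "artifact": None, "version": None, "has_jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        info["has_jndi_lookup"] = JNDI_LOOKUP_CLASS in names
        for name in names:
            m = POM_RE.match(name)
            if not m:
                continue
            props = {}
            for line in z.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            info["group"], info["artifact"] = m.group(1), m.group(2)
            info["version"] = props.get("version")
    return info


def classify(info):
    """Turn the raw facts into the distinction a version-only scan misses."""
    version = info["version"] or ""
    if info["group"] == "ch.qos.reload4j":
        return f"reload4j {version} (log4j 1.x API fork; reports a 1.x version by design)"
    if info["group"] == "log4j" and version.startswith("1."):
        return f"Apache log4j {version} (1.x, no JndiLookup class)"
    if info["group"] == "org.apache.logging.log4j":
        flag = "JndiLookup present" if info["has_jndi_lookup"] else "JndiLookup absent"
        return f"Apache log4j {version} (2.x, {flag})"
    return f"unknown logging jar {info['group']}:{info['artifact']} {version}"


def scan_dir(lib_dir):
    """Classify every jar in a lib directory, e.g. /usr/local/FlashphonerWebCallServer/lib."""
    return {p.name: classify(inspect_jar(p.read_bytes()))
            for p in sorted(Path(lib_dir).glob("*.jar"))}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, verdict in scan_dir(sys.argv[1]).items():
            print(f"{name}: {verdict}")
    else:
        for label, data in [("log4j-1.2.17.jar", SAMPLE_LOG4J1),
                            ("reload4j-1.2.22.jar", SAMPLE_RELOAD4J),
                            ("log4j-core-2.14.1.jar", SAMPLE_LOG4J2)]:
            print(f"{label}: {classify(inspect_jar(data))}")
```

Run with no arguments to see the three constructed samples classified; run with the WCS lib path after the swap to confirm that the jar found there carries the ch.qos.reload4j group id rather than just a 1.2.x version string, which is the evidence a reviewer can attach to a scanner finding that only quotes the version.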