Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab?

403 views (last 30 days)
Andreas Apelt
Andreas Apelt on 14 Dec 2021
Commented: fyin on 2 Jun 2022 at 8:59
Regarding the Apache Log4j Vulnerability CVE-2021-44228. How does it affect these software products:
  1. Regular locally installed Matlab (Mac, PC, and Linux). All versions : current, plus old/historical.
  2. MATLAB online (web-based version of MATLAB)
  3. The MATLAB MCR runtime library (needed to run standalone executables someone compiled with the MATLAB Compiler Toolbox)
  4. Installers for any Mathworks software product.
MATLAB uses log4j < v2.15
Will you provide a patch, if one is needed?
  5 Comments

Sign in to comment.

Accepted Answer

Sebastian
Sebastian on 14 Dec 2021
Edited: Sebastian on 20 Dec 2021
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
  • CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
  16 Comments
Walter Roberson
Walter Roberson on 23 Dec 2021
Mathworks tells me that I can check the log4j version by cd'ing matlabroot and using
unzip -p java/jarext/*log4j*.jar META-INF/MANIFEST.MF
Based upon the checks I did (with the toolboxes I have), it looks to me as if ROS (Robot Operating System) actively uses log4j, and that genicam drivers do as well. Beyond that... well, I am concerned about the toolbox/parallel/bin/util/msa_pct.ini which might be implying that some or all of Parallel Computing Toolbox relies upon the utility.

Sign in to comment.

More Answers (3)

QMA
QMA on 14 Dec 2021
FYI.. when you download the latest version for installation, there is reference to log4j in 2021b:
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.enc
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.xml
  3 Comments
Walter Roberson
Walter Roberson on 15 Dec 2021
That log4j_common is responsible for installing
filename = fullfile(matlabroot, 'java', 'jarext', 'log4j.jar')
ls(filename)
References in files that I found on my system. I do not have all toolboxes and official support packages installed, so there might be additional instances
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros=INFO
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros.roscpp.superdebug=WARN
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: dir="${rsrc}/log4j"
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: includes="log4j.properties" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j.properties"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="org/apache/log4j/**"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4j.rootCategory=ERROR, Console
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console=org.apache.log4j.ConsoleAppender
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console.layout=org.apache.log4j.PatternLayout
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "package" : "org.apache.log4j",
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "org.apache.log4j"
./mcr/toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
I think the .json is just for code completion suggestion purposes, rather than being an invocation of the code.
sys/ros1 is part of ROS (Robot Operating System) toolbox, https://www.mathworks.com/help/ros/index.html
Genicam is a camera interface, https://www.mathworks.com/help/imaq/genicam-gentl-hardware.html . I do not have the Image Acquistion Support Package for GeniCam Interface installed, but I still have those driver files.
I just opened a support case reporting these files.

Sign in to comment.


Shahed Sherkat
Shahed Sherkat on 18 Dec 2021
How about vulnerabulut to CVE-2021-4104 ?
I have found 4 potentially vulnerable files in my Matlab R2017b.
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\aps_impl\pubsub_impl_java\pubsub_impl.jar, log4j 1.2.17
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\lais_server_impl\lais_server_impl.jar, log4j N/A - potentially vulnerable
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\log4j.jar, log4j 1.2.15
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\mcr\toolbox\matlab\connector\jar\3p.jar, log4j 1.2.17
Please adivce.
Thanks,
Shahed
  4 Comments
Nicholas Clark
Nicholas Clark on 18 Feb 2022
In addition to CVE-2021-4104, now potentially included are: CVE-2019-17571, CVE-2020-9488, and CVE-2022-23302.

Sign in to comment.


Steve Peppas
Steve Peppas on 25 Mar 2022
Edited: Steve Peppas on 25 Mar 2022
Hey guys, i have found a convenient "hack" to mitigate the log4j vulnerability if you feel unsafe like me. Here is what i did:
1) Downloaded log4j-core-2.17.2 and added it to matlab/java/jarext folder.
2) Added it to the classpath.txt which is found in matlab/toolbox/local.
3) Deleted the previous log4j.jar in matlab/java/jarext.
4) Downloaded the log4j-1.2-api-2.17.2 logging bridge, added it to matlab/java/jarext and renamed it to log4j.jar
5) Last, downloaded the log4j-api-2.17.2, copied the logging folder in it and put it at the above log4j.jar in org.apache path.
I am using Ubuntu 20.04.4 OS.

Products


Release

R2019b

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!