Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab?
94 views (last 30 days)
Show older comments
Andreas Apelt
on 14 Dec 2021
Commented: Craig Richardson
on 29 Jan 2024
Regarding the Apache Log4j Vulnerability CVE-2021-44228. How does it affect these software products:
- Regular locally installed Matlab (Mac, PC, and Linux). All versions : current, plus old/historical.
- MATLAB online (web-based version of MATLAB)
- The MATLAB MCR runtime library (needed to run standalone executables someone compiled with the MATLAB Compiler Toolbox)
- Installers for any Mathworks software product.
MATLAB uses log4j < v2.15
Will you provide a patch, if one is needed?
6 Comments
Craig Richardson
on 29 Jan 2024
Is this still the case in 2024? Are there still no versions of Matlab that are affected by log4j?
If so, please release an updated document that reflects that information.
Accepted Answer
Sebastian
on 14 Dec 2021
Edited: Sebastian
on 20 Dec 2021
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
- CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
See here for the full document: https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf
16 Comments
Jürgen
on 22 Dec 2021
Edited: Jürgen
on 22 Dec 2021
How can I find out, whether my applications utilize any of the earlier versions.
If I remove it – how can I find out that my software will not utilize this functionality under yet unforeseen conditions?
The question turns out, to be related to another question I asked myself last week:
How can I find out the code-dependencies in my ‘projects’.
In previous obligations where I used more classical languages the underlying project tool and the necessity to compile ensured such structural coverage at least to my expectations as device-engineer/physicist. Additional code analyzer tools could be used to visualize and track it graphically.
Could anyone give me an advice what the best way is, to do it with Matlab. I know several options in Matlab, but maybe not deeply enough. Maybe there is a ‘good all in one’ overview-article how to do it in the latest releases – to get a good project-feeling?
Walter Roberson
on 23 Dec 2021
Mathworks tells me that I can check the log4j version by cd'ing matlabroot and using
unzip -p java/jarext/*log4j*.jar META-INF/MANIFEST.MF
Based upon the checks I did (with the toolboxes I have), it looks to me as if ROS (Robot Operating System) actively uses log4j, and that genicam drivers do as well. Beyond that... well, I am concerned about the toolbox/parallel/bin/util/msa_pct.ini which might be implying that some or all of Parallel Computing Toolbox relies upon the utility.
More Answers (3)
QMA
on 14 Dec 2021
FYI.. when you download the latest version for installation, there is reference to log4j in 2021b:
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.enc
./Downloads/MathWorks/R2021b/2021_12_03_21_37_17/archives/3p/log4j_common_1621039475.xml
3 Comments
Walter Roberson
on 14 Dec 2021
/3p means "Third party". So some third party product might include it.
Walter Roberson
on 15 Dec 2021
Edited: Walter Roberson
on 15 Dec 2021
That log4j_common is responsible for installing
filename = fullfile(matlabroot, 'java', 'jarext', 'log4j.jar')
ls(filename)
References in files that I found on my system. I do not have all toolboxes and official support packages installed, so there might be additional instances
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros=INFO
./sys/ros1/maci64/ros1/share/ros/config/rosconsole.config:log4j.logger.ros.roscpp.superdebug=WARN
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: dir="${rsrc}/log4j"
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: includes="log4j.properties" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <unjar src="${lib}/log4j-core.jar" dest="${build}" />
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j.properties"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="org/apache/log4j/**"/>
./sys/ros1/maci64/ros1/share/roslisp/s-xml/test/ant-build-file.xml: <include name="log4j-core.jar" />
./toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4j.rootCategory=ERROR, Console
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console=org.apache.log4j.ConsoleAppender
./toolbox/imaq/imaqextern/drivers/maci64/genicam/GenICam_v3_1_0/log/config-unix/DefaultLogging.properties:log4cpp.appender.Console.layout=org.apache.log4j.PatternLayout
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "package" : "org.apache.log4j",
./toolbox/matlab/compatibility/codeAnalyzerChecks.json: "org.apache.log4j"
./mcr/toolbox/parallel/bin/util/msa_pct.ini:java/jarext/log4j.jar
I think the .json is just for code completion suggestion purposes, rather than being an invocation of the code.
sys/ros1 is part of ROS (Robot Operating System) toolbox, https://www.mathworks.com/help/ros/index.html
Genicam is a camera interface, https://www.mathworks.com/help/imaq/genicam-gentl-hardware.html . I do not have the Image Acquistion Support Package for GeniCam Interface installed, but I still have those driver files.
I just opened a support case reporting these files.
Shahed Sherkat
on 18 Dec 2021
How about vulnerabulut to CVE-2021-4104 ?
I have found 4 potentially vulnerable files in my Matlab R2017b.
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\aps_impl\pubsub_impl_java\pubsub_impl.jar, log4j 1.2.17
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\lais_server_impl\lais_server_impl.jar, log4j N/A - potentially vulnerable
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\java\jarext\log4j.jar, log4j 1.2.15
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files\MATLAB\R2017b\mcr\toolbox\matlab\connector\jar\3p.jar, log4j 1.2.17
Please adivce.
Thanks,
Shahed
4 Comments
Walter Roberson
on 11 Jan 2022
I don't think the US government has any authority in my country. I am not even clear that it has the authority to require such a thing inside the USA.
It does plausibly have authority to tell US Federal Government departments and US Federal Government Contractors that they must remove such software for security reasons.
Nicholas Clark
on 18 Feb 2022
In addition to CVE-2021-4104, now potentially included are: CVE-2019-17571, CVE-2020-9488, and CVE-2022-23302.
Steve Peppas
on 25 Mar 2022
Edited: Steve Peppas
on 25 Mar 2022
Hey guys, i have found a convenient "hack" to mitigate the log4j vulnerability if you feel unsafe like me. Here is what i did:
1) Downloaded log4j-core-2.17.2 and added it to matlab/java/jarext folder.
2) Added it to the classpath.txt which is found in matlab/toolbox/local.
3) Deleted the previous log4j.jar in matlab/java/jarext.
4) Downloaded the log4j-1.2-api-2.17.2 logging bridge, added it to matlab/java/jarext and renamed it to log4j.jar
5) Last, downloaded the log4j-api-2.17.2, copied the logging folder in it and put it at the above log4j.jar in org.apache path.
I am using Ubuntu 20.04.4 OS.
3 Comments
Vincent Sherart
on 19 Sep 2022
Please excuse the java noob question, but I know very little about java programming. On the last step above, step 5, I get as far as using the jar utility to extract the contents fo the log4j-api*jar file, but I'm confused about section that says put logging folder above log4j.ar in org.apache path. Can someone provide more detail on this step?
For example, if I have MATLAB installed in /opt/MATLAB/R2021a, does the logging directory go somewhere in the /opt/MATLAB/R2021a/java dir structure?
Thanks,
Vince
Steve Peppas
on 20 Sep 2022
Hey Vince, every .jar file is like a .zip file, meaning you can extract the files, copy and paste them.
So, for Step 5, copy the logging folder inside log4j-api-2.17.2.jar and paste it in the (new) log4j.jar in org/apache path inside log4j.jar.
Hope this is clear enough.
See Also
Categories
Find more on Write C Functions Callable from MATLAB (MEX Files) in Help Center and File Exchange
Community Treasure Hunt
Find the treasures in MATLAB Central and discover how the community can help you!
Start Hunting!