Trying to determine if the recently noted Log4j exploit is any concern for FreePBX users.
There’s already a CVE number for this: NVD - CVE-2021-44228
It implies that an attacker already has control over some other server. The most recent update obviously solves this problem. On the other hand, I am currently running FPBX with community modules only on CentOS 7 and Debian 11 and there is no log4j.
Quick rundown:
- Asterisk does not depend on log4j
- FreePBX does not depend on log4j
- FreePBX distro does not install log4j by default - and the version currently published in the SNG7 distro is not vulnerable.
- Sangoma cards don’t use log4j
There are non-Sangoma packages that may be installed on PBX systems for which I can’t currently comment. I’m awaiting word re: iSymphony, tho it appears that it does not use it. For other packages such as QueueMetrics or FOP2, please update this thread if anyone is aware of their status.
The iot server uses log4j. If you are not using it to control doors and such, I suggest disabling it.
```
fwconsole ma disable iotserver
```
log4js, not log4j, no?
Do we have confirmation that the log4js port suffers the same problem as log4j?
AFAIK, the legacy @isymphony software runs on Java. The new one uses newer technologies. But I may be wrong on that.
Thank you very much, I’m much calmer when I read it like this. Specifically being aware that lots of Java things are running within FreePBX and the CentOS 7 distro.
What is @isymphony used for typically?
@Lorne: is somewhere a script available to test the system for any non-sangoma packages? Let’s say postfix or apache2 or something typical like these?
tl;dr no it doesn’t seem to
Has there been any word back from isymphony? According to their documentation:
Beginning with version 3.0 of iSymphony, Java is only required on the server running the iSymphony web application. It is no longer required on end-user workstations.
A FreePBX 15 install that I have running (I cannot think of any additions that I would have put on this installation) has Java installed:
```
command -v java
/usr/bin/java
```
So the question remains, does it have the highly vulnerable log4j library?
Isn’t it the very first time that Java really works with “Write once, run everywhere”? And people are still unhappy.
Official word from i9 re iSymphony and XactView
In spite of the fact Sangoma claims no vulnerability, after applying all current updates, FreePBX 15.0.17.64 still includes “log4j” – NOT “log4js” – in /var/www/html/admin/modules/iotserver/node/node_modules/bunyan/package.json
(though iot does also include log4js)
I have no idea if anything is actually using that package, but it is being loaded.
I don’t think that’s an include. It’s only listed in the “keywords” section. Can you say more about your concern?
Hearing no response… the answer is that log4j is not included and the listing of “log4j” as a keyword is of no concern.
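The two checks that keep coming up in this thread, written out as an added example (this is not code from the thread, from FreePBX or from Sangoma): first, whether any Java archive on the box actually bundles Log4j 2’s `JndiLookup` class (the component CVE-2021-44228 abuses), and second, whether a Node `package.json` names log4j as something it installs or merely as a search keyword, which is the bunyan case above. The script builds its own throwaway directory tree with constructed sample files, so it runs offline; point `audit()` at `/` or `/var/www/html` on a real system instead. A hit on `JndiLookup.class` means log4j-core 2.x is present and its version should be compared against the fixed releases; it is not by itself proof of exploitability. The `log4js` name is flagged for review on purpose even though it is a separate JavaScript library that does not share this CVE.

```python
"""Offline audit helpers: find log4j-core jars and classify log4j mentions in
package.json files. Added example, not FreePBX/Sangoma code."""
import json
import os
import shutil
import tempfile
import zipfile

# Class added in log4j-core 2.x that performs JNDI lookups; its presence in an
# archive identifies a bundled log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def jar_log4j_core_version(path):
    """Return the Implementation-Version of a log4j-core archive, "unknown" if
    the archive bundles JndiLookup but has no version in its manifest, or None
    if the file is not a zip or does not bundle JndiLookup."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS not in names:
            return None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
        return "unknown"


def package_json_log4j_refs(path):
    """Split a package.json's mentions of 'log4j' into real dependencies
    (names npm would install) and mere search keywords."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    deps = set()
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        deps.update(data.get(section, {}).keys())
    return {
        "dependencies": sorted(d for d in deps if "log4j" in d.lower()),
        "keywords": sorted(k for k in data.get("keywords", []) if "log4j" in k.lower()),
    }


def audit(root):
    """Walk root; report log4j-core archives (relative path, version) and every
    package.json that mentions log4j, classified by how it mentions it."""
    result = {"jars": [], "package_json": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                version = jar_log4j_core_version(full)
                if version is not None:
                    result["jars"].append((rel, version))
            elif name == "package.json":
                refs = package_json_log4j_refs(full)
                if refs["dependencies"] or refs["keywords"]:
                    result["package_json"][rel] = refs
    result["jars"].sort()
    return result


def build_demo_tree():
    """Constructed sample tree (not real FreePBX paths): one archive that
    bundles JndiLookup with a manifest version, one harmless archive, a
    bunyan-style package.json with log4j only as a keyword, and a package.json
    that actually depends on log4js."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    for pkg, meta in (
        ("bunyan", {"name": "bunyan", "keywords": ["log", "logging", "log4j", "json"],
                    "dependencies": {}}),
        ("app", {"name": "app", "dependencies": {"log4js": "^6.0.0"}}),
    ):
        os.makedirs(os.path.join(root, "node_modules", pkg))
        with open(os.path.join(root, "node_modules", pkg, "package.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for rel, version in audit(demo_root)["jars"]:
            print(f"log4j-core archive: {rel} (version {version})")
        for rel, refs in audit(demo_root)["package_json"].items():
            print(f"{rel}: dependencies={refs['dependencies']} keywords={refs['keywords']}")
    finally:
        shutil.rmtree(demo_root)
```

Run it on the demo tree and the only archive reported is the constructed `log4j-core-2.14.1.jar`; the bunyan-style `package.json` shows up with an empty `dependencies` list and `log4j` under `keywords`, which is exactly the distinction drawn above: a keyword tells npmjs search what to match, it installs nothing.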
@lgaetz can you sticky this for a while? Log4j is scary stuff, and I’m sure there are plenty of people looking for this info.
Bunyan is a simple and fast JSON logging library for node.js services
The keyword @billsimon points out is here: node-bunyan/package.json at master · trentm/node-bunyan · GitHub
Keywords are used on npmjs.org for searching packages. So someone can type log4j into npmjs.org and be presented with this package.
But the key thing here is that npmjs.org is for node modules. Written in JavaSCRIPT (which has NO relation to Java itself).
Bunyan is also written in pure JavaSCRIPT as well: node-bunyan/lib/bunyan.js at master · trentm/node-bunyan · GitHub
Chiming in to confirm that FOP2 and Asternic Call Center Stats do not use java in any way, hence they are not vulnerable.