Updated December 15, 2021: ConnectALL's security team has confirmed that following the below procedure is the only option to eliminate this vulnerability. You could follow this procedure or consider upgrading to the new version that contains the fix for the log4j vulnerability issue. The vulnerability does not exist in version 2.10.26.4 and later.

Versions Affected

  • ConnectALL version 2.9.0 (released December 2018) through 2.10.26.3. 
  • ConnectALL versions older than 2.9.0 may also be affected if other updates to the default configuration have been made (which is likely given how long it's been)

ConnectALL recommends following this procedure regardless of which version of ConnectALL is installed. If the subject files (log4j-core*.jar) do not exist on the filesystem, then this procedure does not apply.

Vulnerability Elimination for Windows

Remove JndiLookup.class from the log4j core jar file with the following procedure:

  1. Stop the ConnectALL core service.
  2. Find the directories containing log4j-core*.jar. This will minimally be the following:
    1. %CONNECTALL_HOME%\..\apps\ConnectAll-*\lib
    2. %CONNECTALL_HOME%\..\lib\boot
  3. Chose one of these alternatives:
    1. If your Windows installation has the zip command, execute the below command in each of those directories:
      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    2. Alternatively, you may temporarily rename the jar file as a zip then delete the JndiLookup.class file from the path org\apache\logging\log4j\core\lookup using Windows Explorer.
    3. Or, copy the jar to a temp location (e.g. C:\Users\Administrator\Desktop\log4j) and in the Powershell, execute the following commands:
      cd C:\Users\Administrator\Desktop\log4j
      jar -xvf .\log4j-core-2.8.2.jar
      rm org/apache/logging/log4j/core/lookup/JndiLookup.class
      rm .\log4j-core-2.8.2.jar
      jar -cvf log4j-core-2.8.2.jar *
      With a clean temp directory, do the same for the other log4j-core-2.12.0 jar.
      Replace the jars on the MULE_HOME directory with the respective jars created above.
  4. Restart the ConnectALL core service.

Verification

If you wish to double check that the vulnerable class has indeed been removed, you do do the following in a command prompt (not Powershell):

cd %mule_home%
for /r %i in (log4j-core*.jar) do jar -tvf %i | findstr JndiLookup.class

Expected output if still vulnerable:

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>for /r %i in (log4j-core*.jar) do jar -tvf %i | findstr JndiLookup.class

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>jar -tvf C:\ConnectALL\mulesoft\mule-standalone-3.9.0\apps\ConnectAll-2.10.25.Rb3ceec02bc056401955ba937354ddffc2eea1338\lib\log4j-core-2.12.0.jar   | findstr JndiLookup.class
  2892 Tue Jun 25 20:37:02 PDT 2019 org/apache/logging/log4j/core/lookup/JndiLookup.class

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>jar -tvf C:\ConnectALL\mulesoft\mule-standalone-3.9.0\lib\boot\log4j-core-2.8.2.jar   | findstr JndiLookup.class
  2974 Sun Apr 02 15:24:22 PDT 2017 org/apache/logging/log4j/core/lookup/JndiLookup.class

Expected output if not vulnerable:

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>for /r %i in (log4j-core*.jar) do jar -tvf %i | findstr JndiLookup.class

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>jar -tvf C:\ConnectALL\mulesoft\mule-standalone-3.9.0\apps\ConnectAll-2.10.25.Rb3ceec02bc056401955ba937354ddffc2eea1338\lib\log4j-core-2.12.0.jar   | findstr JndiLookup.class

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>jar -tvf C:\ConnectALL\mulesoft\mule-standalone-3.9.0\lib\boot\log4j-core-2.8.2.jar   | findstr JndiLookup.class

C:\ConnectALL\mulesoft\mule-standalone-3.9.0>

Vulnerability Elimination for Linux

Affected log4j jars are located on the following paths:

$MULE_HOME/lib/boot/log4j-core-2.8.2.jar
$MULE_HOME/apps/ConnectAll-*/lib/log4j-core-2.12.0.jar

Execute the following commands:

systemctl stop mule
cd $MULE_HOME/lib/boot
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
chown mule:connectall log4j-core-*.jar
cd $MULE_HOME/apps/ConnectAll-*/lib
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
chown mule:connectall log4j-core-*.jar
systemctl start mule

Verification

If you wish to double check that the vulnerable class has indeed been removed, you do do the following:

cd $MULE_HOME
for fn in `find . -name "log4j-core*.jar"` ;do jar -tvf $fn | grep JndiLookup.class;done

Expected output if still vulnerable:

  2892 Tue Jun 25 20:37:02 PDT 2019 org/apache/logging/log4j/core/lookup/JndiLookup.class
  2974 Sun Apr 02 15:24:22 PDT 2017 org/apache/logging/log4j/core/lookup/JndiLookup.class

Expected output if not vulnerable:

No JndiLookup.class files will be listed.

Q&A

  • Is there any indication in the logs of there having been a successful exploit? No.  

References