Updated on 2022-12-08 GMT+08:00

Notice on the Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228)

Vulnerability Description

Apache Log4j2 has a remote code execution vulnerability (CVE-2021-44228). When Apache Log4j2 processes user-supplied input while logging, an attacker can craft a special request that triggers remote code execution. A proof of concept (POC) has been disclosed publicly, so the risk is high. For details, see Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228).

Vulnerability Impact

Apache Log4j2 is used by the Fabric_SDK_Gateway_Java and Fabric_SDK_Java SDKs, both the versions provided by BCS (which use OSCCA-published cryptographic algorithms for encryption) and those provided by Hyperledger Fabric. It is also used in the corresponding demos: App_Gateway_Java_Demo, App_Java_Src_Demo, and App_Java_Jar_Demo.

The vulnerability in these components has been fixed in the CN North-Beijing4 region. If you use these components, go to the BCS console, switch to the CN North-Beijing4 region, obtain the latest version from Use Cases, and upgrade as soon as possible. Until the fix has been applied to your blockchain application, ensure that all input to the application comes from trusted sources.

Vulnerability Fixing

Upgrade Fabric_SDK_Gateway_Java, Fabric_SDK_Java, and Apache Log4j2 to the latest versions.

The fixed Fabric_SDK_Gateway_Java and Fabric_SDK_Java can be obtained from the Use Cases module in the CN North-Beijing4 region. For details about how to use these SDKs, see Using SDKs.
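To verify that an SDK or demo build no longer bundles an affected log4j-core, here is an added example (not BCS or Hyperledger Fabric code) that scans JAR files for the log4j-core Maven metadata and flags affected releases. It assumes the JARs are on local disk; the affected version ranges come from the Apache Log4j security advisory, not from this notice.

```python
import os
import tempfile
import zipfile
# Maven metadata carried by a log4j-core JAR (or by a fat JAR that bundles it)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is ignored."""
    parts = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """CVE-2021-44228 is fixed in 2.15.0 and in the backports 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    v = parse_version(version)
    fixed = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}.get(v[:2], (2, 15, 0))
    return (2, 0, 0) <= v < fixed

def log4j_core_version(jar_path):
    """Bundled log4j-core version; 'unknown' if only JndiLookup.class is found; None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        # JndiLookup ships in every affected release (and in fixed ones), so flag for manual review
        return "unknown" if JNDI_CLASS in names else None

def scan_jars(root):
    """Walk a directory tree; return {jar_path: version} for JARs that need attention."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith(".jar")):
            v = log4j_core_version(path)
            if v == "unknown" or (v and is_affected(v)):
                findings[path] = v
    return findings

def _make_jar(path, version):  # constructed sample JAR for the demo, not a real SDK artifact
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Scan two constructed JARs: one still on 2.14.1, one already upgraded to 2.17.1."""
    with tempfile.TemporaryDirectory() as d:
        _make_jar(os.path.join(d, "App_Gateway_Java_Demo.jar"), "2.14.1")
        _make_jar(os.path.join(d, "Fabric_SDK_Java.jar"), "2.17.1")
        return {os.path.basename(k): v for k, v in scan_jars(d).items()}
```

Run `scan_jars()` against the directory where the downloaded SDK and demo builds are unpacked; any JAR reported as `unknown` has JNDI lookup code but no version metadata and should be inspected by hand.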