amazon-connect/amazon-connect-realtime-transcription

Java realtime transcription function contains insecure version of Log4J

dax-hurley opened this issue · 10 comments

Disclaimer: I am not a Java dev, this is the best description of the problem and solution I can create based off my research, I may be wrong about some details, or its completely possible I am totally off base on multiple aspects. My hope is that the information below is at least somewhat useful in fixing this issue as quickly as possible.

Problem

No doubt the maintainers of this project are at this point aware of CVE-2021-44228, AKA the Log4j vulnerability. The most recent version of this package makes use of slf4j-log4j12 version 1.7.24, which uses an insecure version of log4j as a downstream dependency. Notably, the dependency 'amazon-kinesis-video-streams-parser-library' is also outdated (v1.0.15) and the version in use also contains slf4j bindings and an outdated version of log4j. This causes the function to log:

SLF4J: Class path contains multiple SLF4J bindings.

when run.

This vulnerability could theoretically allow arbitrary Java code execution within the Lambda function and in turn lead to an attacker accessing other resources in the AWS environment that the function has access to. As far as I can see it's unlikely that an attacker could devise a way to exploit this vulnerability over an Amazon Connect IVR. As far as I'm aware the only instance where the function logs user input is when it logs the real time transcript, which would be quite difficult to use for an exploit; if exploited, however, it represents a significant security risk, so this needs to be patched as quickly as possible.

Solution

  1. Upgrade to the latest version of the 'amazon-kinesis-video-streams-parser-library'.
  2. Exclude log4j and the slf4j bindings from downstream dependencies of 'amazon-kinesis-video-streams-parser-library'. Maven instructions specific to slf4j. Gradle Instructions. Or, if switching to a different logging provider, use 'log4j-over-slf4j' instead.
  3. Force the use of the latest version of log4j as a downstream dependency, or switch to a different logging provider and use different slf4j bindings.
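Added example (not the project's build file and not code any commenter posted): how the three steps above look in Gradle's Groovy DSL, using the dependency versions the patch comment later in this thread settled on. The parser library's com.amazonaws group coordinate and the java plugin's runtimeClasspath configuration are assumptions about the project's build.

```groovy
// build.gradle fragment (added example, not the project's own file).
// Assumes the java plugin is applied and the parser library is published
// under the com.amazonaws group.
dependencies {
    // Step 1: upgrade to the patched parser library.
    implementation('com.amazonaws:amazon-kinesis-video-streams-parser-library:1.1.0') {
        // Step 2: drop the SLF4J binding and log4j it pulls in transitively,
        // which also removes the "multiple SLF4J bindings" warning.
        exclude group: 'org.slf4j', module: 'slf4j-log4j12'
        exclude group: 'log4j', module: 'log4j'
        exclude group: 'org.apache.logging.log4j'
    }
    // Step 3: declare the single binding and versions this build should use
    // (the versions named in the patch comment of this issue).
    implementation 'org.slf4j:slf4j-api:1.7.32'
    implementation 'org.slf4j:slf4j-log4j12:1.7.32'
}

// Guard rail: fail the build if the runtime class path still resolves more
// than one SLF4J binding, or any Log4j 2 artifact that nobody declared.
// Binding detection is a heuristic: artifacts named slf4j-* other than slf4j-api.
task checkLoggingDeps {
    doLast {
        def artifacts = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
        def bindings = artifacts.findAll {
            it.moduleVersion.id.name.startsWith('slf4j-') && it.moduleVersion.id.name != 'slf4j-api'
        }
        def log4j2 = artifacts.findAll { it.moduleVersion.id.group == 'org.apache.logging.log4j' }
        if (bindings.size() > 1) {
            throw new GradleException("Multiple SLF4J bindings on class path: ${bindings*.moduleVersion*.id}")
        }
        if (!log4j2.isEmpty()) {
            throw new GradleException("Unexpected Log4j 2 artifacts resolved: ${log4j2*.moduleVersion*.id}")
        }
    }
}
check.dependsOn checkLoggingDeps
```

Running `gradle check` then fails fast whenever a future dependency bump quietly reintroduces a second binding or a Log4j 2 jar.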

As the official repo still uses v1, we would be inclined to stick with the official version rather than branching off on our own. Otherwise when AWS changes it to add a new feature we will be stuck with a merging job or stuck with the old version. And it's having an impact on our multiple clients.

This has been addressed by PR #66

Please build and deploy the project again. Let us know how it goes.

Please note that, at the time of writing this comment, v1.1.0 of amazon-kinesis-video-streams-parser-library was still not available on Maven, hence you would need to clone https://github.com/aws/amazon-kinesis-video-streams-parser-library first, and run mvn clean install to build v1.1.0 of amazon-kinesis-video-streams-parser-library. Once completed, run the build.


Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar (502 kB at 913 kB/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:15 min
[INFO] Finished at: 2021-12-21T13:34:34+11:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.projectlombok:lombok-maven-plugin:1.18.16.0:delombok (delombok) on project amazon-kinesis-video-streams-parser-library: Execution delombok of goal org.projectlombok:lombok-maven-plugin:1.18.16.0:delombok failed: An API incompatibility was encountered while executing org.projectlombok:lombok-maven-plugin:1.18.16.0:delombok: java.lang.IllegalAccessError: class lombok.delombok.Delombok (in unnamed module @0x75120e58) cannot access class com.sun.tools.javac.tree.JCTree$JCCompilationUnit (in module jdk.compiler) because module jdk.compiler does not export com.sun.tools.javac.tree to unnamed module @0x75120e58
[ERROR] -----------------------------------------------------
[ERROR] realm = plugin>org.projectlombok:lombok-maven-plugin:1.18.16.0
[ERROR] strategy = org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
[ERROR] urls[0] = file:/Users/jingjinli/.m2/repository/org/projectlombok/lombok-maven-plugin/1.18.16.0/lombok-maven-plugin-1.18.16.0.jar
[ERROR] urls[1] = file:/Users/jingjinli/.m2/repository/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar
[ERROR] urls[2] = file:/Users/jingjinli/.m2/repository/org/projectlombok/lombok/1.18.16/lombok-1.18.16.jar
[ERROR] urls[3] = file:/Users/jingjinli/.m2/repository/org/sonatype/plexus/plexus-build-api/0.0.7/plexus-build-api-0.0.7.jar
[ERROR] urls[4] = file:/Users/jingjinli/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.8/plexus-utils-1.5.8.jar
[ERROR] Number of foreign imports: 1
[ERROR] import: Entry[import from realm ClassRealm[maven.api, parent: null]]
[ERROR]
[ERROR] -----------------------------------------------------
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginContainerException

Just saying: after mvn clean install, I got these errors after downloading lombok-maven-plugin:1.18.16.0:delombok.

@angieyu can you help to review the error above and provide solution to fix it?
We are trying to run mvn clean install to build v1.1.0 of amazon-kinesis-video-streams-parser-library, but get this error and cannot move further. Thanks.

Hi, I have discovered that if I install Java version 12 from brew, I can run mvn clean install successfully. These were the steps I took. @oliverzhou82 @Jingjing512

brew tap AdoptOpenJDK/openjdk
brew install adoptopenjdk12 --cask
/usr/libexec/java_home -V (to get Java version for the next step)
export JAVA_HOME=`/usr/libexec/java_home -v 12.0.2`
java -version
mvn clean install

Java version 16 also worked for my coworker.

Hi @angieyu, thanks for your reply. With your commands, mvn clean install ran successfully.
Later I ran gradle build but needed to install gradle v6; with the latest gradle I get an error.

In my Lambda I have this kvsTranscriber function, which I need to update to fix the insecure log4j version. How can I get a newer version without re-compiling the whole project, as it is in production today? Thank you.

@sidbenac you would need to build the KVS Transcriber project and then deploy the Lambda function with a .zip file archive as described here.

The source code is patched with the following versions of affected dependencies.
amazon-kinesis-video-streams-parser-library version to 1.1.0
org.slf4j:slf4j-api to 1.7.32
org.slf4j:slf4j-log4j12 to 1.7.32