SageTV Community  

SageTV Github Development Discussion related to SageTV Open Source Development. Use this forum for development topics about the Open Source versions of SageTV, hosted on Github.

  #1  
Old 12-11-2021, 02:48 PM
ojones
Sage User
 
Join Date: Dec 2005
Posts: 61
Vulnerability Log4j

Folks - does anyone know if Sage 9x (or the various web server or other plug ins) utilize a version of log4j that may have the recently announced vulnerability?
__________________
Hyper-V Host @ Dual Processor E5-2643 3.4ghz v4 HexaCore 128gb ram
Sage Server: VM w2016 x64 Guest running 9.2.x
OpenDCT & Plex Server: VM Ubuntu 16.04
Primary Client: VM W10x64 with GPU Passthrough
  #2  
Old 12-11-2021, 06:09 PM
jusjoken
SageTVaholic
 
Join Date: Dec 2005
Location: Strathmore, AB
Posts: 2,598
Quote:
Originally Posted by ojones View Post
Folks - does anyone know if Sage 9x (or the various web server or other plug ins) utilize a version of log4j that may have the recently announced vulnerability?
The version installed by the plugin is 1.2.17... which is very old. What versions are affected?

K
__________________
If you wish to see what I am up to and support my efforts visit my Patreon page
  #3  
Old 12-11-2021, 07:31 PM
ojones
Sage User
 
Join Date: Dec 2005
Posts: 61
Looks like we have a problem. I grabbed the following from Palo Alto. 1.2 to 1.2.17 is implicated. I have locked inbound ports on Sage until I know this is resolved. To be clear, this exploit allows remote code execution with full shell access.

Excerpt follows:
"CVE-2017-5645: For Apache log4j 2.x before 2.8.2, the log4j servers will deserialize any log events received from other applications through TCP or UDP socket servers. If a crafted binary payload is being sent using this vulnerability, it can lead to arbitrary code execution.

CVE-2019-17571: For Apache log4j versions from 1.2 (up to 1.2.17), the SocketServer class is vulnerable to deserialization of untrusted data, which leads to remote code execution if combined with a deserialization gadget"



https://unit42.paloaltonetworks.com/...ve-2021-44228/
__________________
Hyper-V Host @ Dual Processor E5-2643 3.4ghz v4 HexaCore 128gb ram
Sage Server: VM w2016 x64 Guest running 9.2.x
OpenDCT & Plex Server: VM Ubuntu 16.04
Primary Client: VM W10x64 with GPU Passthrough
  #4  
Old 12-11-2021, 10:24 PM
jusjoken
SageTVaholic
 
Join Date: Dec 2005
Location: Strathmore, AB
Posts: 2,598
From the little research I just did, the move from 1.2 to 2.82 affects Sage core code and numerous plugins and is not just a matter of changing the available log4j jar... So I would plan on this taking some time if the developers who are left take on all the work.

I also believe that the 1.2 vulnerability is only relevant if using the SimpleSocketServer class provided by log4j. I see no use of that in SageTV nor in any of my or stuckless's plugins.

Others should chime in as I do not want to be providing security advice... just providing some facts so people can be informed.
K
__________________
If you wish to see what I am up to and support my efforts visit my Patreon page
  #5  
Old 12-12-2021, 07:37 AM
ojones
Sage User
 
Join Date: Dec 2005
Posts: 61
Ken,

I'm a few steps below you on the dev skills ladder but appreciate the insight on the use of Log4j in the code base.

I think anyone who has ports forwarded for Sage may want to think about increasing firewall security for now anyway (I did), but I'm hoping that others who have a better feel for the code will be able to confirm there is no threat here.

We use site-to-site VPNs so our functionality loss will be limited.

Best of luck with your projects!
__________________
Hyper-V Host @ Dual Processor E5-2643 3.4ghz v4 HexaCore 128gb ram
Sage Server: VM w2016 x64 Guest running 9.2.x
OpenDCT & Plex Server: VM Ubuntu 16.04
Primary Client: VM W10x64 with GPU Passthrough
  #6  
Old 12-12-2021, 09:51 AM
jusjoken
SageTVaholic
 
Join Date: Dec 2005
Location: Strathmore, AB
Posts: 2,598
On further review, it does not look like the SageTV core products use log4j. So anyone using the base without any plugins should have no risk.

To see if any of your plugins are using log4j, go to Setup, SageTV Plugins, Installed Plugins and select the Library tab... Scroll and look for 'log4j'. If it isn't installed then there is also no risk.

And as I stated above, I am not aware of any plugins using the vulnerable function 'SimpleSocketServer', but I am not sure of a simple way to verify that as we do not have access to all plugin code bases.

As I am doing work on new versions of Jetty, Sagex, BMT, and a number of web apps I will start to look at using log4j 2.82 where possible.

K
__________________
If you wish to see what I am up to and support my efforts visit my Patreon page
  #7  
Old 12-12-2021, 05:28 PM
alfi33
Sage Aficionado
 
Join Date: Jun 2008
Posts: 310
Looks like I have log4j listed in Installed Plugins. When I go to uninstall it, it fails because The Movie DB Library is dependent on it... which is used by the Phoenix API plugin (which is used by Gemstone and BMT?).
__________________
Server: SageTV v9 on unRAID Docker; i5-2400; 16GB RAM; 9TB storage array; SiliconDust HDHR3
Client: Windows10; Intel Core2Duo; 4GB RAM; NVIDIA GeForce GT 1030
Client: NVIDIA ShieldTV
Client: Fire TV Stick 4K
  #8  
Old 12-12-2021, 06:26 PM
jusjoken
SageTVaholic
 
Join Date: Dec 2005
Location: Strathmore, AB
Posts: 2,598
Quote:
Originally Posted by alfi33 View Post
Looks like I have log4j listed in Installed Plugins. When I go to uninstall it, it fails because The Movie DB Library is dependent on it...which is used by the Phoenix API plugin (which is used by Gemstone and BMT?).
Yep... That's going to be the issue, as you cannot uninstall it without getting rid of the main plugin.

Again, I prefer not to give any security-related advice, as I will take no responsibility for any issues... but this is a two-year-old vulnerability and the Gemstone and Phoenix plugins do not use the feature that makes it a risk. There are no solutions except to block ports, not use the plugins, or wait till some of us test out upgrading log4j, and decide for yourself the risk.

k
__________________
If you wish to see what I am up to and support my efforts visit my Patreon page
  #9  
Old 12-13-2021, 05:42 AM
UgaData
Sage Aficionado
 
Join Date: Sep 2005
Posts: 437
Article about the Log4j issue in The Register

https://www.theregister.com/2021/12/..._patch_issued/
__________________
"Unencumbered by the thought process"

The only constant in the Universe is change.
  #10  
Old 12-13-2021, 07:39 AM
wayner
SageTVaholic
 
Join Date: Jan 2008
Location: Toronto, ON
Posts: 7,396
I am not at home right now so I can't check, but I believe that Slugger's plugins, including SageAlert, SJQ, and SRE, use log4j.
__________________
New Server - Sage9 on unRAID 2xHD-PVR, HDHR for OTA
Old Server - Sage7 on Win7Pro-i660CPU with 4.6TB, HD-PVR, HDHR OTA, HVR-1850 OTA
Clients - 2xHD-300, 8xHD-200 Extenders, Client+2xPlaceshifter and a WHS which acts as a backup Sage server
  #11  
Old 12-13-2021, 09:15 AM
jusjoken
SageTVaholic
 
Join Date: Dec 2005
Location: Strathmore, AB
Posts: 2,598
Quote:
Originally Posted by wayner View Post
I am not at home right now so I can't check, but I believe that Slugger's plugins, including SageAlert, SJQ, and SRE, use log4j.
There are 29 plugins that use log4j 1.2.17.

K
__________________
If you wish to see what I am up to and support my efforts visit my Patreon page
  #12  
Old 12-13-2021, 04:29 PM
Narflex
Sage
 
Join Date: Feb 2003
Location: Redondo Beach, CA
Posts: 6,319
I looked at this already, and I think we're fine.

The version hosted for plugins is not vulnerable to the JNDI exploit. The JAR file doesn't contain the JNDI code at all.

The older version with the SimpleSocketServer exploit isn't a problem either, because that feature isn't being used.

So we should be fine.
__________________
Jeffrey Kardatzke
Google
Founder of SageTV
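The two checks discussed in this thread (Narflex's point about the hosted JAR not containing the JNDI code, and jusjoken's point that the log4j 1.2.17 issue only matters if the SocketServer/SimpleSocketServer classes are used) can both be applied mechanically to a plugin's JAR. The script below is an added example, not code from the thread, from SageTV or from any plugin author: it lists the entries of a JAR and reports whether the log4j 1.x socket-server classes or the log4j 2.x JndiLookup class are present. The class paths are the standard ones inside the official log4j builds; the two sample JARs it inspects are constructed in memory as stand-ins, so it runs offline. For a real check you would pass the bytes of a JAR from your SageTV plugin library directory instead.

```python
"""Added example (not from the thread): inspect log4j JAR contents for the classes
tied to the vulnerabilities discussed above.

- log4j 1.x (CVE-2019-17571): org.apache.log4j.net.SocketServer / SimpleSocketServer;
  only relevant if that socket server is actually run.
- log4j 2.x (CVE-2021-44228): needs org.apache.logging.log4j.core.lookup.JndiLookup;
  a JAR without that class does not carry the JNDI lookup.
"""
import io
import zipfile

# Standard locations of the classes of interest inside official log4j JARs.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_SOCKET_SERVERS = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
)


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Report which log4j generation a JAR belongs to and which risky classes it carries."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            # Maven-built JARs carry META-INF/maven/<group>/<artifact>/pom.properties
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "log4j1": any(n.startswith("org/apache/log4j/") for n in names),
        "log4j2": any(n.startswith("org/apache/logging/log4j/") for n in names),
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "socket_server_classes": sorted(n for n in V1_SOCKET_SERVERS if n in names),
    }


def risk_summary(report: dict) -> str:
    """Turn a report into the same reasoning the thread applies, as one line of text."""
    if report["log4j2"]:
        if report["jndi_lookup_present"]:
            return "log4j 2.x with JndiLookup present: CVE-2021-44228 exposure, upgrade or remove the class"
        return "log4j 2.x without JndiLookup: JNDI lookup code absent"
    if report["log4j1"]:
        if report["socket_server_classes"]:
            return "log4j 1.x with SocketServer classes: CVE-2019-17571 applies only if a socket server is run"
        return "log4j 1.x without SocketServer classes"
    return "not a log4j JAR"


def build_sample_jar(entries: dict) -> bytes:
    """Build an in-memory JAR from a name->content mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins, not real log4j builds: a 1.2.17-style JAR that ships the
# socket-server classes, and a 2.x-style JAR with JndiLookup absent.
CLASS_STUB = b"\xca\xfe\xba\xbe"  # just the class-file magic; contents are irrelevant here
SAMPLE_V1 = build_sample_jar({
    "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
    "org/apache/log4j/Logger.class": CLASS_STUB,
    "org/apache/log4j/net/SocketServer.class": CLASS_STUB,
    "org/apache/log4j/net/SimpleSocketServer.class": CLASS_STUB,
})
SAMPLE_V2_NO_JNDI = build_sample_jar({
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.8.2\n",
    "org/apache/logging/log4j/core/Logger.class": CLASS_STUB,
})

if __name__ == "__main__":
    for label, jar in (("sample log4j 1.x", SAMPLE_V1), ("sample log4j 2.x", SAMPLE_V2_NO_JNDI)):
        report = inspect_log4j_jar(jar)
        print(f"{label}: version={report['version']} -> {risk_summary(report)}")
```

To run it against an installed plugin, read the JAR from disk (`inspect_log4j_jar(open(path, "rb").read())`) and feed the result to `risk_summary`. Note that the 1.x check only tells you the class is present; whether a plugin actually starts a SocketServer is a question about the plugin's code, which is exactly the gap jusjoken points out above.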
  #13  
Old 12-13-2021, 04:51 PM
wayner
SageTVaholic
 
Join Date: Jan 2008
Location: Toronto, ON
Posts: 7,396
Thanks Jeffrey!
__________________
New Server - Sage9 on unRAID 2xHD-PVR, HDHR for OTA
Old Server - Sage7 on Win7Pro-i660CPU with 4.6TB, HD-PVR, HDHR OTA, HVR-1850 OTA
Clients - 2xHD-300, 8xHD-200 Extenders, Client+2xPlaceshifter and a WHS which acts as a backup Sage server
  #14  
Old 12-14-2021, 10:42 AM
ojones
Sage User
 
Join Date: Dec 2005
Posts: 61
Thanks Jeffrey! Your continuing engagement on Sage is extremely appreciated by all of us (and very glad to know we are in the clear).

My wife will be very happy with Sage when I reopen my ports for streaming!
__________________
Hyper-V Host @ Dual Processor E5-2643 3.4ghz v4 HexaCore 128gb ram
Sage Server: VM w2016 x64 Guest running 9.2.x
OpenDCT & Plex Server: VM Ubuntu 16.04
Primary Client: VM W10x64 with GPU Passthrough
  #15  
Old 12-14-2021, 12:07 PM
wayner
SageTVaholic
 
Join Date: Jan 2008
Location: Toronto, ON
Posts: 7,396
Quote:
Originally Posted by ojones View Post
My wife will be very happy with Sage when I reopen my ports for streaming!
__________________
New Server - Sage9 on unRAID 2xHD-PVR, HDHR for OTA
Old Server - Sage7 on Win7Pro-i660CPU with 4.6TB, HD-PVR, HDHR OTA, HVR-1850 OTA
Clients - 2xHD-300, 8xHD-200 Extenders, Client+2xPlaceshifter and a WHS which acts as a backup Sage server
  #16  
Old 12-16-2021, 08:21 AM
bigbill
Sage Aficionado
 
Join Date: Dec 2006
Location: San Diego, California
Posts: 444
Does SageTV use log4j?

Is that being used on our systems running v9 of SageTV? Or any of the clients?
I am asking because of the vulnerabilities in it that appear to be lighting the internet on fire right now. And want to figure out a way to fix that.

Thanks, Bill
__________________
Home DVR: SageTV v9.2.2(64)
i3-6100 3.7ghz, 4GB RAM, Win10 Pro, 3 small fast SSD +1@6TB WD Blue, 1 Quad HDHR, ( OTA Winegard HD8200U, CM4221HD), 1@ STP-HD200, 1@ Nvidia Shield , 1 @ Nvidia Shield new round, 70", 55" & 40" Sony's
RV DVR: 2@SageTV v9.2.2, NUC8i5BEK 16GB, SS980Pro NVMe, 5TB Passport, 1@olderNUC, 2 Dual HDHR, , Winegard BatWing, 40", 32", 28" Sony's, Max Transit
  #17  
Old 12-16-2021, 08:30 AM
KeithAbbott
Sage Icon
 
Join Date: Oct 2009
Location: Southeastern Michigan
Posts: 1,322
See this post: https://forums.sagetv.com/forums/showthread.php?t=66855
__________________
Server: MSI Z270 SLI Plus ATX Motherboard, Intel i7-7700T CPU, 32GB Memory, Unraid 6.9.2, sagetvopen-sagetv-server-opendct-java11 Docker (version 2.0.6)
Tuners: 2 x SiliconDust HDHomeRun Prime Cable TV Tuners, SiliconDust HDHomeRun CONNECT 4K OTA Tuner
Clients: Multiple HD300 Extenders, Multiple Fire TV Stick 4K Max w/MiniClient
Miscellaneous: Multiple Sony RM-VLZ620 Universal Remote Controls
  #18  
Old 12-16-2021, 11:43 AM
sic0048
Sage Icon
 
Join Date: Nov 2007
Posts: 1,379
I'm glad that Jeff feels that the bug won't affect SageTV users.

That being said, this is yet another reason to use VPNs to connect remotely to your home network instead of port forwarding. Not just for SageTV use, but any use. The days of thinking that port forwarding is adequate and safe are long gone.

There are two types of VPN services: one that you run yourself to securely connect to your local network while remote, and the other that sends all of your home network traffic through a free/paid VPN service in an effort to keep your location and data private. I am speaking of the first kind of VPN service, the one that you host yourself and use to connect while offsite. Most network gear/routers can host the VPN service needed to run your own connections. I was always hesitant to use VPNs because I thought the learning curve to use them was too great. That simply isn't true. Setting up and using a VPN connection is not hard and well within the reach of any SageTV user.

I'd recommend that if you are not using a VPN connection currently, you do a Google search with your router's name and "VPN" to find a how-to guide to set one up.

Other than trying to connect with an HD100/200/300, there really shouldn't be any device that can't connect through a VPN to your SageTV server. Computer clients can certainly use a VPN, and even most streaming sticks can have a VPN app loaded onto them. You just open the VPN connection using the VPN app before opening the SageTV viewer and trying to connect. It's pretty easy. I have a ShieldTV that has a VPN app on it that makes it a perfect "travel" device. I can take it anywhere and connect to my SageTV server behind my VPN connection without any hassle, and do so knowing that my home network is as safe/protected as possible without any insecure port forwarding. Plus, it's actually easier to use the device with the VPN service because I use the same SageTV server address whether I'm at home or away from home. The VPN connection makes it appear that my ShieldTV is connected to the local network, so using the local SageTV server address works even when I am offsite. It keeps me from having to have two SageTV servers set up in the streaming device and having to choose which one to use depending on my location.
__________________
i7-6700 server with about 10tb of space currently
SageTV v9 (64bit)
Ceton InfiniTV ETH 6 cable card tuner (Spectrum cable)
OpenDCT
HD-300 HD Extenders (hooked to my whole-house A/V system for synched playback on multiple TVs - great during a Superbowl party)
Amazon Firestick 4k and Nvidia Shield using the MiniClient
Using CQC to control it all

Last edited by sic0048; 12-16-2021 at 11:59 AM.
  #19  
Old 12-22-2021, 05:22 PM
timg11
Sage Aficionado
 
Join Date: Sep 2008
Posts: 472
log4j and SageTV?

I've been reading about log4j vulnerabilities, and noticed that I have log4j 1.2.17 by stuckless as a plugin. There is also Simple Logging Facade Log4J Implementation Library.

Should I be concerned?

I tried to uninstall, but Infopopup Caller ID (v7.0.4) depends on it. Come to think of it, I haven't seen any CID pop-ups in a while (but I don't have many landline calls either).

ps - thanks to whoever moved my post onto this thread. I don't know how I missed it!

It appears that CallerID no longer works anyway, so I'll just remove it.
__________________
HD300 extender with (2020 New Build) SageTV 64 bit V9.2.2.903 (service mode), Running on Windows 10 (64 bit), Intel Core i7-10700K CPU, 16G RAM, GIGABYTE Z490 UD motherboard. NVidia GTX1650 Super; Viewsonic LCD on one output and Mitsubishi WD57734 HDTV via DVI/HDMI on other output. HDHomeRun HDHR5-4US tuner, Hauppauge "Siena" 1512 HD-PVR2 connected to Cisco Cable modem from Spectrum, tuned with USB-UIRT.

Last edited by timg11; 12-22-2021 at 06:00 PM.