Ian Schmidt
Bronze Partner
Intermediate Cert.
- Joined
- Dec 10, 2021
- Messages
- 1
- Reaction score
- 1
- Dec 10, 2021
- #1
Hello,
Can we get a statement from 3CX on CVE-2021-44228? Is the system affected by this vulnerability? If not, great! If so, is a patch coming and will action be required on the part of Administrators.
Thanks,
Ian
Reactions:
ckrammerflorink
Forum User
- Joined
- Feb 8, 2018
- Messages
- 189
- Reaction score
- 79
- Dec 10, 2021
- #2
I don't believe 3CX is using anything JAVA related...
jcostlow
Silver Partner
Advanced Certified
- Joined
- Jul 11, 2020
- Messages
- 394
- Reaction score
- 152
- Dec 10, 2021
- #3
I believe that plugin is only for Apache. 3CX uses nginx so it shouldn't be affected.
Reactions:
cobaltitckrammer
Customer
- Joined
- Dec 3, 2020
- Messages
- 40
- Reaction score
- 19
- Dec 13, 2021
- #4
Log4j is part of a lot of components, I updated all my linux servers to the newest packages, except for 3CX as of now. We need an official statement if we can (have to?) update the Debian base system to avoid any risks.
Bucher Admin
Premier Customer
- Joined
- Dec 13, 2021
- Messages
- 2
- Reaction score
- 2
- Dec 13, 2021
- #5
jcostlow said:
I believe that plugin is only for Apache. 3CX uses nginx so it shouldn't be affected.
I would say it is the wrong time to just believe jcostlow!
As ckrammer said we need a clear and official statement.
Our security tools already went on alarm that the nginx.exe is communicating with malicious IPs.
Examples:
23.129.64.131
185.220.100.253
virustotal also classifies these addresses as vulnerable.
So to me it clearly looks like nginx.exe is using the log4j functionality and is affected!
Reactions:
ckrammerZorgNed - JDooge
Free User
- Joined
- Jul 11, 2019
- Messages
- 33
- Reaction score
- 5
- Dec 13, 2021
- #6
jcostlow said:
I believe that plugin is only for Apache. 3CX uses nginx so it shouldn't be affected.
This is absolutely false information. Log4j has nothing to do with Apache httpd (web server).
That being said, 3CX doesn't seem to use any Java at least in our local Debian-based appliance and I found no traces of Log4J being installed on it.
pj3cx
- Joined
- Aug 1, 2013
- Messages
- 760
- Reaction score
- 264
- Dec 13, 2021
- #7
Hello all,
Thanks for raising concerns, let's clear this out: we are indeed not using any Java in the 3cx System and confirmed with our Product team that we have no dependencies with Log4j library so aren't affected by this vulnerability.
@Bucher Admin this means your 3cx HTTPS port was contacted by those IP addresses that are probably scanning for vulnerable hosts to hack but it's a dead end in our case.
Reactions:
RCT-CP, jed, TagleRock and 7 othersBucher Admin
Premier Customer
- Joined
- Dec 13, 2021
- Messages
- 2
- Reaction score
- 2
- Dec 13, 2021
- #8
pj3cx said:
Hello all,
Thanks for raising concerns, let's clear this out: we are indeed not using any Java in the 3cx System and confirmed with our Product team that we have no dependencies with Log4j library so aren't affected by this vulnerability.@Bucher Admin this means your 3cx HTTPS port was contacted by those IP addresses that are probably scanning for vulnerable hosts to hack but it's a dead end in our case.
Thank you very much for this official information.
Have a good day Pierre.
Kind regards,
Christian
Reactions:
jedHiroNikuyama
Bronze Partner
- Joined
- Jul 20, 2020
- Messages
- 77
- Reaction score
- 7
- Dec 13, 2021
- #9
pj3cx said:
Hello all,
Thanks for raising concerns, let's clear this out: we are indeed not using any Java in the 3cx System and confirmed with our Product team that we have no dependencies with Log4j library so aren't affected by this vulnerability.@Bucher Admin this means your 3cx HTTPS port was contacted by those IP addresses that are probably scanning for vulnerable hosts to hack but it's a dead end in our case.
Hi thanks for the "official" statement.
Now let us clarify if ghis is applicable to 3cx windows client(ver.16, ver1.8), mobile apps(Android/iOS) as well?
pj3cx
- Joined
- Aug 1, 2013
- Messages
- 760
- Reaction score
- 264
- Dec 13, 2021
- #10
@HiroNikuyama we've checked also the 3cx windows client, Desktop application, Android app, iOS app and they don't have any dependency to this library, so all are safe.
Reactions:
PhilK, LucaFds, ChrisC_3CX and 2 othersHiroNikuyama
Bronze Partner
- Joined
- Jul 20, 2020
- Messages
- 77
- Reaction score
- 7
- Dec 13, 2021
- #11
pj3cx said:
@HiroNikuyama we've checked also the 3cx windows client, Desktop application, Android app, iOS app and they don't have any dependency to this library, so all are safe.
Good! thanks for the detailed info!
Reactions:
ChrisC_3CXtnib_brainy
Silver Partner
Basic Certified
- Joined
- Jul 14, 2015
- Messages
- 2
- Reaction score
- 0
- Dec 14, 2021
- #12
I made some analysis today and found traces of log4j in the File /usr/lib/3cxpbx/NLog.dll
log4jDateBase
log4jxmlevent
bcmike3223
Platinum Partner
- Joined
- Oct 5, 2021
- Messages
- 1
- Reaction score
- 0
- Dec 15, 2021
- #13
tnib_brainy said:
I made some analysis today and found traces of log4j in the File /usr/lib/3cxpbx/NLog.dll
log4jDateBase
log4jxmlevent
I'm not an expert but I believe this is so that Nlog can send and receive messages to a remote log4J application. Again, this is just a guess!
Tanner Chartier
Gold Partner
Basic Certified
- Joined
- May 22, 2018
- Messages
- 1
- Reaction score
- 0
- Dec 15, 2021
- #14
Found this thread after getting a positive result with one of our scanners, Network Detective by RapidFire Tools that seems to point at a 3CX install on Linux as being vulnerable on port 5900. Not sure what to make of it.
meteoviva_it
Customer
- Joined
- Dec 15, 2021
- Messages
- 1
- Reaction score
- 0
- Dec 15, 2021
- #15
3CX Phone System on Linux (Debian in our case) does not ship with any apache components.
pj3cx
- Joined
- Aug 1, 2013
- Messages
- 760
- Reaction score
- 264
- Dec 15, 2021
- #16
Hi, @Tanner Chartier, looks like a false positive but I'll PM you so we can double check with your tool.
v3n0x1984
Free User
- Joined
- Dec 16, 2021
- Messages
- 1
- Reaction score
- 1
- Dec 16, 2021
- #17
Hi @pj3cx and? It was a false positive?
Reactions:
mcbsystemsDaniel Crafts
Gold Partner
Advanced Certified
- Joined
- Nov 5, 2018
- Messages
- 31
- Reaction score
- 2
- Dec 17, 2021
- #18
Hi @pj3cx
what is the result of your check with @Tanner Chartier ?
BR,
Daniel
pj3cx
- Joined
- Aug 1, 2013
- Messages
- 760
- Reaction score
- 264
- Dec 17, 2021
- #19
Hello,
I have not received any reply from the gentleman but our internal checks confirms that there is no such vulnerability in the products. In particular, nothing happens when throwing java strings to our ports...
@tnib_brainy about NLog.dll, it's a standard .NET library used for logging, it does have 2 "Log4j" strings in it which are functions names meant to format some outputs in the same manner for interoperability purposes, but in no way this means the vulnerable Log4j library is statically or dynamically loaded in it. The two libraries are not related. You can also refer to their site or github for more info.
Reactions:
LucaFds, FridayIT, v3n0x1984 and 3 othersBenedikt Machens
Titanium Partner
Advanced Certified
- Joined
- Feb 14, 2018
- Messages
- 247
- Reaction score
- 171
- Dec 17, 2021
- #20
pj3cx said:
Hello,
I have not received any reply from the gentleman but our internal checks confirms that there is no such vulnerability in the products. In particular, nothing happens when throwing java strings to our ports...@tnib_brainy about NLog.dll, it's a standard .NET library used for logging, it does have 2 "Log4j" strings in it which are functions names meant to format some outputs in the same manner for interoperability purposes, but in no way this means the vulnerable Log4j library is statically or dynamically loaded in it. The two libraries are not related. You can also refer to their site or github for more info.
Just to underline this via a simple github search -> https://github.com/NLog/NLog/search?q=log4j
Most occurrences of "log4j" are in comment lines. "log4j is commonly used" and not "log4j is everywhere" 
