Resolve and the log4j exploit?

Get answers to your questions about color grading, editing and finishing with DaVinci Resolve.
  • Author
  • Message
Offline
User avatar

Henrik Cednert

  • Posts: 125
  • Joined: Wed Aug 29, 2012 6:21 pm

Resolve and the log4j exploit?

PostWed Dec 15, 2021 5:23 am

I can see traces on the forum of Resolve using log4j to some extent. Have any one heard anything from BM if Resolve, or other BM products, are affected? They did a very cryptic tweet with little to no info about a security issue (https://twitter.com/Blackmagic_News/sta ... 4646439937) .

Maybe someone from BM can clarify? :roll:
Henrik Cednert | cto | cbb | Filmlance International | www.filmlance.se
Offline
User avatar

TheBloke

  • Posts: 1905
  • Joined: Sat Nov 02, 2019 11:49 pm
  • Location: UK
  • Real Name: Tom Jobbins

Re: Resolve and the log4j exploit?

PostWed Dec 15, 2021 7:59 am

I just did some brief research and so far as I can tell, Resolve shouldn't be vulnerable to the log4j exploit because Resolve uses log4cxx, and that does not suffer from the same vulnerability. The log4j exploit is in the JNDI receiver, which is unique to Java.

Here for example is a statement from the makers of Cerberus FTP, stating that their product - which uses log4cxx - isn't and couldn't be vulnerable: https://support.cerberusftp.com/hc/en-u ... nerability

"Cerberus is not and cannot be affected by CVE-2021-44228, log4j 0-day vulnerability. Cerberus FTP Server does not use the vulnerable Java log4j library, but a similar C++ rewrite called Log4cxx. The Log4cxx library is patterned after log4j, but the two libraries are fundamentally different and do not share any code."


Of course, no-one should take my word on this on matters of security - contact BMD directly if you're concerned, etc etc. Really BMD should put out their own statement, as Cerberus did.

No idea what the security vulnerability mentioned in the tweet might be. That's an incredibly useless tweet.
Resolve Studio 17.4.3 and Fusion Studio 17.4.3 on macOS 11.6.1

Hackintosh:: X299, Intel i9-10980XE, 128GB DDR4, AMD 6900XT 16GB
Monitors: 1 x 3840x2160 & 3 x 1920x1200
Disk: 2TB NVMe + 4TB RAID0 NVMe; NAS: 36TB RAID6
BMD Speed Editor
Offline

Yandrix

  • Posts: 1
  • Joined: Wed Dec 15, 2021 8:32 am
  • Real Name: Marco Waldmann

Re: Resolve and the log4j exploit?

PostWed Dec 15, 2021 8:36 am

What I found using a log4j-scanner (https://github.com/hillu/local-log4j-vu ... r/releases):
c:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\Libraries\Photon.jar (org/apache/log4j/net/SocketNode.class): log4j 1.2.17

This version should not be vulnerable.
Offline
User avatar

TheBloke

  • Posts: 1905
  • Joined: Sat Nov 02, 2019 11:49 pm
  • Location: UK
  • Real Name: Tom Jobbins

Re: Resolve and the log4j exploit?

PostWed Dec 15, 2021 8:46 am

I have a theory that whatever this mystery exploit is, it was in the Qt library.

We know that the Qt library was upgraded in version 17.4 (causing even more display scaling issues for Windows users). I just checked the versions installed in 17.3.2 versus 17.4, and found that:

- Fusion Studio and Resolve Studio 17.3.2 (and earlier) used Qt 5.4.1
- Fusion Studio and Resolve Studio 17.4+ use Qt 5.15.2

Checking the CVE database, there's a large number of Qt vulnerabilities that affect Qt versions prior to 5.15.2. I won't list them all because there's dozens, but here's a list: https://www.cvedetails.com/vulnerabilit ... 63/QT.html

The most severe exploits listed are CVE-2020-12267 which affects Qt versions prior to 5.14.2 and CVE-2018-19873 which affects Qt versions prior to 5.11.3.

So the tweet could be referring to any of those - or all of those.

Or it might be something else entirely, in some other library that got upgraded, or in Resolve itself. Who knows, when the information provided is so inadequate.

At least it's good to see that Resolve and Fusion Studio are finally using a supported version of Qt again (support for 5.4 ended in July 2017 - four years and three months before BMD stopped using it ;) )
Resolve Studio 17.4.3 and Fusion Studio 17.4.3 on macOS 11.6.1

Hackintosh:: X299, Intel i9-10980XE, 128GB DDR4, AMD 6900XT 16GB
Monitors: 1 x 3840x2160 & 3 x 1920x1200
Disk: 2TB NVMe + 4TB RAID0 NVMe; NAS: 36TB RAID6
BMD Speed Editor
Offline
User avatar

TheBloke

  • Posts: 1905
  • Joined: Sat Nov 02, 2019 11:49 pm
  • Location: UK
  • Real Name: Tom Jobbins

Re: Resolve and the log4j exploit?

PostWed Dec 15, 2021 5:47 pm

Yandrix wrote:What I found using a log4j-scanner (https://github.com/hillu/local-log4j-vu ... r/releases):
c:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\Libraries\Photon.jar (org/apache/log4j/net/SocketNode.class): log4j 1.2.17

This version should not be vulnerable.
Ah, good catch. So they do bundle log4j, but as part of a supplementary library. And this was not updated in 17.4 (hasn't been updated for many years it looks like.)

I am still pretty sure the mystery vulnerability tweet was Qt related.
Resolve Studio 17.4.3 and Fusion Studio 17.4.3 on macOS 11.6.1

Hackintosh:: X299, Intel i9-10980XE, 128GB DDR4, AMD 6900XT 16GB
Monitors: 1 x 3840x2160 & 3 x 1920x1200
Disk: 2TB NVMe + 4TB RAID0 NVMe; NAS: 36TB RAID6
BMD Speed Editor
Offline

Noerde

  • Posts: 110
  • Joined: Tue Mar 30, 2021 12:37 pm
  • Real Name: Panu Artimo

Re: Resolve and the log4j exploit?

PostWed Dec 15, 2021 6:50 pm

TheBloke wrote:Ah, good catch. So they do bundle log4j, but as part of a supplementary library. And this was not updated in 17.4 (hasn't been updated for many years it looks like.)

I am still pretty sure the mystery vulnerability tweet was Qt related.


maybe this one https://github.com/Netflix/photon
Offline

Olaf at BMForum

  • Posts: 37
  • Joined: Fri Jul 26, 2019 3:39 pm
  • Real Name: Olaf Bürger

Re: Resolve and the log4j exploit?

PostSat Dec 18, 2021 7:20 pm

What Versions of Log4j are Affected?
All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
Has Apache Released a Fix for CVE-2021-45046?
Yes. In response to the issue, Apache Log4j 2.16.0 was released for Java 8 and up and 2.12.2 for Java 7.


Source of the information:
https://www.fortiguard.com/threat-signa ... of-service

Therefore this one was only referring the old log4shell not the new one
https://www.slashcam.com/news/single/Bl ... 16939.html

Blackmagic should give us some answers!
Offline

lost_soul

  • Posts: 239
  • Joined: Fri May 31, 2019 12:30 am
  • Location: Vancouver
  • Real Name: Shawn Metheny

Re: Resolve and the log4j exploit?

PostSun Dec 19, 2021 11:12 pm

Unless you have your copy of resolve listening on the internet some how so people can send attacks to it you are not vulnerable to any thing. The Log4J issue is a big problem for things like apache servers because computers can attach to the listening web server and send it specially designed instructions. That is not how resolve is used.
Centos 8
RX 580
AMDGPU-pro
Studio (What ever the latest is)
Offline
User avatar

TheBloke

  • Posts: 1905
  • Joined: Sat Nov 02, 2019 11:49 pm
  • Location: UK
  • Real Name: Tom Jobbins

Re: Resolve and the log4j exploit?

PostMon Dec 20, 2021 8:01 am

Noerde wrote:maybe this one https://github.com/Netflix/photon
Yes you're right, it's that.
lost_soul wrote:Unless you have your copy of resolve listening on the internet some how so people can send attacks to it you are not vulnerable to any thing. The Log4J issue is a big problem for things like apache servers because computers can attach to the listening web server and send it specially designed instructions. That is not how resolve is used.
Yeah. How would you exploit it remotely? There's no webserver allowing remote access to Resolve.

And even if it were somehow accessible remotely, Log4J 1.x is only affected by one of the Log4J vulnerabilities (CVE-2021-4104), which has the following details:

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

JMSAppender is not used in the Photon.jar config which, as it says, is not default log4j config, and regardless the exploit also requires write access to the log4j configuration.

Resolve is not affected by the Log4J exploit(s), for several different reasons.

What bug it WAS affected by - what that mystery tweet was about - is a different question. As I theorised before, they may well have been referring to the many Qt issues that got resolved when they upgraded from Qt 5.4.1 to 5.15.2.

But BMD are refusing to clarify, which is pretty bad.
Resolve Studio 17.4.3 and Fusion Studio 17.4.3 on macOS 11.6.1

Hackintosh:: X299, Intel i9-10980XE, 128GB DDR4, AMD 6900XT 16GB
Monitors: 1 x 3840x2160 & 3 x 1920x1200
Disk: 2TB NVMe + 4TB RAID0 NVMe; NAS: 36TB RAID6
BMD Speed Editor
Offline
User avatar

roger.magnusson

  • Posts: 3217
  • Joined: Wed Sep 23, 2015 4:58 pm

Re: Resolve and the log4j exploit?

PostSat Jan 01, 2022 3:30 am

Regarding the patch that BMD released, the third party that found the exploits in Resolve (Talos, part of Cisco) has posted about it. The issues were in the DPDecoder service that uses the R3D SDK to decode/debayer RED raw files. Not related to log4j.

Vulnerability Spotlight: Vulnerabilities in DaVinci Resolve video editing software could lead to code execution

TALOS-2021-1426 (CVE-2021-40417)
TALOS-2021-1427 (CVE-2021-40418)

Return to DaVinci Resolve

Who is online

Users browsing this forum: Axentium, Bing [Bot], cyberphile, Google [Bot], Jmillet55, Josef Pöllmann, SZubal, Tony Greenwood, whatsreallygood and 109 guests