Hello Martijn,
I found the following posting, that version 1.x may be affected,too, but in a different way (only LDAP based?):
https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
Since the Pro version supports LDAP certificat lookups, could this be a problem?
Best wishes,
Stefan
-----Ursprüngliche Nachricht-----
> Von: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
> Gesendet: Montag 13. Dezember 2021 8:34
> An: users(a)lists.ciphermail.com
> CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com>
> Betreff: [CipherMail User] Re: Apache log4j vulnerability, CVE-2021-44228
>
> Hi Ricky,
>
> CipherMail Gateway and Webmail Messenger are *not* vulnerable to
> CVE-2021-44228 because an older version of log4j (1.2) is used which
> does not contain the (vulnerable) lookup functionality.
>
> When we became aware, a few hours after the details were posted, that
> log4j was exploitable, we analyzed the exploit and concluded that
> CipherMail was not vulnerable.
>
> CipherMail uses version 1.2.15 of the log4j library. This version is
> still widely deployed. It is true that version 1.x of log4j is no
> longer supported, however we always analyze any impact of a published
> exploit to see whether a CipherMail product is impacted or not. We are
> not aware of any vulnerabilities in the default configuration of 1.x as
> used by CipherMail.
>
> We will further analyze whether we upgrade to a newer version of log4j
> or use a different logging library instead.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> > Apache log4j has a critical zero day vulnerability (CVSS score of
> > 10), CVE-2021-44228.
> >
> > https://logging.apache.org/log4j/2.x/security.html
> > https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-442…
> >
> > The vulnerability appears to impact log4j 2.x thru 2.15.0-rc1. Upon
> > a cursory check, Ciphermail appears to use log4j 1.2.15, which while
> > end of life and potentially vulnerable to other threats, shouldn't be
> > vulnerable to this specific flaw. As a result, the mitigating
> > controls may not be applicable or necessary.
> >
> > Thoughts, or discussion?
> --
> CipherMail email encryption
> Email encryption with support for S/MIME,
> OpenPGP, PDF Messenger and Webmail Messenger
>
>
Hello,
we have a problem with the feedback of PDF passwords to the sender.
If we have a recipient or multiple recipients via BCC, everything is fine.
However, if 2 recipients are named as CC, then the notification is no longer correct.
Both recipients are then named in the e-mail, but the second recipient receives the same password as
the first to appear.
How do we have to change it so that the passwords are correct?
Our template looks like this:
<#assign passwords = mail.getAttribute("djigzo.encryptedPasswords")>
<#assign emails = passwords?keys>
<#list emails as email>
<#assign pwc = passwords[email]>
</#list>
<#list mail.recipients as recipient>
</#list>
Ihre Nachricht (ID: ${pwc.passwordID}) mit dem Betreff: ${qp(subject!"")}
<#list mail.recipients as recipient>
wurde verschlüsselt an den Empfänger übertragen: (${qp(recipient)}) , das Passwort ist: ${pwc.password}
</#list>
<#assign passwords = mail.getAttribute("djigzo.encryptedPasswords")>
<#assign emails = passwords?keys>
<#list emails as email>
<#assign pwc = passwords[email]>
</#list>
Bitte teilen Sie dem Empfänger das Passwort auf anderem Wege (z.B. telefonisch) mit.
Mit freundlichen Grüßen
[cid:image001.png@01D7EA72.95BFB820]<http://www.wizard.de/default.cfm?mid=25603>
Ralf Kirmis - Teamleiter RZ / Infrastruktur
[cid:image002.jpg@01D7EA72.95BFB820]<http://www.wizard.de/>
Neue Straße 52 D-27432 Bremervörde
Telefon 04761-9941-0 Fax 04761-9941-400
Unseren Service erreichen Sie unter: Tel: +49 4761-9941-120, Fax: +49 4761-9941-420, service(a)wizard.de<mailto:service@wizard.de>
Den Vertrieb erreichen Sie unter: Tel: +49 4761-9941-130, Fax: +49 4761-9941-430, vertrieb(a)wizard.de<mailto:vertrieb@wizard.de>
Vertretungsberechtigter Geschäftsführer: Normen Herting Registergericht: Amtsgericht Tostedt Registernummer: HRB 100838 Umsatzsteuer-Identifikationsnummer gemäß § 27a Umsatzsteuergesetz: DE 116923248
Hinweis zum Datenschutz
Der Inhalt dieser eMail sowie etwaiger Anlagen hierzu sind vertraulich und ausschließlich für den Gebrauch durch den Empfänger bestimmt. Soweit eine Weitergabe oder Verteilung nicht ausschließlich zu internen Zwecken des Empfängers geschieht, wird jede Weitergabe, Verteilung oder sonstige Vervielfältigung untersagt. Diese eMail ist ausschließlich für den in der Adresse genannten Empfänger bestimmt. Sollten Sie nicht der beabsichtigte Empfänger der eMail sein, informieren Sie bitte den Absender unverzüglich. Diese eMail und die Dateianlagen wurden vom Absender auf Viren geprüft und über den abgesicherten Internet-Zugang eZEUS mit Firewall- und Viruswall-Technik verschickt. Weitere Informationen zu eZEUS finden Sie hier: http://www.wizard.de<http://www.wizard.de/>.
I’m running ciphermail for more than 2 years on SuSe Leap 15.2 and it’s running fine. Since the last update on Suse I can’t log into the web interface.
When I tried to open the page, I get this error (Firefox):
SSL_ERROR_NO_CYPHER_OVERLAP
Same with Edge-Browser.
I tried to update ciphermail to the actual version (5.1.3.0). But no difference.
Someone the same problem or a solution?
Best regards
Otmar
I'm being forced to use CentOS 7 on a server, and I'm trying to install an older version of Ciphermail (4.11.0-0).
I follow all the steps for the related version to install. When I start Tomcat, catalina throws the following error:
Nov 15, 2021 9:50:20 AM org.apache.catalina.startup.HostConfig deployDescriptors
SEVERE: Error waiting for multi-thread deployment of context descriptors to complete
java.util.concurrent.ExecutionException: java.lang.NullPointerException
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:597)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:493)
at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1757)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:333)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1370)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:696)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
... 1 more
I've been digging online to try and solve this issue - and it could be related to some sort of JAR file issue inside the application - see here https://bz.apache.org/bugzilla/show_bug.cgi?id=53871#c16
Any ideas on what i can do to resolve this would be greatly appreciated.
OS:
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Kernel: 3.10.0-1160.31.1.el7.x86_64
Hello,
I'm having problems to setup CM 4.11.0 on a fresh install of Ubuntu 18.04.
Calling https://IP-address:8443/ciphermail return a 404 error:
Type Status Report
Message /ciphermail
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
/var/log/tomcat8/catalina.out contains the following messages:
[04 Nov 2021 16:56:44 localhost-startStop-1] ERROR [ 7] Invoking method mitm.djigzo.web.services.DjigzoModule.contributeApplicationDefaults(MappedConfiguration, ComponentClassResolver) (at DjigzoModule.java:373). (org.apache.tapestry5.ioc.Registry)
[04 Nov 2021 16:56:44 localhost-startStop-1] ERROR Construction of service ApplicationDefaults failed: Error invoking constructor org.apache.tapestry5.ioc.internal.services.MapSymbolProvider(Map) (at MapSymbolProvider.java:30) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:36) (for service 'ApplicationDefaults'): Error invoking service contribution method mitm.djigzo.web.services.DjigzoModule.contributeApplicationDefaults(MappedConfiguration, ComponentClassResolver): Unable to resolve class name mitm.djigzo.web.pages.ErrorPage to a logical page name. (org.apache.tapestry5.ioc.services.TapestryIOCModule.ApplicationDefaults)
java.lang.RuntimeException: Error invoking constructor org.apache.tapestry5.ioc.internal.services.MapSymbolProvider(Map) (at MapSymbolProvider.java:30) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:36) (for service 'ApplicationDefaults'): Error invoking service contribution method mitm.djigzo.web.services.DjigzoModule.contributeApplicationDefaults(MappedConfiguration, ComponentClassResolver): Unable to resolve class name mitm.djigzo.web.pages.ErrorPage to a logical page name.
....
04-Nov-2021 16:56:45.784 WARNUNG [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [ciphermail] appears to have started a thread named [jobScheduler_Worker-8] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
java.lang.Object.wait(Native Method)
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:519)
Here is the list of relevant software packages ....
djigzo 4.11.0-0
djigzo-web 4.11.0-0
libtomcat8-java 8.5.39-1ubuntu1~18.04.3
openjdk-8-jre:amd64 8u292-b10-0ubuntu1~18.04
openjdk-8-jre-headless:amd64 8u292-b10-0ubuntu1~18.04
tomcat8 8.5.39-1ubuntu1~18.04.3
tomcat8-common 8.5.39-1ubuntu1~18.04.3
and the configuration files:
/etc/tomcat8/Catalina/localhost/ciphermail.xml
<Context docBase="/usr/share/djigzo-web/djigzo.war" />
/etc/tomcat8/Catalina/localhost/web.xml
<Context docBase="/usr/share/djigzo-web/djigzo-portal.war" />
/etc/default/tomcat8
JAVA_OPTS="$JAVA_OPTS -Ddjigzo-web.home=/usr/share/djigzo-web"
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Xmx128M"
Does anyone has a suggestions what I might have forgotten or done wrong?
Best regards,
Stefan
Hi,
I enabled DKIM signing on my Ciphermail Gateway for one internal Domain,
with a generated private/public Key-Pair. The DKIM-DNS-Record with the public Key is
published on our DNS-Server-Zone for this Domain.
When i send a E-Mail to an external Recipient from a Sender of that Domain,
there is no DKIM-Signature in the E-Mail-Header.
In the Ciphermail-Logfile are INFO Entrys for every external Recipient:
... ciphermail-gateway-backend[]: .. INFO DKIM signing is disabled for the sender ...
Can anyone help me, so what is my mistake?
I think Ciphermail signs all outgoing emails using DKIM, or am I thinking wrong?
Does postfix perhaps need opendkim to sign outgoing emails?
King regards,
Stephan Unsin
I installed a brand new CipherMail 5.0.4 VM from OVA.
Console login works, configuring network works, looking around in bash looks quite good.
When accessing https:/<<my-ip-address>> and logging in with admin and default PW, I get a "Login failed".
In /var/log/ciphermail-gateway-backend.log I see error mesages (shortened):
INFO Application {http://ws.djigzo.com}PAM#{http://ws.djigzo.application.mitm/}authenticate has thrown exception
WARN [Admin Login] Authentication failure: Bad credentials, Source: --- Principal: admin; Credentials: [PROTECTED]; Authenticated: false; --- Not granted any authorities
I already did a reset of the admin passwd according to "Forgot GUI admin password" foind in documentation.
Where is my mistake? How can I access the admin pages?
Thanks, Birger
Hello,
we are planning to moved from the distribution packages with version 4.11 to Virtual Appliance Version 5.0.4
After creating a backup on the old system I am trying to restore the backup via the Webinterface in 5.0.4 on the virtual appliances.
Unfortunately the certificate database doesn't seem to be imported even tough it should be in the backup file.
Other MTA-settings are imported properly. I think it could be related to the old version using Postgres and the virtual appliance uses MYSQL - but I am not sure of that.
I also tried importing with the backup.sh script - but still the certificates are not showing up in the webinterface.
Does anybody have an idea how to import the file and keep the certificate database?
Mit freundlichen Grüßen, Best Regards,
Vincent Willert
Hello Ciphermail,
We've put the encryption gateway behind nginx proxy (full configuration
attached). Sample:
> location / {
> proxy_pass https://192.168.0.1:8443/;
> proxy_http_version 1.1;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection 'upgrade';
> proxy_set_header Host $host;
> proxy_cache_bypass $http_upgrade;
> proxy_intercept_errors on;
>
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $remote_addr;
However when a new user accesses PDF Portal they are presented with a Login
page instead of "Create new password" page for the user.
Also, inside the portal, some of the features like accessing system logs
return a page with no style (screenshot attached).
Can you please advise what nginx configuration we can try to make
Ciphermail work behind it?
