CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability
Article ID: 230231
Updated On:
Products
Issue/Introduction
LAST UPDATE: 1/12/2022 12:35 AM EST
Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
The fixes included here also address concerns in CVE-2021-45046.
Environment
Release : 10.4.x, 20.2.x, 21.2.x
Component: SPCOCK - Spectrum OneClick
Cause
DX NetOps Spectrum is vulnerable to this CVE due to the versions of log4j shipped.
Resolution
Broadcom is suggesting that all customers upgrade to DX Netops Spectrum 21.2.8 which includes Log4J 2.17.1. Older versions will not be patched. The workarounds can still be followed to clear the issues, however upgrading is recommended.
DX Netops Spectrum SpectroSERVER only installations are not vulnerable.
On all OneClick Servers make the following changes:
1. Update the CA-NIM Component
- Change Directory to $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/config/
cd $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/config/
- Edit the log4j2.xml file and add {nolookups} to the <pattern>:
<Appenders>
<RollingFile name="LOGFILE" fileName="${File}/Nim.log" filePattern="${File}/Nim.log.%i">
<PatternLayout>
<pattern>[%d{dd/MM/yy HH:mm:ss:SSS z}] [%t] %5p %c{2}: %m{nolookups}%n</pattern>
<charset>UTF-8</charset>
</PatternLayout>
<Policies>
<SizeBasedTriggeringPolicy size="10 MB"/>
</Policies>
<DefaultRolloverStrategy max="50"/>
</RollingFile>
</Appenders>
CA NIM: https://knowledge.broadcom.com/external/article?articleId=230345
2. Update the jar files:
Remove the JndiLookup class from log4j-core.2.x.x.jar as it is not needed.
Linux:
- Stop the Spectrum Tomcat service and Webtomcat service.
$ cd $SPECROOT/tomcat/bin
$ ./stopTomcat.sh
$ cd $SPECROOT/webtomcat/bin
$ ./stopWebTomcat.sh
- Remove the JndiLookup class from the following jar files (Note - do not remove the files):
$SPECROOT/tomcat/webapps/ca-nim-sm/
$SPECROOT/tomcat/webapps/axis2/WEB-
$SPECROOT/webtomcat/webapps/admin/WEB-
$SPECROOT/webtomcat/webapps/spectrum/
Run the following command against each jar file listed above (go in each lib directory) to remove the JndiLookup.class:
$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/
- You can verify that the vulnerable jars were mitigated successfully by running the grep command line below:
$ grep -R 'JndiLookup.class'
If no file is displayed in the grep command line, then the JndiLookup.class does not exist in any file of the current directory.
Another examples of grep syntaxes:
$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/webtomcat/webapps/admin/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/lib/log4j-core-*.jar
You will get the following message if you run the following syntax in Spectrum release below 21.2.4 (because the log4j-core-*.jar in axis2 folder is shipped in Spectrum 21.2.4 onwards):
$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar
grep: /usr/Spectrum//tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar: No such file or directory
- Start the Spectrum Tomcat service and Webtomcat service.
$ cd $SPECROOT/tomcat/bin
$ ./startTomcat.sh
$ cd $SPECROOT/webtomcat/bin
$ ./startWebTomcat.sh
Windows:
These steps need to be done for each of the following JAR files:
$SPECROOT\tomcat\webapps\ca-nim-sm\WEB-INF\lib\log4j-core-*.
$SPECROOT\tomcat\webapps\axis2\WEB-
$SPECROOT\webtomcat\webapps\admin\WEB-
$SPECROOT\webtomcat\webapps\spectrum\WEB-INF\lib\log4j-core-*.
Rename the above .jar files to .zip
Double-click the zip file to navigate into it.
Go to the org/apache/logging/log4j/core/
Once the file has been deleted, rename .zip back to .jar.
Restart the Tomcat Service
Example using 7-ZIP (7z) to remove the JndiLookup.class file from a jar
Note: It is possible other compression/archiver utilities may also be used to open the jar files
Right Click on the log4j-core-2.x.xx.x.jar file
Select: 7-Zip ~~> Open Archive
Navigate to: org\apache\logging\log4j\core\lookup\
Select: JndiLookup.class
Right Click ~~> Delete
3. Update Webtomcat (in Spectrum 10.4.1 onwards)
Linux & Windows- Change Directory to $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/classes/
cd $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/classes/
- Edit the log4j2.xml file and add {nolookups} to EACH of the <PatternLayout> sections
<RollingFile name="R" fileName="${sys:webswing.logsDir:-logs/}webswing.log" filePattern="${sys:webswing.logsDir:-logs/}webswing.log.%i">
<PatternLayout pattern="%d %-5p [%t] (%F:%L) %m{nolookups}%n" />
<Policies>
<OnStartupTriggeringPolicy />
<SizeBasedTriggeringPolicy size="100 MB"/>
</Policies>
<DefaultRolloverStrategy max="5" />
</RollingFile>
Note: There are 4 <PatternLayout> sections (the first commented out), update EACH of these with the {nolookups} option
screenshot
NOTE: DX NetOps 21.2.6 is shipped with log4j 2.17.0 which addresses these vulnerabilities.
Additional Information
Secure Domain Connector Details here:
https://knowledge.broadcom.com/external/article?articleId=230377
Spectrum includes CAPKI, is that vulnerable?
https://knowledge.broadcom.com/external/article?articleId=230417
CVE-2021-45105: Is Spectrum affected?
https://knowledge.broadcom.com/external/article?articleId=231146
Some customers reported that their scan tools showing the log4j present in war files were also an issue.
Please see the below steps to remove the JNDILookup class from war files.
OBS: Below files at given locations also contains a jndiLookup class file inside it.
$SPECROOT/webtomcat/webswing.zip
$SPECROOT/webtomcat/webswing/spectrum.war
$SPECROOT/webtomcat/webswing/admin/admin.war (admin.war is not present in 10.4.x releases)
Above files can be safely deleted, since it's used only during the Spectrum installation process, when it's unzipped to create the webswing directory and configurations.
Linux:
Stop spectrum tomcat and webtomcat services
Take a backup of the following file and keep it outside of the spectrum directory structure:
$SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/axis2.xml
Identify the .war files which are having log4j-core-*.jar.
$Specroot/tomcat/webapps/axis2.war (Effected from 21.2.4 onwards, old version having log4-1.x.jar)
$Specroot/webtomcat/webapps/admin.war (Admin.war is not exist in spectrum 10.4.x releases)
$Specroot/webtomcat/webapps/spectrum.war
create temporary directory
mkdir /tmp/log4j
copy the war files to temporary directory (taking example of spectrum.war)
cp $Specroot/webtomcat/webapps/spectrum.war /tmp/log4j
Goto temporary directory
cd /tmp/log4j
extract the war file
jar -xvf spectrum.war (use corresponding war name)
once extracted remove the war file
rm -rf spectrum.war (use corresponding war name)
Search the class file in the extracted directory
grep -R 'JndiLookup.class'
It will search all of the jar files, it will be in location WEB-INF/lib/log4j-core-2.x.jar
go to corresponding location
cd WEB-INF/lib/
remove the JndiLookup.class from jar file
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
go back to temporary directory and re-pack the war
cd /tmp/log4j
jar -cvf spectrum.war * (use corresponding war name)
Copy the war back to its install directory
cp spectrum.war /usr/Spectrum/webtomcat/webapps/
Now clear the temporary directory
Restart spectrum tomcat and webtomcat
Restore the axis2.xml file backup to SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/ directory,
Restart tomcat service only
Windows:
Stop spectrum tomcat and webtomcat services
Take a backup of the following file and keep it outside of the spectrum directory structure:
$SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/axis2.xml
Identify the .war files which are having log4j-core-*.jar.
$Specroot/tomcat/webapps/axis2.war (Effected from 21.2.4 onwards, old versions having log4-1.x.jar)
$Specroot/webtomcat/webapps/admin.war (Admin.war is not exist in spectrum 10.4.x releases)
$Specroot/webtomcat/webapps/spectrum.war
Extract the war files to temporary directory
Go to WEB-INF/lib folder and find log4j-core-2.x.jar
Rename the above .jar files to .zip
Double-click the zip file to navigate into it.
Go to the org/apache/logging/log4j/core/lookup/ folder and locate and delete JNDILookup.class.
Once the file has been deleted, rename .zip back to .jar.
zip all the files in the temporary directory and rename it to war.
Copy back the war from temporary directory to install location.
Do the same for other war files.
Restart spectrum tomcat and webtomcat services
Restore the axis2.xml file backup to SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/ directory,
Restart tomcat service only
Scans may show the following are vulnerable:
root@spvap01:/data/CA/Spectrum/tomcat/lib> ls -la log4j*
-rw-r----- 1 spectrum spectrum 276771 Nov 16 2020 log4j-api-2.12.1.jar
-rw-r----- 1 spectrum spectrum 350482 Nov 16 2020 log4j.jar
-rwxr-x--- 1 spectrum spectrum 702 Nov 16 2020 log4j.properties
These library files do not contain the vulnerable class. However to upgrade log4j to 2.17.1 you will need to install Spectrum 21.2.8 or higher.
Feedback
