CVE-2021-44228 & CVE-2021-45046: DX Netops OI Connector - Log4j vulnerability
search cancel

CVE-2021-44228 & CVE-2021-45046: DX Netops OI Connector - Log4j vulnerability

book

Article ID: 230233

calendar_today

Updated On:

Products

DX NetOps DX Operational Intelligence

Issue/Introduction

LAST UPDATE: 2/16/2022 9:15 AM EST

 

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Environment

OI Connector releases 2.0 through 2.1.3

NOTE - OI Connector 2.1.5 was shipped with log4j 2.17.1 and requires no additional remediation.

 

Resolution

 

In the following steps the term <OIINSTALLDIR> should be replaced by the installation directory path of the NetOps OI Connector (usually /opt/CA/OIConnector).

  1. Stop the OIConnector services:
      • service caperfcenter_oi stop
  1. Remove the JndiLookup class from the log4j library used by the core OI Connector service using the following steps:
    • Change directory to the <OIINSTALLDIR>/lib directory
      • cd <OIINSTALLDIR>/OIConnector/lib
    • Verify that the log4j-core library is in the current directory:
      • ls log4j-core-*.jar
      • Ex: log4j-core-2.14.1.jar
    • Remove the JndiLookup class from the log4j library using the command:
      • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • Verify the removal of the JndiLookup class from the log4j library using the command:
      • unzip -v log4j-core-*.jar | grep JndiLookup
        (no output should be seen)
  1. Remove the JndiLookup class from the log4j library contained within the agent swarm jar used by the OI Connector agent service using the following steps:
    • Copy the oinet-agents-swarm.jar to a temp directory:
      • mkdir /tmp/oinet-agents-swarm
      • cd /tmp/oinet-agents-swarm
      • cp <OIINSTALLDIR>/oinet-agents-swarm.jar .
    • Extract the contents of the oinet-agents-swarm library
      • unzip -o oinet-agents-swarm.jar
    • Remove the JndiLookup class from the log4j library using the command:
      • zip -q -d m2repo/org/apache/logging/log4j/log4j-core/*/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • Verify the removal of the JndiLookup class from the log4j library using the command:
      • unzip -v m2repo/org/apache/logging/log4j/log4j-core/*/log4j-core-*.jar | grep JndiLookup
        (no output should be seen)
    • Update the oinet-agents-swarm jar with the modified log4j core library using the commands:
      • zip -q -d oinet-agents-swarm.jar m2repo/org/apache/logging/log4j/log4j-core/*/log4j-core-*.jar
      • zip -r -u oinet-agents-swarm.jar m2repo/org/apache/logging/log4j/log4j-core/*/log4j-core-*.jar 
    • Replace the installed oinet-agents-swarm.jar with the modified copy (you will be prompted to overwrite existing):
      • cp oinet-agents-swarm.jar <OIINSTALLDIR>
    • Clean up by removing the temp directory:
      • rm -rf /tmp/oinet-agents-swarm
  1. Add the -Dlog4j2.formatMsgNoLookups=true to the java.conf file in the <OIINSTALLDIR>/conf directory as follows:
    • Edit <OIINSTALLDIR>/conf/java.conf
    • Add -Dlog4j2.formatMsgNoLookups=true this line: # Additional java parameters may be configured here to be used by all services
      • Ex:

#encoding=UTF-8

# Additional java parameters may be configured here to be used by all services

-Dlog4j2.formatMsgNoLookups=true

 

  1. Modify the <OIINSTALLDIR>/conf/log4j.xml file to edit the two patterns that contain %msg tokens to insert the {nolookups} directive after each.

        <Appenders>

       <Console name="Console-Appender" target="SYSTEM_OUT">

          <PatternLayout>

             <pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n</pattern>

          </PatternLayout>

       </Console>

       <RollingFile name="RollingFile-Appender"

                    fileName="${log-path}/OIConnector.log"

                    filePattern="${archive}/OIConnector.log.%d{yyyy-MM-dd}.gz">

          <PatternLayout

              pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n" />

          <Policies>

             <TimeBasedTriggeringPolicy />

             <SizeBasedTriggeringPolicy size="30 MB" />

          </Policies>

          <DefaultRolloverStrategy max="20" />

       </RollingFile>

   </Appenders>

 

  1. Restart the OI Connector Services
      • service caperfcenter_oi start

Additional Information

Note: Versions of the OI Connector 1.5 and older are not impacted. As long as the log4j.xml/properties isn't using %m or %msg, which it does not do by default, there is no impact.

If the log4j.xml file in those releases has been customized and does include the %m or %msg references apply the solution in the Resolution statement above.

Powered by Wolken Software