CVE-2021-44228, CVE-2021-45046: Log4j Vulnerability Remediation in CA Service Virtualization

Article ID: 230299

Products

Service Virtualization

Issue/Introduction

CVE-2021-44228:

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

This vulnerability impacts only the log4j-core JAR file. This vulnerability does not impact the applications using only the log4j-api JAR file without the log4j-core JAR file.

 

CVE-2021-45046:

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

 

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This issue could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. This can happen when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that the earlier mitigation of setting the system property log4j2.formatMsgNoLookups to true does NOT mitigate this specific vulnerability.

This vulnerability impacts only the log4j-core JAR file. This vulnerability does not impact the applications using only the log4j-api JAR file without the log4j-core JAR file.

Environment

CVE-2021-44228:

CA Service Virtualization 10.6.1, 10.6.2, 10.6.3, 10.6.4, and 10.7.0 are affected by this vulnerability.

The affected components are the Virtual Service Catalog and the Demo Server. The affected component versions and SV releases are:

  • Virtual Service Catalog 1.7.6 (SV 10.7) - ONPREM and Docker Images
  • Virtual Service Catalog 1.7.5 (SV 10.6.4) - Docker Images only
  • Virtual Service Catalog 1.7.4 (SV 10.6.2 / SV 10.6.3) - Docker Images only
  • Virtual Service Catalog 1.7.3 (SV 10.6.1) - Docker Images only
  • Demo Server (SV 10.6 - 10.6.4)
  • Demo Server (SV 10.7)

CVE-2021-45046:

In addition to the environments listed above, environments patched with the earlier VSC patch "10_7_GA_Log4j2_VUlnerability_Fix_1639246113837.zip" are also affected, as are environments that were temporarily mitigated by setting the system property log4j2.formatMsgNoLookups to true.

Note 1:

  • The other SV components, such as Registry, Enterprise Dashboard, Portal and IAM, are not affected by these vulnerabilities.
  • For the Virtual Service Catalog, CA Service Virtualization release 10.6.0 and below are not affected (the Demo Server is covered by the next point).
  • All versions of the Demo Server from 10.4 through 10.7 are affected.

Note 2:
The Virtual Service Catalog is a separate install, performed separately from the DevTest server installs. It is the install that places the vscatalog.vmoptions and vscatalogService.vmoptions files, and it lives in a different directory from the DevTest installation.
The defaults are:

For Windows:
 C:\Program Files\CA\vscatalog

For Linux:
/opt/CA/vscatalog

You can also check whether the application is listening on its default port of 51110.

 

Cause

N/A

 

Resolution

These vulnerabilities are remediated by removing the log4j-core-2.x.jar from VSC. This does not impact any existing Virtual Service Catalog logging capabilities.

Existing Installation:

A) ONPREM:
Apply the attached Virtual Service Catalog patch for the SV 10.7 GA release. Follow the steps in the “README_STEPS.txt” inside the zip to apply the patch.

VSC Version   SV Version   File Name
1.7.6         10.7.0       VSC_1_7_6_SV_10_7_0_Log4j2_Vulnerability_Fix.zip


If the Demo Server is installed, apply the attached Demo Server patch that matches the SV release.
Follow the steps in the “README_STEPS.txt” inside the zip to apply the patch.

 

Component     SV Version   File Name
Demo Server   10.7.0       DemoServer_10_7_0_Log4j2_Vulnerability_Fix.zip
Demo Server   10.6.0       DemoServer_10_6_0_Log4j2_Vulnerability_Fix.zip

B) Docker Containers:
The latest Virtual Service Catalog Docker images with the log4j vulnerability fixes for different SV releases are hosted at sv-docker.packages.broadcom.com/sv

VSC Version   SV Version        Image Name                Image Location                                               Tag
1.7.6         10.7.0            virtual-service-catalog   sv-docker.packages.broadcom.com/sv/virtual-service-catalog   1.7.6.42
1.7.5         10.6.4            virtual-service-catalog   sv-docker.packages.broadcom.com/sv/virtual-service-catalog   1.7.5.31
1.7.4         10.6.3 / 10.6.2   virtual-service-catalog   sv-docker.packages.broadcom.com/sv/virtual-service-catalog   1.7.4.2
1.7.3         10.6.1            virtual-service-catalog   sv-docker.packages.broadcom.com/sv/virtual-service-catalog   1.7.3.9

 

If you are updating existing Docker containers in your environment, follow these instructions:

Docker Compose:

  • Open cadevtest-docker-installer/.env file and find the VS_CATALOGUE_IMAGE_TAG= entry. Update the image tag based on the version as shown below:

VS_CATALOGUE_IMAGE_TAG=1.7.6.42

  • Re-run the installSVDocker.sh with the options used while installing it previously. 

 

Node Ports:

  • Open the custom-values.yaml file and find the tag: entry under virtual-service-catalog. Update the image tag based on the version as shown below:

virtual-service-catalog:
  enabled: true
  fullnameOverride: <release_name>-vsc
  dataFileConfigMap: data-files
  image:
    repository: sv-docker.packages.broadcom.com/sv/virtual-service-catalog
    pullPolicy: IfNotPresent
    tag: 1.7.6.42

  • Run the Helm upgrade command with the options used while installing it previously.

 

Contour Ingress:

  • Open devtest\04-statefulsets\01-statefulsets.yml and find the image entry in the vsc service spec. Update the image tag based on the version, keeping it within the double quotes (“”), as shown below:

    spec:
      securityContext:
        runAsUser: 1010
        fsGroup: 1010
      imagePullSecrets:
        - name: servicevirtual-cred
      containers:
        - name: virtual-service-catalog
          image: "sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.6.42"

  • Run kubectl apply -f <path-to-statefulsets.yml> to apply the new changes.

Update Images by pulling:

Follow these instructions to pull the latest docker images: 

  • Log in to sv-docker.packages.broadcom.com with valid credentials (username and token):

docker login sv-docker.packages.broadcom.com -u <USER_EMAIL> -p <ACCESS_TOKEN>

Note: To obtain the access token, follow the DevTest Solutions documentation. Passing the token with -p leaves it in the shell history and visible in the process list; docker login also accepts the token on standard input via its --password-stdin option, which avoids that.

  • Pull the latest virtual-service-catalog image.

docker pull sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.6.42
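The three update paths above each pin the Virtual Service Catalog image tag in a different file, so an estate with several deployments is easy to leave half-patched. The following is an added example, not code from this article or from the DevTest installers: it extracts the tag from each of the three manifest types (the docker-compose .env, the Helm custom-values.yaml and the Contour Ingress statefulsets.yml) and compares it against the fixed tags from the table above. Tags are compared as integer tuples, so a build such as 1.7.6.100 is not judged older than 1.7.6.42 the way a string comparison would. Accepting any later build of the same VSC line as carrying the fix is an assumption of this example, not something the article states; the sample manifests, the registry: key and the stale 1.7.6.30 tag are constructed for the demonstration.

```python
"""Check that a VSC deployment manifest pins a log4j-fixed image tag.
Added example, not code from the article or the DevTest installers; sample
manifests below are constructed and the 1.7.6.30 tag is hypothetical."""
import re

# Fixed virtual-service-catalog image tag per SV release, from the article's table.
FIXED_TAGS = {"10.7.0": "1.7.6.42", "10.6.4": "1.7.5.31", "10.6.3": "1.7.4.2",
              "10.6.2": "1.7.4.2", "10.6.1": "1.7.3.9"}

def parse_tag(tag):
    """'1.7.6.42' -> (1, 7, 6, 42); compared as integers, not as strings."""
    return tuple(int(p) for p in tag.strip().split("."))

def check_tag(sv_version, tag):
    """(ok, reason). Accepts the listed tag or a later build of the same VSC line;
    that later builds of a line keep the fix is an assumption, not article text."""
    fixed = FIXED_TAGS.get(sv_version)
    if fixed is None:
        return False, "no fixed VSC tag listed for SV %s" % sv_version
    try:
        have = parse_tag(tag)
    except ValueError:
        return False, "tag %r is not numeric" % tag
    want = parse_tag(fixed)
    if have[:3] != want[:3]:
        return False, "tag %s is not the %s line expected for SV %s" % (tag, fixed, sv_version)
    if have < want:
        return False, "tag %s predates the fixed build %s" % (tag, fixed)
    return True, "tag %s is at or above the fixed build %s" % (tag, fixed)

def tag_from_env(text):
    """docker-compose: the VS_CATALOGUE_IMAGE_TAG= line in cadevtest-docker-installer/.env."""
    m = re.search(r"^\s*VS_CATALOGUE_IMAGE_TAG=(\S+)", text, re.M)
    return m.group(1) if m else None

def tag_from_helm_values(text):
    """NodePorts: image.tag under the top-level virtual-service-catalog: key of custom-values.yaml."""
    inside = False
    for line in text.splitlines():
        if re.match(r"virtual-service-catalog:\s*$", line):
            inside = True
            continue
        if inside:
            if line.strip() and not line[0].isspace():
                break  # next top-level key: stop so another chart's tag is not picked up
            m = re.match(r"\s+tag:\s*['\"]?([^'\"\s]+)", line)
            if m:
                return m.group(1)
    return None

def tag_from_statefulset(text):
    """Contour Ingress: the quoted image: reference in 01-statefulsets.yml."""
    m = re.search(r'image:\s*"?[\w./\-]*/virtual-service-catalog:([\w.\-]+)"?', text)
    return m.group(1) if m else None

EXTRACTORS = {"env": tag_from_env, "helm": tag_from_helm_values, "statefulset": tag_from_statefulset}

def audit(kind, text, sv_version):
    """(tag, ok, reason) for one manifest of the given kind."""
    tag = EXTRACTORS[kind](text)
    if tag is None:
        return None, False, "no virtual-service-catalog image tag found"
    ok, reason = check_tag(sv_version, tag)
    return tag, ok, reason

# Constructed sample manifests; their shapes follow the article's snippets.
ENV_OK = "COMPOSE_PROJECT_NAME=devtest\nVS_CATALOGUE_IMAGE_TAG=1.7.6.42\n"
HELM_STALE = """registry:
  enabled: true
virtual-service-catalog:
  enabled: true
  image:
    repository: sv-docker.packages.broadcom.com/sv/virtual-service-catalog
    pullPolicy: IfNotPresent
    tag: 1.7.6.30
"""
STATEFULSET_OK = """      containers:
        - name: virtual-service-catalog
          image: "sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.5.31"
"""

if __name__ == "__main__":
    for kind, text, sv in (("env", ENV_OK, "10.7.0"), ("helm", HELM_STALE, "10.7.0"),
                           ("statefulset", STATEFULSET_OK, "10.6.4")):
        print(kind, audit(kind, text, sv))
```

Run it against the real files by reading them into `audit()` with the SV release each deployment runs; a result of `ok == False` means the manifest still points at an image that predates the fix, even if the container was restarted.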

 

Fresh Installation:

All the affected GA VSC installers, Docker images, and Demo Servers have been replaced with the latest installers and images, along with the latest Docker Compose, Kubernetes NodePorts, and Contour Ingress installer scripts for the different releases, in the Broadcom Support Portal.

If you are setting up a fresh on-premise VSC environment, follow these instructions:

Installing Virtual Service Catalog

If you are setting up fresh Docker containers in your environment, follow these instructions:

  1. Docker-compose Installer:  Follow DevTest Docker Installation Using docker-compose
  2. NodePorts Installer: Follow DevTest Kubernetes Installation Using NodePorts
  3. Contour Ingress Installer: Follow DevTest Kubernetes Installation Using Contour Ingress

Note:

  • Remove the vulnerable VSC Docker images manually from the host node.
  • The earlier mitigations, namely setting the system property log4j2.formatMsgNoLookups to true and applying the VSC patch "10_7_GA_Log4j2_VUlnerability_Fix_1639246113837.zip", do NOT mitigate these vulnerabilities and are no longer required once the fixed patches or images are in place.


Demoserver:
Option 1:
Uninstall the Demo Server installation.
(Option 1 is the only option for DevTest 10.4.x and 10.5.x, as these releases are EOL.)

Option 2:
For 10.6.x and 10.7.x, see the attached zip files for the fix and instructions:
DemoServer_10.7.0_fix.zip
DemoServer_10.6.0_Fix.zip

Note: The fix removes the log4j-core-2.1.jar from the cars-esb war; it is present only as a transitive dependency and is not used for logging.
This patch is applicable only if the Demo Server is installed.
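Because both fixes on this page come down to removing the log4j-core jar (from the VSC install directory, and from inside the cars-esb war for the Demo Server), the useful post-patch check is to walk the install tree and confirm that no log4j-core jar remains, including one packaged inside a war. The following is an added example, not code from the Broadcom article or from CA Service Virtualization. It reads each jar's version from its Maven pom.properties (falling back to the file name), reports whether the JndiLookup class is still present, and classifies the version against the ranges in the Issue section above. Treating 2.12.2 and 2.16.0 or later as not affected by either CVE follows Apache's advisory for these two CVEs rather than this article, and is an assumption of the example; the install layout built by build_demo_tree() and the jar contents are constructed. Point scan_tree() at the real vscatalog or Demo Server directory instead.

```python
"""Find log4j-core jars (bare or inside .war/.ear archives) and classify them.
Added example, not code from the Broadcom article or from CA Service
Virtualization; the install layout built by build_demo_tree() is constructed."""
import io
import os
import re
import tempfile
import zipfile

JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".war", ".ear")  # archives that may carry log4j-core as a transitive dependency

def parse_version(text):
    """Version string '2.14.1' -> (2, 14, 1); no digits -> ()."""
    m = re.search(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def classify(version):
    """CVEs for a log4j-core version. Article ranges: CVE-2021-44228 up to and
    including 2.14.1 except 2.12.2; CVE-2021-45046 still applies to 2.15.0.
    Assumption (Apache advisory, not the article): 2.12.2 and >= 2.16.0 are clear."""
    if not version:
        return ["version-unknown"]
    if version == (2, 12, 2):
        return []
    cves = []
    if version <= (2, 14, 1):
        cves.append("CVE-2021-44228")
    if version <= (2, 15, 0):
        cves.append("CVE-2021-45046")
    return cves

def inspect_jar(label, data):
    """One finding for a log4j-core jar: version from pom.properties (file name as
    fallback) and whether JndiLookup.class is present, since deleting that class
    was a widely used interim mitigation that this article does not cover."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = ""
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", jar.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else ""
        if not version:
            m = JAR_NAME.search(label)
            version = m.group(1) if m else ""
        return {"path": label, "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "cves": classify(parse_version(version))}

def scan_tree(root):
    """Walk root; one finding per log4j-core jar, paths relative to root, jars
    nested in a .war/.ear labelled archive!entry, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if JAR_NAME.search(fn):
                    with open(path, "rb") as f:
                        findings.append(inspect_jar(rel, f.read()))
                elif fn.lower().endswith(NESTED):
                    with zipfile.ZipFile(path) as outer:
                        for entry in outer.namelist():
                            if JAR_NAME.search(entry):
                                findings.append(inspect_jar(rel + "!" + entry, outer.read(entry)))
            except zipfile.BadZipFile:
                findings.append({"path": rel, "version": "", "jndi_lookup_present": None,
                                 "cves": ["unreadable-archive"]})
    return sorted(findings, key=lambda f: f["path"])

def _fake_jar(artifact, version, with_jndi=True):
    """Constructed stand-in for a log4j jar holding only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/%s/pom.properties" % artifact,
                   "version=%s\n" % version)
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_demo_tree(root):
    """Constructed layout loosely modelled on a VSC install plus a Demo Server war."""
    files = {
        "vscatalog/lib/log4j-core-2.14.1.jar": _fake_jar("log4j-core", "2.14.1"),
        "vscatalog/lib/log4j-api-2.14.1.jar": _fake_jar("log4j-api", "2.14.1", False),
        "hardened/log4j-core-2.15.0.jar": _fake_jar("log4j-core", "2.15.0"),
        "hardened/log4j-core-2.12.2.jar": _fake_jar("log4j-core", "2.12.2"),
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    war = os.path.join(root, "demoserver", "webapps", "cars-esb.war")
    os.makedirs(os.path.dirname(war))
    with zipfile.ZipFile(war, "w") as z:  # log4j-core pulled in transitively, as in the Demo Server
        z.writestr("WEB-INF/lib/log4j-core-2.1.jar", _fake_jar("log4j-core", "2.1"))
        z.writestr("WEB-INF/lib/log4j-api-2.1.jar", _fake_jar("log4j-api", "2.1", False))

def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print("%-62s %-7s jndi=%-5s %s" % (f["path"], f["version"] or "?",
                                            f["jndi_lookup_present"], ", ".join(f["cves"]) or "not affected"))
```

A clean result after patching is an empty list from scan_tree() for the VSC directory and no cars-esb.war!... entry for the Demo Server; the log4j-api jar is deliberately ignored, matching the article's statement that api-only deployments are not affected.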

Attachments

DemoServer_10.6.0_Fix_1640872797572.zip
DemoServer_10.7.0_fix_1640872621820.zip
VSC_1_7_6_SV_10_7_0_Log4j2_Vulnerability_Fix_1639686094540.zip