
AAI and log4j vulnerabilities - CVE-2021-44228, CVE-2017-5645, and CVE-2021-45105


Article ID: 230310


Updated On:


Automic Automation Intelligence


Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 

Automic Automation Intelligence has some components that use Apache log4j 2.x and are therefore affected by the zero-day Apache log4j vulnerability. The confirmed components are:

AAI Server
JobTrac connector
Automic Connector
Control-M Connector
Connector Framework
ESP Connector


Below is how you can check the log4j versions on your AAI system.


On a Linux AAI server, cd to /<Install dir>/jboss/standalone/ and run the command below:


for i in */*/content; do echo "$i"; unzip -l "$i" | grep log4j; done


You will likely see files with 2.7 in the name like the files below and more.






Version 2.7 is vulnerable to some of the recently raised log4j vulnerabilities.



You can also go to /<Install dir>/jboss/standalone/deployments and run:


jar tvf customConditionGenerator*.war | grep log4j

jar tvf simulation-service-*.war | grep log4j

jar tvf subscription-service-*.war | grep log4j

jar tvf telemetry-service-*.war | grep log4j



**Note that you will also see some 1.2.x files in the output of these commands. These are not affected by the vulnerabilities listed above if you are on a Java version later than 1.8.121.


The Broadcom AAI Engineering team has released a hotfix, 6.4.1 HF2, containing the latest log4j package.


You can download the specific Upgrade/Install files for your environment by going to:


For the AAI Server, enter:

Component: Automic Automation Intelligence

Sub-Component: Installer and/or Upgrader

Version: 6.4.1 H2



**Post upgrade you may need to delete some leftover 2.7 files as noted below:

After upgrading to 6.4.1-1 and before starting up the service, please delete everything under /<Install dir>/jboss/standalone/data/content.


For example:

cd /<Install dir>/jboss/standalone/data/content

rm -rf *


Then start up AAI.


This will remove any leftover 2.7 log4j files.


You can verify the files are removed by running:

cd /<Install dir>/jboss/standalone/data/content

for i in */*/content; do echo "$i"; unzip -l "$i" | grep log4j; done


You should now see 2.17 files and no longer see any 2.7 files.
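
Added example (not part of the original Broadcom article): the listing checks used before the upgrade and in the verification step above, turned into a per-jar verdict. The function names, the constructed sample listing, and the use of 2.17 as the minimum acceptable 2.x version (taken from the expected post-upgrade result above) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Broadcom code: classify the log4j jars named in an
# archive listing (`unzip -l` or `jar tvf` output) read from stdin.
# Assumption: any 2.x jar below 2.17 still needs the upgrade, because 2.17
# is what this article expects to see after applying 6.4.1 HF2.
TARGET_MINOR=17

classify_log4j() {
  # Keep only names of the form log4j*-<numeric version>.jar, de-duplicated.
  grep -Eo 'log4j[A-Za-z0-9._-]*-[0-9]+(\.[0-9]+)+\.jar' | LC_ALL=C sort -u |
  while IFS= read -r jar; do
    ver=${jar%.jar}; ver=${ver##*-}          # 2.7, 2.17.0, 1.2.17 ...
    major=${ver%%.*}
    rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -eq 1 ]; then
      echo "LEGACY-1.x $jar"                 # see the 1.2.x note in the article
    elif [ "$major" -eq 2 ] && [ "$minor" -lt "$TARGET_MINOR" ]; then
      echo "NEEDS-UPGRADE $jar"
    else
      echo "OK $jar"
    fi
  done
}

# Run the classifier over real archives, prefixing each verdict with its source.
# Usage: scan_archives */*/content      or      scan_archives *.war
scan_archives() {
  for a in "$@"; do
    [ -f "$a" ] || continue
    unzip -l "$a" 2>/dev/null | classify_log4j |
      while IFS= read -r line; do printf '%s: %s\n' "$a" "$line"; done
  done
}

# Constructed sample listing (sizes and dates are made up).
sample_listing() {
  cat <<'EOF'
   219001  2016-10-02 12:00   WEB-INF/lib/log4j-api-2.7.jar
  1296135  2016-10-02 12:00   WEB-INF/lib/log4j-core-2.7.jar
    64000  2016-10-02 12:00   WEB-INF/lib/log4j-1.2-api-2.7.jar
   489884  2012-05-06 12:00   WEB-INF/lib/log4j-1.2.17.jar
  1789565  2021-12-18 12:00   WEB-INF/lib/log4j-core-2.17.0.jar
EOF
}
```

Jar names whose version is not purely numeric are skipped by the pattern and should be reviewed by hand.
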


**Steps below are only if you cannot upgrade to the patched build as noted above and will help to mitigate the risk of CVE-2021-44228.**

If you cannot upgrade to 6.4.1 HF2 immediately, there are some things that can be done. These steps are not needed if upgrading to 6.4.1 HF2:

According to CVE-2021-44228, Java 1.8u121+ has built-in protection against remote code execution because it defaults "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". Customers who are already using this Java version and didn't change the relevant properties should be fine.

For AAI Server:
1: Ensure that the Java 8 version running is > u121. If it is not, update to the most recent Java 8 version available. Evidence can be found in /jboss/standalone/log/jaws.log after a restart and will look as follows:

      2021-12-09 13:28:18,199 INFO  [JavaVersionUtil] Java Version: 1.8.0_292

2: For the AAI Server, please update the following lines in this file:
Change: formatter.SERVER-PATTERN.pattern=%d %-5p [%C] %m%n
to: formatter.SERVER-PATTERN.pattern=%d %-5p [%C] %m{nolookups}%n
Change: formatter.PATTERN.pattern=%d %-5p [%c{1}] %m%n
to: formatter.PATTERN.pattern=%d %-5p [%c{1}] %m{nolookups}%n

3: Also, for the AAI Server, please update the following file:
Change this block:

<formatter name="PATTERN">
<pattern-formatter pattern="%d %-5p [%c{1}] %m%n"/>
</formatter>
<formatter name="SERVER-PATTERN">
<pattern-formatter pattern="%d %-5p [%C] %m%n"/>
</formatter>

to:

<formatter name="PATTERN">
<pattern-formatter pattern="%d %-5p [%c{1}] %m{nolookups}%n"/>
</formatter>
<formatter name="SERVER-PATTERN">
<pattern-formatter pattern="%d %-5p [%C] %m{nolookups}%n"/>
</formatter>

4: If present (not all supported versions will have this file), please update the following file:
Change: <param name='ConversionPattern' value='%5p %d{ISO8601} [%t] [%c] %m%n'/>
to: <param name='ConversionPattern' value='%5p %d{ISO8601} [%t] [%c] %m{nolookups}%n'/>
Note: there are 4 instances in the file that require the change.

5: Restart AAI Server
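
Added example (not part of the original Broadcom article): checks that can be run after the AAI Server steps above to confirm the Java 8 update level from a jaws.log line and to list any pattern that still lacks {nolookups}. The function names and the sample configuration are constructed for illustration; the pattern check only understands the plain %m, %msg and %message converters.

```bash
#!/usr/bin/env bash
# Added example, not Broadcom code. Both functions read from stdin.

# Step 1: given jaws.log lines, succeed only when the last reported Java 8
# update number is greater than 121 (the threshold stated in step 1).
# Returns 2 when no "Java Version: 1.8.0_<n>" line is present.
# Usage: grep 'Java Version' jaws.log | java8_update_ok
java8_update_ok() {
  ver=$(sed -n 's/.*Java Version: \(1\.8\.0_[0-9][0-9]*\).*/\1/p' | tail -n 1)
  [ -n "$ver" ] || return 2
  [ "${ver##*_}" -gt 121 ]
}

# Steps 2-4: print "<line number>:<line>" for every configuration line that
# still contains a message converter without the {nolookups} option.
# Usage: unmitigated_patterns < <config file edited in steps 2-4>
unmitigated_patterns() {
  grep -n '' | while IFS= read -r line; do
    # Remove the mitigated form, then look for any converter that is left.
    rest=$(printf '%s\n' "$line" | sed -E 's/%(m|msg|message)\{nolookups\}//g')
    if printf '%s\n' "$rest" | grep -Eq '%(m|msg|message)([^A-Za-z]|$)'; then
      printf '%s\n' "$line"
    fi
  done
}

# Constructed sample: two patched lines and two that were missed.
sample_config() {
  cat <<'EOF'
formatter.SERVER-PATTERN.pattern=%d %-5p [%C] %m{nolookups}%n
formatter.PATTERN.pattern=%d %-5p [%c{1}] %m%n
<pattern-formatter pattern="%d %-5p [%C] %m{nolookups}%n"/>
<param name='ConversionPattern' value='%5p %d{ISO8601} [%t] [%c] %m%n'/>
EOF
}
```

An empty result from unmitigated_patterns means every message converter in the file carries {nolookups}.
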

For customers running framework-based connectors for ESP, Automic and/or Control-M:

Patched versions of the Connectors are available for download here:
Automic Connector version 2.1.2
Control M Connector 1.2.3 HF1

To upgrade:
On Windows, run the *-connector.exe and select the option to upgrade the existing installation. When prompted, enter the information from your existing <Install Dir>\application.yml

If you cannot immediately upgrade your Connector you can take the steps below:

1: Locate the service files in both the installed directory and the system directory (there will be a file in two locations). For Ubuntu, by default, the locations are:
Specifically for Control-M, the files (by default) are:
In both files, replace:

ExecStart=/bin/bash -c "java -jar /opt/connector.control-m/connector.control-m.jar"

with:

ExecStart=/bin/bash -c "java -DformatMsgNoLookups=true -jar /opt/connector.control-m/connector.control-m.jar"


2: Reload the service definition by running:
systemctl daemon-reload
3: Restart the connector service

Additional Information

Note that after upgrading to 6.4.1 HF2, you may see some new warnings in server.log as mentioned here:

These can safely be ignored and will be addressed in a future release.


**Please note that this KB article may be updated as new information becomes available. Please refresh this page to ensure you have the latest information.**