search cancel

CVE-2021-44228: CA Harvest SCM - Log4j2 vulnerability

book

Article ID: 230313

calendar_today

Updated On:

Products

CA Harvest Software Change Manager CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

Environment

CA Harvest SCM V13.0.4

CA Harvest SCM V14.0.0

Resolution

Harvest is not affected by this vulnerabilityThe log4j jar files bundled with Harvest do contain the Java classes identified in recent vulnerability reports, but the Harvest software does not use those Java classes. 

The log4j-1.2.12.jar file in the Harvest installation folder can be deleted.

However, that the same log4j-1.2.12.jar file is embedded inside another jar file named “com.ca.harvest.cmsdk.<version>.jar” in the installation.  We are not able to make any changes to this file because that jar file has a digital signature.  Any change would break the file.

The only answer if you want to eliminate all log4j classes that are older than 2.17 is to upgrade to Harvest version 14.0.2.  With this latest version, things have been adjusted so that :

  1. The log4j component is upgraded to a new version that does not pose the same security concerns
  2. They have made the necessary changes with the software so that it will be easier to provide EFixes if future concerns come to light

Additional Information

The RestAPI interface includes the below jars in the deployment

  1. log4j-to-slf4j-2.12.1.jar
  2. log4j-api-2.12.1.jar

Important:

The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable

Log4j core is not bundled in the harvest Rest API deployment

CA Harvest Software Change Manager (all supported versions) is not affected by this vulnerability (CVE-2021-4104) as it only affects Log4j 1.2 when specifically configured to use JMSAppender - which is not used in Harvest.

Supported Reference Link:

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

Other components:

Harweb Interface :
Log4j version used is 1.2.12 and is not impacted by this vulnerability

Mobile Interface:

Log4j version used is 1.2.14 and is not impacted by this vulnerability

Workbench and Plug-in for Eclipse:

Log4j version used is 1.2.12 in workbench and Plug-in for Eclipse and is not impacted by this vulnerability