search cancel

CVE-2021-44228: Log4j2 vulnerability - Service Catalog - Containers

book

Article ID: 230314

calendar_today

Updated On:

Products

CA Service Catalog CA Service Management - Service Desk Manager

Issue/Introduction

Are any of the components of CA Service Catalog affected by the log4j vulnerability that was announced recently - CVE-2021-44228.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

Environment

Service Catalog 17.3 (Containers)

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

Please follow below steps to implement the workaround to avoid the vulnerability:

 

  1. Navigate to the Kubernetes dashboard and scale down the Catalog pods to zero.
  2. Navigate to the NFS shared directory where Catalog persistent volumes are configured.
  3. Open "casm-docker-catalog-conf-pvc-pvc-xxxxxx" PV folder.
  4. Open viewService.conf file, and perform the below steps:

 Search for "wrapper.java.additional.xx" and add the following entries after it. The xx is the last active sequence value in viewService.config file and varies as per your environment.

 

wrapper.java.additional.xx=-Dlog4j2.formatMsgNoLookups=true

 

For example, if the search string contains 24 i.e "wrapper.java.additional.24", add the following entry after it.

  1. wrapper.java.additional.25=-Dlog4j2.formatMsgNoLookups=true

2. Save the file.




5) Open log4j.xml file in the same location and perform the below steps:

 

  1. Replace all occurrences of %m%n with %m{nolookups}%n
  2. Save the file.



   6)Navigate to the Kubernetes dashboard and scale up the pods to 1 or more(as per your configuration)

Additional Information

 

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Attachments