search cancel

CVE-2021-44228: Log4j2 vulnerability - Service Catalog

book

Article ID: 230315

calendar_today

Updated On:

Products

CA Service Catalog CA Service Management - Service Desk Manager

Issue/Introduction

Are any of the components of CA Service Catalog affected by the log4j vulnerability that was announced recently - 

CVE-2021-44228.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

 

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Environment

Service Catalog 17.2 and 17.3

This KB article is only applicable for :

  • CA Service Management 17.2 RU10 to 17.2 RU17 versions
  • CA Service Management 17.3 RU1 to 17.3 RU10 versions

The above two release versions are affected by these vulnerabilities.

CA Service Management 17.2 GA to 17.2 RU 9 and 17.3 GA are not affected by these vulnerabilities. These versions use log4j 1.2.x which is not vulnerable.

To remediate these vulnerabilities,

For the 17.2 RU10 to 17.2 RU 17 releases:

 

You must follow the resolution steps provided in this KB article.

 

For the 17.3 RU1 to 17.3 RU 10 releases:

 

You may follow the resolution steps provided in this KB article.

(or)

You can upgrade to CA Service Management 17.3 RU11 with the upgraded Log4j2 version of 2.16.0 to fix the security vulnerabilities affecting the Apache Log4j utility. For more information on installation of CA Service Management 17.3 RU11, refer

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Release-Information/CA-Service-Management-17-3-0-11-Release-Notes.html

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

Please follow below steps to implement the workaround to avoid the vulnerability:

 

1) To update the viewService.conf file, perform the below steps:

  1. Open USM_HOME\view\conf\viewService.conf file in Administrator edit mode.
    • Search for "wrapper.java.additional.xx" and add the following entries after it. The xx is the last active sequence value in viewService.config file and varies as per your environment.
    • wrapper.java.additional.xx=-Dlog4j2.formatMsgNoLookups=true
    • For example, if the search string contains 24 i.e "wrapper.java.additional.24", add the following entry after it.
  2. wrapper.java.additional.25=-Dlog4j2.formatMsgNoLookups=true
  3. Save the file.


2) To update the log4j.xml file, perform the below steps:

  1. Open USM_HOME\view\conf\log4j.xml file in Administrator edit mode.
  2. Replace all occurrences of %m%n with %m{nolookups}%n
  3. Restart CA Service Catalog

Footer note : (Mandatory step)

Please follow below steps to implement the workaround to avoid the vulnerability:

1) Stop CA Service Catalog and CA Service Accounting Services.

2) Using WinRar/WinZIP or 7-Zip utility, open log4j-core.jar which is located at USM_HOME\view\webapps\usm\WEB-INF\lib file and delete the following class:

org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core.jar

3)  Using WinRar/WinZIP or 7-Zip utility, open utility-mergetenants.jar which is located at USM_HOME\scripts\mergetenants  and then open log4j-core.jar which is inside the utility-mergetenants.jar, delete the following class: org/apache/logging/log4j/core/lookup/JndiLookup.class from log4j-core.jar.

4) Start CA Service Catalog and CA Service Accounting Services.

 


Note: CA Service Management Administration component is not vulnerable to this log4j  CVE-2021-44228 vulnerability.


For Containershttps://knowledge.broadcom.com/external/article?articleId=230314

 

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://logging.apache.org/log4j/2.x/security.html