search cancel

CVE-2021-44228 - log4j vulnerability and AppWorx / Automic Application Manager

book

Article ID: 230316

calendar_today

Updated On:

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 

According to CVE-2021-44228, Java 1.8u121+ has built-in protection due to a default setting and protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". Customers who are already using this Java version and didn't change the relevant properties should be fine.

Resolution

Applications Manager ships Log4J library. This library is a transitive dependency required for Apache Commons Logging library (commons-logging-1.2.jar). We don't directly invoke classes from this library directly, instead we use in-house code for logging messages.
 
For AM 9.3.0:
 
Applications Manager v9.3.x ships Log4j v1.2.8 which is not vulnerable to Zero-day exploit. Hence Applications Manager v9.3.x is NOT vulnerable.
RA Banner 4.0 or older ships Log4J v.1.2.x and hence the product is NOT vulnerable.
 
For AM 9.4.0:
 
Please find 9.4.0 Hotfixes for Zero vulnerability issues as below:
Applications Manager: AM v9.4.0.HF1
RA Banner: RA Banner 4.1.1
The above Hotfix releases will replace the old jar with log4j 2.1.6.0.
Applications 9.4.1 replaces with log4j 2.1.7.
 
Note: Applications Manager v9.4.0 ships Log4j2 v2.14.1 library which has been marked as vulnerable. One of the requirements of exploitations of the ZERO-DAY attack is to log the input using Log4J2, which we don't use, and hence there is minimal chance of exploitation. Nevertheless, we would still request our customers to upgrade the vulnerable library to our hotfixes above.
 

Additional Information

Broadcom Enterprise Software Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

https://support.broadcom.com/security-advisory/content/security-advisories/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/ESDSA19792

Applications Manager does not use Spring and is not affected by Spring4Shell 0-day Remote Code Execution in Spring framework vulnerability https://tanzu.vmware.com/security/cve-2022-22963