CVE-2021-44228: Log4j Vulnerability Remediation in CA IT Asset Manager

CVE-2021-44228: Log4j Vulnerability Remediation in CA IT Asset Manager

book

Article ID: 230318

calendar_today

Updated On:

Products

CA IT Asset Manager CA IT Asset Manager Asset Portfolio Management CA Service Management - Asset Portfolio Management

Issue/Introduction

ITAM uses AMS-Asset Viewer which is affected by the below vulnerability    

    CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

 

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Environment

Release : 17.2 and 17.3

This KB article is only applicable for :

  • CA Service Management 17.2 GA to 17.2 RU17 versions
  • CA Service Management 17.3 GA to 17.3 RU10 versions

The above two release versions (17.2.x and 17.3.x) are affected by these vulnerabilities.

To remediate these vulnerabilities,

For the 17.2.x releases:

 

You must follow the resolution steps provided in this KB article.

 

For the 17.3.x releases:

 

You may follow the resolution steps provided in this KB article.

(or)

You can upgrade to CA Service Management 17.3 RU11 with the upgraded Log4j2 version of 2.16.0 to fix the security vulnerabilities affecting the Apache Log4j utility. For more information on installation of CA Service Management 17.3 RU11, refer

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Release-Information/CA-Service-Management-17-3-0-11-Release-Notes.html

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

Please follow below steps to implement the workaround to avoid the vulnerability:

 

1)  To update the AMS Tomcat Service, perform the below steps:

  1. Stop the AMS Tomcat Service from the services console.
  2. Navigate to “C:\Program Files (x86)\CA\SharedComponents\AMS\TomCat\bin” and open command prompt by typing cmd in the address bar.
  3. Type and execute below command to open Edit Service Configuration window
    • tomcat8w.exe //ES//AMS
  4. Once the window opens, navigate to “Java” tab and update Java Options
    • Add -Dlog4j2.formatMsgNoLookups=True as shown below
  5. Click apply and click ok

 

2) To update the log4j2.xml file, perform the below steps:

  1. Open C:\Program Files (x86)\CA\SharedComponents\AMS\TomCat\webapps\AMS\WEB-INF\classes\log4j2.xml file in Administrator edit mode.
  2. Replace all occurrences of %msg%n with %msg{nolookups}%n
  3. Start the AMS Tomcat Service.

Note:- ITAM - CAF (Multi Tenancy Service) which uses log4j 1.2 is not affected by the above said vulnerability.

 


Footer Note: (Mandatory Step)

  1. Stop AMS Tomcat Service.
  2. Remove log4j-1.2.17.jar from “C:\Program Files (x86)\CA\SharedComponents\AMS\TomCat\webapps\AMS\WEB-INF\lib\
  3. Using WinRar/WinZip or 7-Zip, open log4j-core-2.10.0.jar  file from “C:\Program Files (x86)\CA\SharedComponents\AMS\TomCat\webapps\AMS\WEB-INF\lib\”  and delete the following class: org/apache/logging/log4j/core/lookup/JndiLookup.class
  4. Start AMS Tomcat Service

 

*Assuming CA Products are installed in C drive, else read paths relative with the drive where CA Products are installed.

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228