search cancel

CVE-2021-44228: CA Client Automation R14.5 log4j vulnerability

book

Article ID: 230320

calendar_today

Updated On:

Products

CA Client Automation

Issue/Introduction

Product:
CA Client Automation R14.5
CA Client Automation R14.5 Cumulative Update 1

CA Client Automation R14.5 is affected by the log4j vulnerability that was announced
recently - CVE-2021-44228:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
parameters do not protect against attacker controlled LDAP and other JNDI related
endpoints. An attacker who can control log messages or log message parameters can
execute arbitrary code loaded from LDAP servers when message lookup substitution is
enabled

Environment

Release: CA Client Automation R14.5 and above with Web Console installed.

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

You can follow either Option#1 or Option#2 to address this vulnerability.


Option#1


Release: CA Client Automation R14.5 and above are vulnerable to this CVE due to the
versions of log4j shipped.
As Broadcom works to upgrade the log4j shipped with CA Client Automation, the following
work around can be applied without affecting the product itself.
CA Client Automation ships following log4j2 jars
DSM\Web Console\webapps\AMS\WEB-INF\lib\ log4j-api-2.12.1.jar
DSM\Web Console\webapps\AMS\WEB-INF\lib\ log4j-core-2.12.1.jar
DSM\Web Console\webapps\wac\WEB-INF\lib log4j-api-2.12.1.jar
DSM\Web Console\webapps\wac\WEB-INF\lib\ log4j-core-2.12.1.jar

If you have already performed the below steps, you can directly go to the footer notes and
perform the mandatory steps.


1. Execute caf stop to stop CA Client Automation.
2. Execute the following command:
ccnfcmda -cmd setparametervalue -ps itrm/common/caf/plugins/tomcat -pn
commandline_start -v "\"C:\Program Files (x86)\CA\SC\JRE\1.8.0_212\bin\java.exe\" -Xrs -
Dfile.encoding=utf8 -Xms128m -Xmx256m -XX:MaxPermSize=256m -classpath
\"C:\Program Files (x86)\CA\SC\Tomcat\8.5.56\bin\bootstrap.jar\";\"C:\Program Files
(x86)\CA\SC\Tomcat\8.5.56\bin\tomcat-juli.jar\" -Dcatalina.base=\"C:\Program Files
(x86)\CA\DSM\Web Console\" -Dcatalina.home=\"C:\Program Files
(x86)\CA\SC\Tomcat\8.5.56\" -Djava.io.tmpdir=\"C:\Program Files (x86)\CA\DSM\Web
Console\temp\" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -
Djava.util.logging.config.file=\"C:\Program Files
(x86)\CA\SC\Tomcat\8.5.56\conf\logging.properties\" -
Dlog4j2.formatMsgNoLookups=\"true\" org.apache.catalina.startup.Bootstrap start"
Note: Tomcat, WebConsole and JRE paths may differ based on the installation. Replace
the actual paths in the above command.
3. Execute caf start to start CA Client Automation.

Footer note : (Mandatory step)
As Apache has suggested another step to mitigate even more of the risk, it is recommended
that the JndiLookup.class be removed from log4j-core-2.12.1.jar.
The below procedure can be followed to remove the JndiLookup.class.
Execute the command caf stop
The jar file is located in the following folders.
<Installed Path>\DSM\Web Console\webapps\wac\WEB-INF\lib
<Installed Path>\DSM\Web Console\webapps\AMS\WEB-INF\lib
<Installed Path>\DSM\Web Console\webapps\pmengine\WEB-INF\lib

1. Open the directory <Installed Path>\DSM\Web Console\webapps\wac\WEB-INF\lib
2. Right click on log4j-core-2.12.1.jar file and select 7-zip and Open archive.
Note: Please use any available compression tool to open the jar file. In this example, we
used 7-zip.

3. Traverse to org\apache\logging\log4j\core\lookup\

 

 

4. Right Click on JndiLookup.class file and select the Delete option to delete the file.

 

6. Close the 7-zip window.
7. Repeat the same steps for AMS and pmengine folders.
8. Execute the command caf start

 

Option#2

Patch has been published and is available in the support site at below link.

Patch number: 99111310

WAC patch for log4j

Additional Information

 

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 

Attachments