CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Article ID: 230329

Products

CA Workload Automation DE
CA Workload Automation DE - Scheduler (dSeries)

Issue/Introduction

An Apache Log4j 2 remote code execution vulnerability was recently reported to Apache and has been assigned CVE identifier CVE-2021-44228. It is rated Critical, and exploit code is in the wild. The Log4j team addressed the vulnerability in Log4j 2.15.0.

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

In the supported dSeries releases 12.1 through 12.3, the server ships log4j 2.11.0 in its migration folder, where it is used by the migration utility rather than by the running scheduler.

Upgrading to log4j 2.17 is not needed: the medium-severity issue fixed in that release (CVE-2021-45105, a denial of service through self-referential lookups) requires the application to use the Thread Context Map (MDC), and ESP dSeries does not.

Note: Log4j versions 1.x are not affected by this vulnerability.

Environment

Environment : All Platforms

Releases affected: 12.1, 12.2, 12.3

Component: ESP Workload Automation DE

Resolution

DE Server / Web Client Patches:

The ESP Workload Automation DE server and Web Client patches that address this vulnerability update the bundled log4j jar to version 2.16.

Web Client (12.3.00.00-2321) – 99111317  --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111317&os=MULTI-PLATFORM

DE (dSeries) Server  – 99111315   --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111315&os=MULTI-PLATFORM

The Web Client patch applies only to r12.3; the other supported Web Client versions are not affected. It is a normal cumulative patch.

The DE (dSeries) Server patch applies to the supported DE versions r12.1, r12.2 and r12.3. The server does not need to be shut down to apply it. For High Availability installations, apply it to both the primary and the standby server.

NOTE: The migration utility may not work in dSeries 12.2 and 12.1 after the above patches have been applied. As with any patch, always back up the directory first so that it can be reverted if there is an issue. If you plan to migrate your dSeries environment, apply the patches after the migration is done. We strongly recommend applying the patches as soon as possible so that the server no longer carries the old log4j libraries.

Mitigation/Workaround:

Follow the steps below to mitigate the problem, as suggested in the CVE record at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Users may instead deploy a modified log4j-core-2.11.0.jar from which JndiLookup.class has been removed. The modified jar is attached to this knowledge document (scroll to the bottom).

To use the modified jar:

1. Navigate to <DE_install_directory>/migration/lib

2. Delete or move the current log4j-core-2.11.0.jar out of the directory (move it to another location).

3. Download the attached jar and rename it from "log4j-core-2.11.0_1639670761625.jar" to log4j-core-2.11.0.jar

4. Copy the new log4j-core-2.11.0.jar to <DE_install_directory>/migration/lib

5. Repeat steps 2 to 4 to place the modified jar in these two locations as well:

<DE_install_directory>/migration/12.0-lib
<DE_install_directory>/migration/11.3-lib

6. No restart of DE service is needed.

Note: It is recommended to take a backup of the DE install directory before making any changes.

Users who prefer to modify log4j-core-2.11.0.jar themselves (removing the JNDI lookup class) can follow these steps.

DE Server:

In Linux/UNIX:

1. Navigate to:

<DE_install_directory>/migration/lib

2. Run this command:

zip -q -d log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Repeat the above steps for these directories as well:

<DE_install_directory>/migration/12.0-lib
<DE_install_directory>/migration/11.3-lib

In Windows:

1. Create a new folder, say "log4j_temp", on C: or D:.

2. Copy log4j-core-2.11.0.jar from <DE_install_directory>/migration/lib to the newly created "log4j_temp" folder.

3. Open a command prompt, navigate to log4j_temp, and issue this command (the jar tool ships with a JDK, so a JDK must be installed and on the PATH):

jar -xf log4j-core-2.11.0.jar

4. The command extracts several directories and files into log4j_temp. Go to org/apache/logging/log4j/core/lookup/ and delete JndiLookup.class.

5. Go back to log4j_temp and delete the original log4j-core-2.11.0.jar.

6. Repack the jar with this command, run in the log4j_temp folder at the command prompt:

jar -cf log4j-core-2.11.0.jar *

7. A new log4j-core-2.11.0.jar is created; copy it to the migration lib folder: <DE_install_directory>/migration/lib.

Repeat steps 2 to 7 for the jars in these directories as well:

<DE_install_directory>/migration/12.0-lib
<DE_install_directory>/migration/11.3-lib
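The Python script below is an added example, not the article's attachment and not Broadcom code. It does in one pass, on either platform, what the Linux zip -d and Windows jar steps above do by hand: back up each log4j-core-2.11.0.jar under the three migration lib directories, rewrite it without JndiLookup.class, and verify that the class is gone. Its has_jndi_lookup check also serves the attached-jar procedure earlier on this page as the post-copy verification. The function names, the ".bak" backup naming and the build_sample_install fixture (a constructed stand-in for a DE install holding tiny fake class entries) are assumptions of this example; run it with the DE install directory as the argument to work on a real installation.

```python
import hashlib
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path

# Entry the workaround removes, and where the article says the jar lives.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = "log4j-core-2.11.0.jar"
MIGRATION_LIB_DIRS = ("migration/lib", "migration/12.0-lib", "migration/11.3-lib")


def list_entries(jar_path):
    """Sorted list of entry names in the jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class. Use this as the check after
    either procedure on this page (attached jar or manual edit)."""
    return JNDI_CLASS in list_entries(jar_path)


def sha256_of(path):
    """Hex SHA-256 of a file, for the change record."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def strip_jndi_lookup(jar_path):
    """Copy the jar to <name>.bak, then rewrite it without JndiLookup.class.
    Every other entry is copied with its original compression and timestamp.
    Returns the number of entries kept."""
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + ".bak")
    shutil.copy2(jar_path, backup)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    kept = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
            kept += 1
    tmp.replace(jar_path)  # swap the rewritten jar into place
    return kept


def remediate_install(de_install_dir):
    """Apply the workaround to each migration lib directory under the DE install.
    Returns {relative jar path: 'stripped' | 'already-clean' | 'missing' | 'FAILED'}."""
    results = {}
    for rel in MIGRATION_LIB_DIRS:
        jar = Path(de_install_dir) / rel / JAR_NAME
        key = f"{rel}/{JAR_NAME}"
        if not jar.is_file():
            results[key] = "missing"
        elif not has_jndi_lookup(jar):
            results[key] = "already-clean"
        else:
            strip_jndi_lookup(jar)
            results[key] = "FAILED" if has_jndi_lookup(jar) else "stripped"
    return results


def build_sample_install(root=None):
    """Constructed test fixture, not a real DE install: two of the three directories
    get a tiny jar holding a fake JndiLookup.class and two other entries; 11.3-lib is
    left absent to show the 'missing' status. Returns the install root."""
    root = Path(root or tempfile.mkdtemp(prefix="de_install_"))
    for rel in MIGRATION_LIB_DIRS[:2]:
        lib = root / rel
        lib.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(lib / JAR_NAME, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    install_dir = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    for jar, status in remediate_install(install_dir).items():
        path = Path(install_dir) / jar
        digest = sha256_of(path) if path.is_file() else "-"
        print(f"{status:14} {jar}  sha256={digest}")
```

Keep the ".bak" files (or move them out of the install tree) as the rollback the article recommends, and record the printed SHA-256 of each rewritten jar so a later audit can confirm the deployed file is the one you produced.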

 

Additional Information

Note: A restart of DE (ESP dSeries) is not needed; the migrate script is used only when an actual migration of the DE server is performed.

Workload Automation Agents are not affected by this vulnerability.

Attachments

log4j-core-2.11.0_1639670761625.jar