
CVE-2021-44228: Log4j Vulnerability Remediation in CA Service Desk Manager (xFlow Containers)


Article ID: 230332


Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Are any of the components of CA Service Desk Manager (xFlow Containers) affected by the recently announced log4j vulnerability, CVE-2021-44228?

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Environment

Releases: 17.3

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1.

Resolution

Step 1:

Copy the following files from the search server pod to the master node, into the < 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder:

    jvm.options and logging.yml from the /opt/CA/SC/SearchServer/elasticsearch/config/ folder
    log4j2.xml from the /opt/CA/SC/SearchServer/search/bin folder

jvm.options: append the following lines to the end of the file

    ## Mitigate vulnerability CVE-2021-44228
    -Dlog4j2.formatMsgNoLookups=true

logging.yml: replace all occurrences of %m%n with %m{nolookups}%n

log4j2.xml: replace all occurrences of %m%n with %m{nolookups}%n

Step 2:

Create a ConfigMap for each of the three files, and label it, using the commands below:

    kubectl create configmap "jvm-options" -n casm-docker --from-file "jvm.options"
    kubectl label configmap "jvm-options" -n casm-docker type="jvm-options"

    kubectl create configmap "logging" -n casm-docker --from-file "logging.yml"
    kubectl label configmap "logging" -n casm-docker type="logging"

    kubectl create configmap "log4j2" -n casm-docker --from-file "log4j2.xml"
    kubectl label configmap "log4j2" -n casm-docker type="log4j2"

 

Step 3:

Open the 17.3RU6 (or later) container patch installer and navigate to the < 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder.

Add the lines below to the volumeMounts: section of the searchsrvr-statefulset.yaml file:

          - name: jvm-options
            mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/jvm.options
            subPath: jvm-options
          - name: logging
            mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/logging.yml
            subPath: logging
          - name: log4j2
            mountPath: /opt/CA/SC/SearchServer/search/bin/log4j2.xml
            subPath: log4j2

 

Step 4:

Add the lines below to the volumes: section of the searchsrvr-statefulset.yaml file:

      - name: jvm-options
        configMap:
          name: jvm-options
          items:
            - key: jvm.options
              path: jvm-options
          defaultMode: 420
      - name: logging
        configMap:
          name: logging
          items:
            - key: logging.yml
              path: logging
          defaultMode: 420
      - name: log4j2
        configMap:
          name: log4j2
          items:
            - key: log4j2.xml
              path: log4j2
          defaultMode: 420



Step 5: Save the searchsrvr-statefulset.yaml file.

Step 6: Run the apply.sh file from the < 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement folder.

Step 7: Restart the search server pod by scaling the StatefulSet down and back up:

    kubectl scale -n casm-docker statefulset searchserver --replicas=0
    kubectl scale -n casm-docker statefulset searchserver --replicas=1

Step 8: Connect to the search server pod from the master node:

    kubectl exec -it searchserver-0 -n casm-docker bash

Step 9: Check that the new changes are present in all three files:

    jvm.options and logging.yml in the /opt/CA/SC/SearchServer/elasticsearch/config/ folder
    log4j2.xml in the /opt/CA/SC/SearchServer/search/bin folder

Step 10: Run ./pdm_es_rebuild_index.sh from the search server pod and confirm that log messages are still written to the log files.
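The following script is an added example, not part of this article or of the CA Service Desk Manager installer. It applies the three file edits from Step 1 to local copies of jvm.options, logging.yml and log4j2.xml and then performs the Step 9 check, so the edited files can be verified before they are turned into ConfigMaps. The sample file contents, the scratch directory ($WORK) and the function names are constructed for illustration; the real files copied from the pod will have more content but the same %m%n patterns.

```shell
#!/bin/sh
# Added example (not from the article): apply the Step 1 edits to local
# copies of the three files and verify them as in Step 9.
# $WORK is a constructed scratch directory standing in for the
# "64 - searchsrvr" folder on the master node.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample inputs standing in for the files copied from the pod.
make_samples() {
  printf '%s\n' '-Xms1g' '-Xmx1g' > "$WORK/jvm.options"
  printf '%s\n' 'appender:' '  console:' '    type: console' \
    '    layout:' '      type: pattern' \
    '      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"' \
    > "$WORK/logging.yml"
  printf '%s\n' '<Configuration>' '  <Appenders>' \
    '    <Console name="STDOUT"><PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/></Console>' \
    '  </Appenders>' '</Configuration>' > "$WORK/log4j2.xml"
}

# Step 1: append the JVM property once (safe to re-run) and replace every
# %m%n with %m{nolookups}%n in the two layout files.
apply_mitigation() {
  if ! grep -qF 'log4j2.formatMsgNoLookups=true' "$WORK/jvm.options"; then
    printf '%s\n' '## Mitigate vulnerability CVE-2021-44228' \
      '-Dlog4j2.formatMsgNoLookups=true' >> "$WORK/jvm.options"
  fi
  for f in logging.yml log4j2.xml; do
    sed 's/%m%n/%m{nolookups}%n/g' "$WORK/$f" > "$WORK/$f.new"
    mv "$WORK/$f.new" "$WORK/$f"
  done
}

# Step 9: return 0 only if all three edits are present and no bare %m%n
# pattern (which would still perform lookups) survives.
verify_mitigation() {
  grep -q '^-Dlog4j2.formatMsgNoLookups=true$' "$WORK/jvm.options" || return 1
  for f in logging.yml log4j2.xml; do
    if grep -qF '%m%n' "$WORK/$f"; then
      echo "unmitigated pattern left in $f" >&2
      return 1
    fi
    grep -qF '%m{nolookups}%n' "$WORK/$f" || return 1
  done
  return 0
}

make_samples
apply_mitigation
if verify_mitigation; then
  echo "all three mitigations present in $WORK"
else
  echo "mitigation incomplete in $WORK" >&2
  exit 1
fi
```

Run it on a scratch copy first; point WORK at the real "64 - searchsrvr" folder only after the copies from the pod are in place, and drop the make_samples call so the real files are not overwritten. The verify step is the part worth keeping: a single %m%n left in any appender pattern means that appender still performs lookups. Note that the log4j2.formatMsgNoLookups property is honoured only by Log4j 2.10 and later, so check the bundled Log4j version before relying on it.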

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228