Are any of the components of CA Service Desk Manager (xFlow Containers) affected by the recently announced Log4j vulnerability, CVE-2021-44228?
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Release: 17.3
This vulnerability affects all versions of Log4j from 2.0-beta9 to 2.14.1.
Step 1:
Copy the following files from the search server pod to the master node
(<17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder):
jvm.options and logging.yml from the /opt/CA/SC/SearchServer/elasticsearch/config/ folder
log4j2.xml from the /opt/CA/SC/SearchServer/search/bin folder
Step 2:
Create and label a ConfigMap for each of the three files using the commands below:
kubectl create configmap "jvm-options" -n casm-docker --from-file "jvm.options"
kubectl label configmap "jvm-options" -n casm-docker type="jvm-options"
kubectl create configmap "logging" -n casm-docker --from-file "logging.yml"
kubectl label configmap "logging" -n casm-docker type="logging"
kubectl create configmap "log4j2" -n casm-docker --from-file "log4j2.xml"
kubectl label configmap "log4j2" -n casm-docker type="log4j2"
Step 3: Open the 17.3RU6 (or later) container patch installer and navigate to the <17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder.
Add the following lines to the volumeMounts: section of the searchsrvr-statefulset.yaml file:
- name: jvm-options
  mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/jvm.options
  subPath: jvm-options
- name: logging
  mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/logging.yml
  subPath: logging
- name: log4j2
  mountPath: /opt/CA/SC/SearchServer/search/bin/log4j2.xml
  subPath: log4j2
Step 4:
Add the following lines to the volumes: section of the searchsrvr-statefulset.yaml file:
- name: jvm-options
  configMap:
    name: jvm-options
    items:
    - key: jvm.options
      path: jvm-options
    defaultMode: 420
- name: logging
  configMap:
    name: logging
    items:
    - key: logging.yml
      path: logging
    defaultMode: 420
- name: log4j2
  configMap:
    name: log4j2
    items:
    - key: log4j2.xml
      path: log4j2
    defaultMode: 420
Step 5: Save the searchsrvr-statefulset.yaml file.
Step 6: Run the apply.sh file from the <17.3RU6_dump_location>/casm-docker-installer-ServiceManagement folder.
Step 7: Restart the search server pod using the commands below:
kubectl scale -n casm-docker statefulset searchserver --replicas=0
kubectl scale -n casm-docker statefulset searchserver --replicas=1
Step 8: Connect to the search server pod from the master node:
kubectl exec -it searchserver-0 -n casm-docker -- bash
Step 9: Check that the new changes are present in all three files:
jvm.options and logging.yml files from /opt/CA/SC/SearchServer/elasticsearch/config/ folder
log4j2.xml file from /opt/CA/SC/SearchServer/search/bin folder
Step 10: Run the ./pdm_es_rebuild_index.sh command from the search server pod.
Check whether log messages are written to the log files.
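The subPath values added in Step 3 only resolve to files if they match the items path values added in Step 4. The script below is an added example, not part of the vendor procedure: it checks that pairing in the edited searchsrvr-statefulset.yaml before apply.sh is run. It assumes entries are laid out as in Steps 3 and 4 (line-based parsing); the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): confirm that each volumeMounts subPath in the
# edited searchsrvr-statefulset.yaml equals the items path of the volume with
# the same name. Line-based check; assumes entries shaped like Steps 3 and 4.
check_subpaths() {
    awk '
        $1 == "-" && $2 == "name:" { cur = $3; next }      # new mount or volume entry
        $1 == "subPath:"           { mount[cur] = $2; next }
        $1 == "path:"              { vol[cur] = $2; next }  # path under configMap items
        END {
            bad = 0
            for (n in mount) {
                if (!(n in vol)) {
                    printf "MISSING volume item for mount %s\n", n; bad = 1
                } else if (vol[n] != mount[n]) {
                    printf "MISMATCH %s: subPath=%s path=%s\n", n, mount[n], vol[n]; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the logging entry only, in the form the steps above use.
write_sample() {
    cat > "$1" <<'EOF'
volumeMounts:
- name: logging
  mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/logging.yml
  subPath: logging
volumes:
- name: logging
  configMap:
    name: logging
    items:
    - key: logging.yml
      path: logging
    defaultMode: 420
EOF
}

# When given a file argument, check it and exit non-zero on any mismatch.
if [ "$#" -gt 0 ]; then check_subpaths "$1"; fi
```

Pass the path to searchsrvr-statefulset.yaml as the only argument; no output and exit status 0 mean every subPath has a matching items path.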