
CA Application Delivery Analysis log4j vulnerability update


Article ID: 230341


Products

CA Application Delivery Analysis MTP (NetQoS / ADA)

Issue/Introduction

CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property log4j2.formatMsgNoLookups to true (the CVE text misspells this as log4j2.noFormatMsgLookup), do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
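The two checks a practitioner wants after reading the descriptions above are (a) which log4j-core jars on a host fall inside the affected version ranges and still carry JndiLookup.class, and (b) whether a log4j2 configuration uses the non-default Pattern Layout lookups that CVE-2021-45046 depends on. The Python script below is an added example written for this article; it is not Broadcom's or the Log4j project's code. It reads the version from the jar's Maven pom.properties, classifies it against the ranges quoted in this article (2.0-beta9 through 2.14.1 for CVE-2021-44228, through 2.15.0 for CVE-2021-45046; the backported fix releases 2.3.1 and 2.12.2 are not special-cased), strips JndiLookup.class the same way the zip -q -d command does, and flags PatternLayout strings containing ${ctx:…}, %X, %mdc or %MDC. The sample jar and sample configuration it builds are constructed stand-ins, not real Log4j artifacts.

```python
"""Added example (not Broadcom's or the Log4j project's code): find log4j-core
jars, classify them against the CVE version ranges quoted in the advisory,
strip JndiLookup.class, and flag Pattern Layouts relevant to CVE-2021-45046."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-release tags
    sort below the final release of the same number (tag order is lexical,
    which is enough for the 2.0 beta/rc series)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", v)
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def classify(version):
    """Map a log4j-core version string to the CVEs the advisory describes."""
    v = parse_version(version)
    if v is None:
        return ["unknown-version"]
    low = parse_version("2.0-beta9")
    cves = []
    if low <= v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")
    if low <= v <= parse_version("2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for one jar; version is None if the
    jar carries no log4j-core pom.properties."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def scan_tree(root):
    """Walk root and report every jar that looks like log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version, jndi = inspect_jar(path)
            if version is None and not jndi:
                continue  # neither log4j-core metadata nor the lookup class
            findings.append({"path": path, "version": version, "jndi_lookup": jndi,
                             "cves": classify(version) if version else ["unknown-version"]})
    return findings


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, the same effect as
    `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`. Returns True if removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_CLASS:
                    continue
                zi = zipfile.ZipInfo(info.filename, date_time=info.date_time)
                zi.compress_type = info.compress_type
                zi.external_attr = info.external_attr
                dst.writestr(zi, src.read(info.filename))
    with open(path, "wb") as f:
        f.write(buf.getvalue())
    return True


# Lookups named in the CVE-2021-45046 text: Context Lookup and Thread Context Map patterns.
CONTEXT_PATTERNS = re.compile(r"\$\$?\{ctx:|%X\b|%mdc\b|%MDC\b")


def layouts_using_context(config_xml):
    """Return the PatternLayout pattern strings that pull Thread Context data."""
    patterns = re.findall(r'<PatternLayout[^>]*\bpattern="([^"]*)"', config_xml)
    return [p for p in patterns if CONTEXT_PATTERNS.search(p)]


def make_sample_jar(directory, version="2.14.1"):
    """Constructed stand-in for a vulnerable log4j-core jar (placeholder bytes, not bytecode)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


# Constructed sample configuration: one default-style layout, one using a Context Lookup.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="plain"><PatternLayout pattern="%d %p %c - %m%n"/></Console>
    <Console name="ctx"><PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/></Console>
  </Appenders>
</Configuration>"""


def demo():
    """Scan, mitigate, rescan a constructed jar; return (before, removed, after)."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(d)
        before = scan_tree(d)[0]
        removed = remove_jndi_lookup(jar)
        after = scan_tree(d)[0]
        return before, removed, after


if __name__ == "__main__":
    for item in demo():
        print(item)
    print(layouts_using_context(SAMPLE_CONFIG))
```

Run it against a real tree with scan_tree("/opt/vertica") or the ADA install directory; a finding with jndi_lookup still True and a version inside either range is the condition the workaround and the CU01 patch in this article are meant to remove. The version check is coarse by design: the presence of JndiLookup.class is the more reliable signal for the class-removal mitigation.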

Environment

CA VMTP 11.0 and CA VMTP 11.1

Cause

CVE-2021-44228 affects all versions of log4j from 2.0-beta9 through 2.14.1; CVE-2021-45046 additionally affects 2.15.0, whose fix was incomplete.

Resolution

The CA VMTP components are vulnerable to these CVEs because of the log4j versions shipped with the Vertica kafka package.

While Broadcom works to upgrade the log4j shipped with CA VMTP, the following workaround can be applied without affecting the product itself.

  1. Become the <dbadmin> user on a Vertica node.
  2. Uninstall the kafka Vertica package:
    /opt/vertica/bin/admintools -t uninstall_package -d <dbname> -P kafka
  3. Log in to the Vertica node as root and remove the package files (this deletes the bundled log4j jars):
    rm -rf /opt/vertica/packages/kafka
  4. Verify the package is no longer available:
    1. Become the <dbadmin> user on the Vertica node.
    2. List the installed packages and confirm kafka is not present:
      /opt/vertica/bin/admintools -t list_packages -d <dbname>

For ADA itself, the SSO component uses an older version of log4j.

Upgrade to ADA 11.1.3 and apply the CU01 patch on top of it; the patch ships log4j 2.17.1:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/ReleaseAnnouncements/Application-Delivery-Analysis-11-1-3-CU01-Now-Available/20407

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046