
CVE-2021-44228: Is DX Netops Spectrum Domain Connector and/or TrapX vulnerable?


Article ID: 230377


Products

CA Spectrum DX NetOps

Issue/Introduction

LAST UPDATE: 12/30/2021 7:05 AM EST

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Environment

DX Netops Spectrum 10.4.x, 20.2.x, 21.2.x

Resolution

The Spectrum Domain Connector ships Logstash, which uses log4j.

Therefore, it is currently vulnerable.

The following steps can be taken to resolve the issue:

Command:
$ zip -q -d /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
 
Where /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.* matches the log4j-core jar file(s) from which zip will remove the JndiLookup.class entry (org/apache/logging/log4j/core/lookup/JndiLookup.class). Note that the trailing "-d" argument is the path of the class inside the jar, so it must be separated from the jar name by a space.
 
 
 
You can also run these commands:
$ cd /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/
$ zip -q -d log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
 
 
If you get the following message, it means that the JndiLookup.class entry has already been removed from the log4j-core-2.12.1.jar file (the command is safe to repeat):
zip error: Nothing to do! (/opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar)
 

 

For logstash-input-tcp-*.jar, follow this slightly amended process for the TCP input jar, which may also bundle a vulnerable copy of the log4j code:

Command: 
zip -q -d /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

Alternate method: 

1. Find the version of the TCP input jar that needs to be patched, starting from the logstash directory used above:
find . -name "logstash-input-tcp-*.jar"

2. File should be located in the following directory: 

/opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/

cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/

3. Follow the same process for your TCP input jar file with:

zip -q -d logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

NOTE for installations running multiple SDC instances on the same server: each instance needs the offending class removed. The following loop assumes the instances are installed under /ca with "SDM" in their directory names, as in the command:

for i in `ls -1 /ca|grep SDM`; do zip -q -d /ca/$i/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class;done

 

You can verify that the vulnerable jars were mitigated successfully by running the grep commands below. A jar is a zip archive whose central directory stores member names uncompressed, so grep finds the string "JndiLookup.class" inside any jar that still contains that entry:

$ cd /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/

$ grep -R 'JndiLookup.class'

$ cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/

$ grep -R 'JndiLookup.class'

 

If grep prints no file names, then JndiLookup.class does not exist in any file of the /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ directory (and, for the second grep, of the logstash-input-tcp directory).

You can also run this syntax from any directory (as long as /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ is the correct path):

$ grep -R 'JndiLookup.class' /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/
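The checks above are two greps and a zip invocation per directory. As an added example (not Broadcom's code and not part of this article), the Python script below walks a whole tree, reports every jar that still contains the JndiLookup.class entry, strips that entry in the same way "zip -d" does, and re-scans to confirm. It builds a small constructed sample jar in a temporary directory so it runs offline; the /opt/CA path is an assumption you would replace with your own SDC install root.

```python
"""Find jars that still contain JndiLookup.class under a directory tree and
remove that entry, mirroring the article's `zip -q -d ... JndiLookup.class`.

Added example, not part of the Broadcom KB article. Paths are assumptions:
point `root` at e.g. /opt/CA/SDMConnector/LogMonitor/logstash on a real host.
"""
import os
import shutil
import tempfile
import zipfile

# The class removed by the CVE-2021-44228 mitigation in the article.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_under(root):
    """Yield every .jar below root at any depth (lib/jars and gem vendor dirs)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def find_vulnerable_jars(root):
    """Return the sorted list of jars under root that still carry JndiLookup.class."""
    hits = []
    for jar in jars_under(root):
        try:
            with zipfile.ZipFile(jar) as zf:
                if JNDI_LOOKUP in zf.namelist():
                    hits.append(jar)
        except zipfile.BadZipFile:
            # Not a real zip archive; skip it rather than abort the scan.
            continue
    return sorted(hits)


def remove_jndi_lookup(jar):
    """Rewrite jar without JndiLookup.class.

    Returns True if the entry was removed, False if the jar was already clean
    (the equivalent of zip's "Nothing to do!" message). zipfile cannot delete
    in place, so a new archive is written beside the original and moved over it.
    """
    with zipfile.ZipFile(jar) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP:
                    continue
                # Copy every other member with its metadata unchanged.
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, jar)
    return True


def make_sample_jar(path):
    """Constructed sample: a tiny stand-in for log4j-core with the lookup class inside."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def run_demo(root):
    """Create a constructed tree under root, mitigate it, and report the outcome.

    Returns (vulnerable_before, vulnerable_after, second_removal_result).
    """
    jars_dir = os.path.join(root, "logstash-core", "lib", "jars")
    os.makedirs(jars_dir, exist_ok=True)
    make_sample_jar(os.path.join(jars_dir, "log4j-core-2.12.1.jar"))
    before = find_vulnerable_jars(root)
    for jar in before:
        remove_jndi_lookup(jar)
    after = find_vulnerable_jars(root)
    # Running the mitigation again must be a no-op, like zip's "Nothing to do!".
    second = remove_jndi_lookup(os.path.join(jars_dir, "log4j-core-2.12.1.jar"))
    return before, after, second


def run_demo_in_tempdir():
    """Run the demo in a throwaway directory so nothing on the host is touched."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return run_demo(tmpdir)


if __name__ == "__main__":
    before, after, second = run_demo_in_tempdir()
    print("vulnerable before:", before)
    print("vulnerable after :", after)
    print("second removal   :", second)
```

Stop Logstash before rewriting a jar that is in use, and keep a copy of the original jar until the service has been restarted and checked; the article's "zip -d" command has the same requirement.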

 
 
 
Note: On Windows:

Option 1:
    Rename the .jar file to .zip.
    Double-click the file to navigate into it.
    Go to the org/apache/logging/log4j/core/lookup/ folder, locate JndiLookup.class and delete it.
    Once the file has been deleted, rename the .zip back to .jar.

Option 2: If 7-Zip is installed
    Right-click the log4j-core-x.xx.x.jar file and select 7-Zip > Open archive.
    Navigate to org/apache/logging/log4j/core/lookup/
    Select: JndiLookup.class
    Right-click: Delete

Be sure to do the same for logstash-input-tcp-*.jar.

 

NOTE: DX NetOps 21.2.6 is shipped with log4j 2.17.0 which addresses these vulnerabilities.

Reference: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/

Reference: https://discuss.elastic.co/t/logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation/292343

Additional Information


Elastic Logstash discussion:

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
