CVE-2021-44228: Is DX Netops Spectrum Domain Connector and/or TrapX vulnerable?


Article ID: 230377



CA Spectrum DX NetOps


LAST UPDATE: 12/30/2021 7:05 AM EST

Apache Log4j2 <=2.14.1: the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.


DX Netops Spectrum 10.4.x, 20.2.x, 21.2.x


The Spectrum Domain Connector ships Logstash, which bundles log4j-core (2.12.1 in the affected releases, inside the vulnerable range).

Therefore, it is currently vulnerable.

The following steps mitigate the issue by removing the JndiLookup class from the bundled jar, which disables the JNDI lookup the exploit relies on:

$ zip -q -d /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Where /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.* is the jar from which zip removes the JndiLookup.class entry (org/apache/logging/log4j/core/lookup/JndiLookup.class). zip -d takes exactly one archive, so the wildcard must match a single jar; if more than one log4j-core jar is present, run the command once per jar.
You can also run these commands from the jars directory:
$ cd /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/
$ zip -q -d log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
If you get the following message, the JndiLookup.class has already been removed from the log4j-core-2.12.1.jar file:
zip error: Nothing to do! (/opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar)
Restart the Domain Connector (Logstash) after patching so that the running JVM picks up the modified jar.


The logstash-input-tcp-*.jar also bundles a copy of the log4j code and may carry the same vulnerable class. Follow this slightly amended process for the tcp input jar:

zip -q -d /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


Alternate method: 

1. Find the version of the tcp input jar that needs to be patched. Run find from the Logstash installation directory so that it walks the vendor tree:
find . -name "logstash-input-tcp-*.jar"

2. File should be located in the following directory: 


cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/

3. Follow the same process for your tcp input JAR file with:

zip -q -d logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


NOTE for installations using multiple SDC instances on the same server: each instance needs the offending class removed from both jars. The loop below assumes the instances are installed under /ca (adjust the path to your install root) and patches the tcp input jar of every instance; apply the same zip -d command to each instance's log4j-core jar as well:

for i in $(ls -1 /ca | grep SDM); do zip -q -d "/ca/$i/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/"logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; done


You can verify that the vulnerable jars were mitigated successfully by running grep in each of the two directories (the class name appears in plain text in the jar's zip index, so a jar that still contains it is reported as a match):

$ cd /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/

$ grep -R 'JndiLookup.class'

$ cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/

$ grep -R 'JndiLookup.class'


If grep prints nothing, the JndiLookup.class entry no longer exists in any file of the /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ directory (and likewise for the tcp input directory).

You can also run this syntax from any directory (as long as /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ is the correct path):

$ grep -R 'JndiLookup.class' /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/

Note: On Windows:

Option 1:
    Rename the .jar to .zip.
    Double-click the file to navigate into it.
    Go to the org/apache/logging/log4j/core/lookup/ folder, then locate and delete JndiLookup.class.
    Once the file has been deleted, rename the .zip back to .jar.

Option 2: If 7-Zip is installed
    Right-click the log4j-core-x.xx.x.jar file and select 7-Zip > Open archive.
    Navigate to org/apache/logging/log4j/core/lookup/.
    Select JndiLookup.class.
    Right-click and choose Delete.

Be sure to do the same for logstash-input-tcp-*.jar, and restart the Domain Connector afterwards.
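The following script is an added example, not code from Broadcom/CA or the Logstash project. It is a portable equivalent of the zip -q -d commands and of the Windows rename-and-delete steps above: it walks an install tree (so several SDC instances and the nested logstash-input-tcp vendor jar are covered in one pass), strips org/apache/logging/log4j/core/lookup/JndiLookup.class from every jar that still contains it by rewriting the jar without that entry, and re-scans to verify, which is the same check the grep commands perform. The demo directory layout and jar contents are constructed dummies (assumed paths, not a real install), and the already-clean jar in the demo exercises the "Nothing to do" case.

```python
"""Added example (not Broadcom/CA or Logstash code): find every jar under a tree
that still contains JndiLookup.class, remove that entry, and verify the result."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_entries(jar_path):
    """Entry names in a jar (a jar is a zip; this reads the central directory)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def jars_with_jndilookup(root):
    """Every *.jar under root that still contains JndiLookup.class, sorted.
    Same check as `grep -R 'JndiLookup.class' <dir>`, done on the zip index."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if JNDI_CLASS in jar_entries(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; ignore it
    return sorted(hits)


def strip_jndilookup(jar_path):
    """Remove JndiLookup.class from one jar.  zipfile cannot delete in place, so the
    jar is copied entry by entry to a temp file without that class and then swapped
    in atomically.  Returns False when the jar is already clean (the article's
    `zip error: Nothing to do!` case)."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_CLASS:
                    continue
                # Reusing the ZipInfo keeps each entry's timestamp and compression.
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)
    os.replace(tmp_path, jar_path)
    return True


def mitigate_tree(root):
    """Strip the class from every affected jar under root, then re-scan.
    Returns (patched, remaining); remaining must be empty for a successful run."""
    patched = [p for p in jars_with_jndilookup(root) if strip_jndilookup(p)]
    return patched, jars_with_jndilookup(root)


def build_demo_tree():
    """Constructed sample install (assumed layout, dummy class bytes): two jars
    that still carry JndiLookup.class and one that was already mitigated."""
    root = tempfile.mkdtemp(prefix="sdc-demo-")
    layout = {
        "SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar": True,
        "SDMConnector/LogMonitor/logstash/vendor/jar-dependencies/logstash-input-tcp-6.0.4.jar": True,
        "SDMConnector2/LogMonitor/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar": False,
    }
    for rel, still_vulnerable in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if still_vulnerable:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return root


def remove_demo_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    print("affected before:", jars_with_jndilookup(demo))
    patched, remaining = mitigate_tree(demo)
    print("patched:", len(patched), "still affected:", remaining)
    remove_demo_tree(demo)
```

Point mitigate_tree() at the real install root (for example /opt/CA, or /ca for multi-instance hosts) with the Domain Connector stopped, and restart it afterwards; the returned "remaining" list must be empty, which is the same condition as the grep commands printing nothing. The rewrite keeps every other entry, timestamp and compression method, so the patched jar differs from the original only by the missing class.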


NOTE: DX NetOps 21.2.6 is shipped with log4j 2.17.0 which addresses these vulnerabilities.



Additional Information




Elastic logstash discussion:

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31