CVE-2021-44228 & CVE-2021-45046: Is DX Netops vulnerable to the Log4J security issue?

Article ID: 230391


Products

CA Spectrum

DX NetOps

CA Network Flow Analysis (NetQos / NFA)

CA Virtual Network Assurance

Issue/Introduction

LAST TECHNICAL UPDATE: MARCH 17th, 2022 @ 12:00 PM EST

Are DX NetOps components vulnerable to the Log4J vulnerability CVE-2021-44228 & CVE-2021-45046?

 

Components List:

DX Netops Spectrum

DX Netops Portal

DX Netops Performance Management

DX Netops Virtual Network Assurance

DX Netops Network Flow Analysis

DX Netops OI Connector

DX Netops Spectrum Data Publisher (DX OI)

DX Netops Mediation Manager

DX Netops Secure Domain Connector (SDC) with Trap Exploder (TrapX)

CABI Jaspersoft

 

Environment

DX Netops Spectrum

DX Netops Portal / Performance Management

DX Netops VNA

DX Netops NFA

DX Netops Mediation Manager

DX Netops OI Connector

DX Netops Spectrum Data Publisher

CABI Jaspersoft

 

Cause

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Resolution

The DX NetOps 21.2.8 Service Pack provides software updates to remediate the Log4j 2 CVE-2021-44228 Vulnerability; as needed, components of DX NetOps have been upgraded to Log4j 2.17.1. Customers who have DX NetOps 21.2.x installed have the option to upgrade to DX NetOps 21.2.8 or follow manual remediation steps in this KB. Upgrading to DX NetOps 21.2.8 is Broadcom's recommended path to ensure the maximum coverage against the disclosed vulnerabilities and future risk reduction in the shortest amount of time.

Please note that after upgrading to DX NetOps 21.2.8 there still might be manual steps required as described in the KBs listed below for specific affected NetOps products and components.
Always review the notes under the 'Additional Information' section to verify changes that may have been added to any of the KBs for specific affected NetOps products and components.

 

Versions of Log4J Included with DX Netops: Log4J Versions

 

Affected Components:

Spectrum: https://knowledge.broadcom.com/external/article?articleId=230231

Spectrum Data Publisher: https://knowledge.broadcom.com/external/article?articleId=230435

Spectrum SDC/TrapX: https://knowledge.broadcom.com/external/article?articleId=230377

DX NetOps Performance Management DR/DA/DC: https://knowledge.broadcom.com/external/article?articleId=230262

DX OI Connector for NetOps: https://knowledge.broadcom.com/external/article?articleId=230233

 

Unaffected Components:

DX NetOps NetOps Portal (PC / Performance Center)

DX NetOps Data Aggregator Proxy (DAProxy)

DX NetOps Network Flow Analysis (NFA)

DX NetOps Virtual Network Assurance (VNA)

DX NetOps Mediation Manager (MM)

CA Business Intelligence - Jasper Reports Server (CABI)

Additional Information

Running Change Log for all related KB Articles:

Date: 3/17/2022 12:00 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops vulnerable to the Log4J security issue?

Changes: Updated to include 21.2.8 as the current recommendation and not 21.2.6.

 

Date: 2/18/2022 2:00 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops vulnerable to the Log4J security issue?

Changes: Add new KB link to include log4j versions

 

Date: 1/25/2022 2:15 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability? - 230262

Changes: added a line to the versioning section under DA/DC stating no mitigation steps needed for DA / DC with version 21.2.7+

 

Date: 1/6/2022 10:00AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability? - 230262

Changes:

1. Updated title to include CVE-2021-44832
2. Under 'Data Aggregator & Data Collector:' section updated 'Versions Affected:' from 21.2.2+ to 21.2.2-21.2.5
3. Added an additional section under 'Data Aggregator & Data Collector:' to address the JdbcAppender class noted in CVE-2021-44832
4. Notes added to 'Vertica/Kafka:' section:

o These changes apply to vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
o These changes MUST be reapplied after upgrade to 10.1.1-0 (21.2.3+)

5. Additional notes added to the 'Vertica/Management Console:' section:

o These changes apply to vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
o These changes MUST be reapplied after upgrade to 10.1.1-0 (21.2.3+)

6. Under the 'Vertica/Management Console:' / 'Make the changes:' section updated step 7 to include the JdbcAppender
o   zip -q -d WEB-INF/lib/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class

7. Under the 'Vertica/Management Console:' / 'Make the changes:' / 'Verify the changes:' added additional bullet point for the JdbcAppender class entry
o unzip -v /opt/vconsole/temp/webapp/WEB-INF/lib/log4j-core*.jar | grep JdbcAppender
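
The `unzip -v ... | grep` verification above inspects one jar at a time. As an added example (not Broadcom's procedure or code), the Python below reports any JndiLookup or JdbcAppender class entries still present in an archive, including jars nested inside war or zip files; the function names, limits and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Entries that the KB's zip -d step deletes from log4j-core jars.
RISKY = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender",  # prefix
)
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4                   # assumption: bound on archive nesting
MAX_NESTED = 256 * 1024 * 1024  # assumption: skip oversized nested archives


def find_risky_classes(source, label=None, depth=0):
    """Return 'archive!entry' for each risky class left in an archive.

    source is a file path or the raw bytes of a jar/war/zip.
    """
    label = label or str(source)
    stream = io.BytesIO(source) if isinstance(source, bytes) else source
    hits = []
    try:
        zf = zipfile.ZipFile(stream)
    except (zipfile.BadZipFile, OSError):
        return hits  # unreadable or not an archive: nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(RISKY) and name.endswith(".class"):
                hits.append(f"{label}!{name}")
            elif (name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED):
                hits += find_risky_classes(zf.read(info), f"{label}!{name}", depth + 1)
    return sorted(hits)


def make_zip(entries):
    """Build an archive in memory from {entry name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a jar after the class removal, and an untouched jar in a war.
CLEAN_JAR = make_zip({"org/apache/logging/log4j/core/Logger.class": b""})
DIRTY_JAR = make_zip({RISKY[0]: b"", RISKY[1] + "$Builder.class": b""})
SAMPLE_WAR = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": DIRTY_JAR,
                       "WEB-INF/lib/other.jar": CLEAN_JAR})
```

An empty list for a path means either that no matching entries were found or that the file could not be read as an archive, so confirm the path exists before treating the result as clean.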

 

Date: 12/30/2021 9:20 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Added steps about backing up/restoring the $SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/axis2.xml file, related to CAPC integration.

 

Date: 12/30/2021 7:15 AM EST

Which KB Title - ID: CVE-2021-44228: Is DX Netops Spectrum Domain Connector and/or TrapX vulnerable? - 230391

Changes: Updated information about DX Netops 21.2.6 release status

 

Date: 12/29/2021 10:05 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Added info about jndi class found inside $SPECROOT/webtomcat/webswing.zip file

 

Date: 12/29/2021 5:00 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes:

1. Added the steps in Additional Information to remove the JNDILookup.class from the war files.

2. Added link to CVE-2021-45105: Is Spectrum affected? in Additional Information.

3. Updated that Spectrum 21.2.6 is GA

 

Date: 12/27/2021 1:00 PM EST

Which KB Title - ID: CVE-2021-44228: Is DX Netops vulnerable to the Log4J security issue? - 230391

Changes:

1. Added entry to resolution to indicate 21.2.6 will resolve existing vulnerabilities around Log4J issues. 2.17 version released with 21.2.6 GA.

 

Date: 12/17/2021 11:00 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability? - 230262

Changes:

1. Added two new entries to the Notes sections of the DA/DC and Kafka/Vertica areas as well as combined each note under a "Notes" section within each area

2. New notes are:

Data Aggregator & Data Collector:

      • There are no updates for the DC installer that is embedded in the DA installation. When downloading to install a new DC, or upgrading via command line or UI, be sure to apply the DC steps above after installation completes.

Data Repository:

      • For the below commands to run, the database needs to be online. In a Disaster Recovery environment, it is safe to start the database to make the below changes so long as the Data Aggregator remains DOWN.

 

Date: 12/16/2021 12:46 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes:

1. Added steps to verify the vulnerable jars were mitigated successfully and a note that Log4j-core-*.jar is shipped with 21.2.4 onwards in axis2 directory.

2. Added a note about the admin folder in Spectrum 10.4.x releases.

 

Date: 12/15/2021 9:50 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability? - 230262

Changes:

1. Added an additional step in the DA & DC steps to remove the JndiLookup.class

2. Added verification steps for the same 

 

Date: 12/15/2021 5:30 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability? - 230262

Changes:

1. Modification to steps to mitigate CVE-2021-45046

2. Added steps 5 - 8 within the Data Aggregator & Data Collector section

3. Made note that for the new steps, dadaemon and dcmd will need to be restarted

4. Restructured the steps for the Vertica/Management Console steps to include a new process that covers steps for both CVE-2021-44228 & CVE-2021-45046

 

 

Date: 12/15/2021 12:46 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes:

1. Edited step 2 to include removing JNDI class to handle updated CVE from Apache

2. Removed steps no longer required

 

Date: 12/15/2021 12:00 PM EST

Which KB Title - ID: CVE-2021-44228: Is DX Netops vulnerable to the Log4J security issue? - 230391 

Changes: 

1. Restructured content to provide direct links to affected component KB Articles

2. Listed unaffected NetOps components

3. Added Change Log to track update times and content for this KB Article as well as the underlying component products listed in the Resolution section

 

 

Date: 12/16/2021 02:00 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Removed Screenshot that was showing the deletion of incorrect file JavaLookup.class and replaced it with a screenshot showing deletion of correct file JNDILookup.class

 

Date: 12/16/2021 04:30 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: Is the Spectrum Data Publisher vulnerable?  - 230656 

Changes: Archived KB article as per instructions from L2, as it was a duplicate of 230435.

 

Date: 12/16/2021 04:30 AM EST

Which KB Title - ID: CVE-2021-44228: Is DX Netops vulnerable to the Log4J security issue? - 230391 

Changes:  Changed link from archive article to article 230435.

 

Date: 12/16/2021 09:00 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum Data Publisher log4j vulnerability - 230435

Changes:  Changed title to include & CVE-2021-45046.

 

Date: 12/21/2021 4:30 PM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Moved CAPKI reference to Additional Information. Added that Spectrum 21.2.6 will contain log4j 2.17.0, which addresses these vulnerabilities.

 

Date: 12/21/2021 4:30 PM EST

Which KB Title - ID: CVE-2021-44228: Is DX Netops Spectrum Domain Connector and/or TrapX vulnerable? - 230277

Changes: Added that Spectrum 21.2.6 will contain log4j 2.17.0, which addresses these vulnerabilities.

 

Date: 12/29/2021 3:30 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Added under Additional Information steps from SE to remove JNDILookup.class from war files.

 

Date: 12/29/2021 3:45 AM EST

Which KB Title - ID: CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability - 230231

Changes: Added under Additional Information link to CVE-2021-45105 Is Spectrum Vulnerable?