PM vulnerabilities CVE-2021-4104, CVE-2020-9488, CVE-2019-17571

Article ID: 231288

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

My Performance Management servers DA/DC are exposed to the log4j vulnerabilities CVE-2021-4104, CVE-2020-9488, CVE-2019-17571. Please, how can we resolve it?

Log4j – Apache Log4j Security Vulnerabilities

Our security team provided scans that reported a vulnerability on the DR DB cluster. How can we remediate this? How is it resolved?

Location Path: /opt/vertica/packages/kafka/lib/log4j-core-2.12.4.jar
Detailed Name: org.apache.logging.log4j:log4j-core
CVE: CVE-2020-9488

Environment

All supported DX NetOps Performance Management releases

Resolution

CVE-2021-4104, CVE-2020-9488 and CVE-2019-17571 affect only Log4j 1.2 and do not impact the Log4j 2.x branch.

DX NetOps PM doesn't use JMSAppender, SocketServer, or SMTPAppender in DA/DC/NetOps Portal, so it is not vulnerable.

However, to be on the safe side, the following remediation steps remove the affected classes from the jar file, should you want to do so.

  • On DA and/or DC systems run the following:
    • $ zip -q -d <DA/DC installdir>/broker/apache-activemq-5.*/lib/optional/log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender*.class
  • On the Portal web server host run the following:
    • $ zip -q -d <PC installdir>/PerformanceCenter/jetty/lib/ext/log4j-1.2.*.jar org/apache/log4j/net/SocketServer.class org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender*.class

Run this command to confirm that SocketServer.class, JMSAppender.class, and SMTPAppender*.class were removed from the log4j jar file:

  • for i in $(find . 2>/dev/null | grep log4j | grep .jar); do echo $i; unzip -l $i 2>/dev/null | grep 'SocketServer.class\|JMSAppender.class\|SMTPAppender*.class'; done

These steps apply to:

  • PM 21.2.1 and older DA/DC karaf installs. PM DA/DC 21.2.2+ uses log4j2, which is not vulnerable to CVE-2021-4104.
  • All DA/DC prior to 21.2.9, because ActiveMQ still uses log4j 1.2.17.
  • All NetOps Portals prior to 21.2.8, because the Portal still uses log4j 1.2.17.

Data Repository versions from Performance Management releases 21.2.12 and earlier are impacted by this Low severity vulnerability. These are systems using Vertica versions 10.1.1-0 and earlier. To remediate this for Data Repository Vertica clusters:

Additional Information

When you get a message like the one below, it means that the mitigation to remove SocketServer.class, JMSAppender.class, and SMTPAppender*.class was already performed:

zip error: Nothing to do! (/opt/IMDataAggregator/broker/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar)

You can confirm whether SocketServer.class, JMSAppender.class, and SMTPAppender*.class were already removed by running the command line below.

In the first example, SocketServer.class, JMSAppender.class, and SMTPAppender*.class are still in the log4j-1.2.17.jar file, so the mitigation has not yet been performed:

# for i in $(find . 2>/dev/null | grep log4j | grep .jar); do echo $i; unzip -l $i 2>/dev/null | grep 'SocketServer.class\|JMSAppender.class\|SMTPAppender*.class'; done
./broker/apache-activemq-5.16.2/lib/optional/slf4j-log4j12-1.7.30.jar
./broker/apache-activemq-5.16.2/lib/optional/log4j-1.2.17.jar
     8047  05-06-2012 13:00   org/apache/log4j/net/JMSAppender.class
    14198  05-06-2012 13:00   org/apache/log4j/net/SMTPAppender.class
     3598  05-06-2012 13:00   org/apache/log4j/net/SimpleSocketServer.class
     5788  05-06-2012 13:00   org/apache/log4j/net/SocketServer.class
./broker/apache-activemq-5.16.2/lib/optional/activemq-log4j-appender-5.16.2.jar
./broker/apache-activemq-5.16.2/lib/optional/insight-log4j-1.2.0.Beta4.jar
./apache-karaf-4.3.3/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.13/pax-logging-log4j2-2.0.13.jar

In the second example, the mitigation has already been performed: only SimpleSocketServer.class, which the mitigation does not remove, remains in log4j-1.2.17.jar. The *SocketServer.class entries under pax-logging-log4j2 belong to Log4j 2.x, which is not impacted:

# for i in $(find . 2>/dev/null | grep log4j | grep .jar); do echo $i; unzip -l $i 2>/dev/null | grep 'SocketServer.class\|JMSAppender.class\|SMTPAppender*.class'; done
./broker/apache-activemq-5.16.2/lib/optional/slf4j-log4j12-1.7.30.jar
./broker/apache-activemq-5.16.2/lib/optional/activemq-log4j-appender-5.16.2.jar
./broker/apache-activemq-5.16.2/lib/optional/insight-log4j-1.2.0.Beta4.jar
./broker/apache-activemq-5.16.2/lib/optional/log4j-1.2.17.jar
     3598  05-06-2012 13:00   org/apache/log4j/net/SimpleSocketServer.class
./backup/apache-karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar
     3442  04-02-2017 13:24   org/apache/logging/log4j/core/net/server/AbstractSocketServer.class
     1538  04-02-2017 13:24   org/apache/logging/log4j/core/net/server/SecureTcpSocketServer.class
     9310  04-02-2017 13:24   org/apache/logging/log4j/core/net/server/TcpSocketServer.class
     6156  04-02-2017 13:24   org/apache/logging/log4j/core/net/server/UdpSocketServer.class
./apache-karaf-4.3.3/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.13/pax-logging-log4j2-2.0.13.jar

If the mitigation was done, you will not see the SocketServer.class, JMSAppender.class, or SMTPAppender*.class in the outputs above.
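As an added example (not part of this article or of the product), the same check and removal implemented with Python's standard zipfile module, so it runs on any host with Python and no zip/unzip binaries: vulnerable_entries lists the targeted classes left in a jar, strip_entries does what the zip -d step does, scan_tree walks a directory like the find loop above, and build_sample_jar creates a constructed stand-in for log4j-1.2.17.jar to exercise them. The target-class list mirrors the article's zip command; the SMTPAppender$1.class entry in the sample is constructed to exercise the wildcard, not a claim about the real jar.

```python
import re, tempfile, zipfile
from pathlib import Path

# Entries the article's `zip -q -d` step removes (assumed list; the page's glob
# SMTPAppender*.class is expressed here as a regex).
TARGETED = re.compile(
    r"^org/apache/log4j/net/(SocketServer|JMSAppender|SMTPAppender[^/]*)\.class$")

def vulnerable_entries(jar_path):
    """Targeted entries still present in the jar; an empty list means mitigated."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if TARGETED.match(n))

def strip_entries(jar_path):
    """Rewrite the jar without targeted entries (what zip -d does); 0 == "Nothing to do!"."""
    src = Path(jar_path)
    to_drop = set(vulnerable_entries(src))
    if not to_drop:
        return 0
    tmp = src.with_suffix(".tmp")
    with zipfile.ZipFile(src) as old, zipfile.ZipFile(tmp, "w") as new:
        for info in old.infolist():
            if info.filename not in to_drop:
                new.writestr(info, old.read(info.filename))
    tmp.replace(src)  # swap in only after the new jar is fully written
    return len(to_drop)

def scan_tree(root):
    """Like the page's find / unzip -l loop: each log4j jar and its leftovers."""
    return {p.name: vulnerable_entries(p) for p in Path(root).rglob("*log4j*.jar")}

def build_sample_jar(directory):
    """Constructed stand-in for log4j-1.2.17.jar (empty entries, not real bytecode)."""
    jar = Path(directory) / "log4j-1.2.17.jar"
    with zipfile.ZipFile(jar, "w") as z:
        for name in ("JMSAppender", "SMTPAppender", "SMTPAppender$1",
                     "SimpleSocketServer", "SocketServer"):
            z.writestr(f"org/apache/log4j/net/{name}.class", b"")
        z.writestr("org/apache/log4j/Logger.class", b"")  # bystander, must survive
    return jar

def demo():
    """Verify, strip, re-verify on the constructed jar; returns the evidence."""
    with tempfile.TemporaryDirectory() as d:
        jar = build_sample_jar(d)
        before = vulnerable_entries(jar)
        removed = strip_entries(jar)
        with zipfile.ZipFile(jar) as z:
            left = sorted(z.namelist())
        return before, removed, scan_tree(d), left, strip_entries(jar)
```

Point scan_tree at a DA/DC or Portal install directory to get, per log4j jar, the list of targeted classes that are still present; an empty list for every jar is the mitigated state shown in the second example above.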