CVE-2021-44228: In Apache Log4j versions >=2.0-beta9 and <=2.14.1, JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Additionally, CVE-2021-45046 was reported to affect Log4j version 2.15 because the original fix for CVE-2021-44228, which was included in 2.15, only partially resolves the issue. Version 2.16 was released as a result.
A third vulnerability, CVE-2021-45105, was reported to affect Log4j2 versions through 2.16.0. It allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
Although log4j is not externalized under UIM CABI and is therefore not considered vulnerable, many customers have asked about upgrading the log4j version shipped with CABI as a proactive measure.
This article provides specific instructions for manually upgrading the log4j libraries for the CABI installation under UIM.
Note: this applies to internal/bundled installations using the "cabi" probe only. The "cabi_external" probe is bundled with JRS 7.11 and uses log4j 1.x so it is not vulnerable and does not require any action.
The main steps for overall UIM remediation for this vulnerability can be found in KB230333.
The following steps may be followed for any supported version of UIM/CABI:
Delete the following jar files from the library folder '\cabijs\WEB-INF\lib' (it is recommended to back up the libraries before deleting them):
3. Add the following files to the library folder from the zip file below:
Download the jars from: https://www.apache.org/dyn/
4. Start the wasp probe
Note: the CABI setup files located at /Nimsoft/c/buildomatic/... may also be flagged by security scans for log4j.
These files are not in use by any process and therefore NOT considered vulnerable.
However, in order to avoid triggering security scans, we recommend replacing any log4j .jar files found in this location with the equivalent 2.17.1 jars as given above.
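To confirm that the library folder (and the buildomatic location mentioned above) no longer contains log4j jars older than 2.17.1, the following script inventories log4j jars under a directory and flags any below that target. It is an added example, not part of the KB article or the UIM product; it assumes the standard log4j-<module>-<version>.jar file naming and a GNU sort that supports -V.

```shell
#!/bin/sh
# Added example (not from the KB article): inventory log4j jars under a
# library folder and flag any whose version is below the 2.17.1 target the
# article recommends. Assumes the standard log4j-<module>-<version>.jar naming.

TARGET_VERSION="2.17.1"

# Extract the version from a log4j 2.x jar file name,
# e.g. log4j-core-2.14.1.jar -> 2.14.1, log4j-1.2-api-2.17.1.jar -> 2.17.1
# Prints nothing for names that do not follow the log4j-<module>-<version> pattern
# (for example the log4j 1.x "log4j-1.2.17.jar" layout, which the article says
# is not affected but is reported as UNKNOWN here so it can be reviewed manually).
log4j_version_from_name() {
    basename "$1" .jar | sed -n 's/^log4j-[a-z0-9.-]*-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 (true) when version $1 is strictly older than version $2 (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "<path> <version> <status>" for every log4j jar below the given directory.
# Status is OUTDATED when the version is below TARGET_VERSION, OK when it is
# at or above it, and UNKNOWN when no version could be parsed from the name.
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-*.jar' | sort | while read -r jar; do
        ver=$(log4j_version_from_name "$jar")
        if [ -z "$ver" ]; then
            echo "$jar - UNKNOWN"
        elif version_lt "$ver" "$TARGET_VERSION"; then
            echo "$jar $ver OUTDATED"
        else
            echo "$jar $ver OK"
        fi
    done
}

# Number of jars flagged OUTDATED; non-zero means the folder still needs the upgrade.
count_outdated() {
    scan_log4j_jars "$1" | grep -c ' OUTDATED$'
}
```

Run `scan_log4j_jars /path/to/cabijs/WEB-INF/lib` after the upgrade; every line should read OK, and any UNKNOWN entry should be checked by hand.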