Autosys EEM Vulnerabilities - log4j-1.x classes



Article ID: 233746


Updated On:

Products

Autosys Workload Automation

Issue/Introduction

Infrastructure vulnerability scanners flag some log4j 1.x classes that should be removed from the product libraries (jars) if the product does not use them.

Log4j Version 1.x

CVE-2017-5645, CVE-2019-17571

  • Remove SocketServer.class and SocketAppender.class from your jar files
  • Ensure you do not run a log4j SocketServer, and your log4j configuration does not use a SocketAppender

CVE-2020-9488

  • Remove SMTPAppender.class and SMTPAppender$1.class files from your jar files
  • Ensure your log4j configuration does not use an SMTPAppender

CVE-2021-4104, CVE-2021-44228

  • Remove JMSAppender.class from your jar files
  • Ensure your log4j configuration does not use JMSAppender

Environment

Release : 12.0.01

Component : WA AE/AUTOSYS RELATED Embedded Entitlement Manager

Resolution

Broadcom's engineering team confirmed that these classes are not used by the product, so the product is not affected by any of the aforementioned CVEs. The procedure below removes these classes from all EEM-related jar files in the Autosys environments.

For the EEM bundled with Autosys R12.0.01, the affected classes can be safely removed from the EEM libraries (jars).

The instructions are as follows:

- Stop all the services.

- Take a backup of the product install directory (/opt/CA/).

- Run the following commands to remove the classes (SocketServer.class, JMSAppender.class, SMTPAppender.class, SMTPAppender$1.class) from the jar files.

EEM Server - To be executed on EEM server(s) -

    zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/bin/eiam-clustersetup.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/bin/safeauditimport.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender\$1.class org/apache/log4j/net/SMTPAppender.class org/apache/log4j/net/SocketServer.class
    zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/lib/jars/log4j-1.2.5.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender.class org/apache/log4j/net/SocketServer.class
    zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/lib/jars/eiam-log4j-1.2.15.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/uninstall/uninstaller.jar com/ca/eiam/log4j/net/SocketServer.class

Autosys(EEM SDK) - To be executed on all the Autosys servers and the webservers(AEWS) -

    zip -q -d /opt/CA/WorkloadAutomationAE/autosys/install/JARS/Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/WorkloadAutomationAE/autosys/install/webserver/AEWS/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/WorkloadAutomationAE/autouser.PRD/webserver/webapps/AEWS/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class

WebUI(EEM SDK) - To be executed on WebUI (aka WCC) server - 

    zip -q -d /opt/CA/WorkloadAutomationAE/wcc/tomcat/webapps/asi/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/WorkloadAutomationAE/wcc/tomcat/lib/eem-safex-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
    zip -q -d /opt/CA/WorkloadAutomationAE/wcc/bin/lib/eem-safex.jar com/ca/eiam/log4j/net/SocketServer.class

Run the procedure in lower environments before applying it to critical production servers.
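The zip commands above remove entries but give no confirmation of what was there before or what is left afterwards. The following Python script is an added example, not part of this Broadcom article or of the product: it audits a directory tree of jars for the class names listed in the CVE notes under both package prefixes seen in the commands above (org/apache/log4j/net/ and com/ca/eiam/log4j/net/), strips them the same way `zip -d` does while keeping a backup copy, and re-audits so the post-change state is recorded. The sample jar, the `.bak` backup naming and the `demo` helper are constructed assumptions for illustration.

```python
"""Audit jars for the log4j 1.x network appender classes named in this article
and strip them like `zip -d` does, keeping a backup. Added example, not product code."""
import os
import shutil
import tempfile
import zipfile

# Class names from the CVE notes in this article. Both package prefixes appear
# in the zip commands above: the stock log4j package and CA's relocated copy.
TARGET_CLASSES = (
    "SocketServer.class",
    "SocketAppender.class",
    "SMTPAppender.class",
    "SMTPAppender$1.class",
    "JMSAppender.class",
)
PACKAGE_PREFIXES = ("org/apache/log4j/net/", "com/ca/eiam/log4j/net/")
TARGET_ENTRIES = frozenset(p + c for p in PACKAGE_PREFIXES for c in TARGET_CLASSES)


def find_target_entries(jar_path):
    """Return the sorted target entries still present in one jar (empty list if clean)."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(name for name in jar.namelist() if name in TARGET_ENTRIES)


def audit_tree(root):
    """Walk a directory tree; map each jar that still holds a target class to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                hits = find_target_entries(path)
                if hits:
                    findings[path] = hits
    return findings


def strip_target_entries(jar_path):
    """Rewrite the jar without the target entries (equivalent to `zip -d`).

    A copy is kept as <jar>.bak first (assumed naming); the new archive is
    written to a temp file and moved into place. Returns the removed entries.
    """
    removed = find_target_entries(jar_path)
    if not removed:
        return []
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in TARGET_ENTRIES:
                continue
            # writestr with a ZipInfo keeps each entry's own compression method
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def build_sample_jar(path):
    """Constructed sample jar: a manifest, one unrelated class, two target classes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; the bytes do not matter here
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", stub)
        jar.writestr("org/apache/log4j/net/JMSAppender.class", stub)
        jar.writestr("com/ca/eiam/log4j/net/SocketServer.class", stub)
    return path


def demo():
    """Audit -> strip -> re-audit on the constructed jar; returns what each step saw."""
    with tempfile.TemporaryDirectory() as root:
        jar = build_sample_jar(os.path.join(root, "lib", "jars", "sample.jar"))
        before = audit_tree(root)
        removed = strip_target_entries(jar)
        after = audit_tree(root)
        with zipfile.ZipFile(jar) as cleaned:
            remaining = sorted(cleaned.namelist())
        backup_exists = os.path.exists(jar + ".bak")
    return {
        "before": {os.path.relpath(p, root): h for p, h in before.items()},
        "removed": removed,
        "after": after,
        "remaining": remaining,
        "backup_exists": backup_exists,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real install, `audit_tree("/opt/CA")` run before and after the zip commands gives a record of which jars still carry the classes; the `.bak` files are the rollback if a jar needs to be restored.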

Additional Information

https://knowledge.broadcom.com/external/article/230309/cve202144228-log4j-vulnerability-and-au.html