Scan detected log4j-1.2.17.jar vulnerability post progressive upgrade from versions 9.8 to 9.10.1
Article ID: 258959

Products

VIP Service

Issue/Introduction

Customer's production environment:

The customer performed a progressive upgrade of VIP Enterprise Gateway (VIP EG) from 9.8 through 9.9 and 9.10 to 9.10.1 in order to remediate the Log4j vulnerability. Their security team then scanned the system and still reported a "log4j-1.2.17.jar" finding, traced to the wrapper.conf file (located in <vipeg>\server\bin), even after the upgrade to 9.10.1. The scanner reported the following (redacted). Note that the detection is based on the command line of the running Java process, not on a jar found on disk:

Windows Process Found : '"C:\Program Files\Symantec\VIP Enterprise Gateway\jvm\bin\java" -DVRSN_MAUTH_HOME="C:\Program Files\Symantec\VIP Enterprise Gateway" -DLOG_FILE="C:\Program Files\Symantec\VIP Enterprise Gateway\logs\startup.log" -classpath "..\bin\wrapper.jar;bootstrap.jar;..\ext\commons-logging-1.1.3.jar;..\ext\log4j-1.2.17.jar" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperSimpleApp com.verisign.mauth.startup.VIPEGBootstrap'.



Support's test environment:

In the test lab, two environments (separate machines) were set up to compare their respective wrapper.conf files.

  • On machine 1, the customer's scenario was replicated: VIP EG 9.8 was installed and then progressively upgraded to 9.9, 9.10 and finally 9.10.1. The resulting 9.10.1 wrapper.conf (matching the customer's file) contains the snippet below. The 9.8 classpath block was carried forward unchanged through every upgrade. Note the duplicated indexes 3 and 4: the later ..\ext entries are the ones that appear on the Java command line captured by the scanner above, while the %ORACLE_HOME% entries are superseded.
# Java Classpath (include wrapper.jar)  Add class path elements as
#  needed starting from 1
#  wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar is added by installer.
#  wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar is added by installer.
wrapper.java.classpath.1=..\bin\wrapper.jar
wrapper.java.classpath.2=bootstrap.jar
wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar
wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar
wrapper.java.classpath.3=..\ext\commons-logging-1.1.3.jar
wrapper.java.classpath.4=..\ext\log4j-1.2.17.jar
 
# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=..\bin
wrapper.java.library.path.2=..\..\Validation\lib
wrapper.java.library.path.3=%ORACLE_HOME%

  • On machine 2, VIP EG 9.10 was installed fresh and then upgraded to 9.10.1. The 9.10.1 wrapper.conf contains the snippet below. The classpath references the Log4j 2.17.1 jars; log4j-1.2-api-2.17.1.jar is the Log4j 2 compatibility API for the 1.2 interfaces, not a Log4j 1.x library, although its name can also be mistaken by scanners that match on "log4j-1.2":

# Java Classpath (include wrapper.jar) Add class path elements as
#  needed starting from 1
#  wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar is added by installer.
#  wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar is added by installer.
wrapper.java.classpath.1=..\bin\wrapper.jar
wrapper.java.classpath.2=bootstrap.jar
wrapper.java.classpath.3=..\ext\commons-logging-1.2.jar
wrapper.java.classpath.4=..\ext\log4j-1.2-api-2.17.1.jar
wrapper.java.classpath.5=..\ext\log4j-api-2.17.1.jar
wrapper.java.classpath.6=..\ext\log4j-core-2.17.1.jar
 
# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=..\bin
wrapper.java.library.path.2=..\..\Validation\lib

  • A search on both machines for the physical file log4j-1.2.17.jar confirmed that it does not exist on either.

 

Environment

Release : Enterprise Gateway - 9.10.1

Resolution

Certain VIP EG files may trigger false-positive Log4j vulnerability results because wrapper.conf still carries an unused classpath reference, left over from the earlier version, to a non-existent "\ext\log4j-1.2.17.jar". The scanner matches the jar name on the Java command line; the jar itself is not present on disk.

Apply the steps below (tested on version 9.10.1). Test in a lower environment first. Before editing the classpath, confirm that the four replacement jars (commons-logging-1.2.jar, log4j-1.2-api-2.17.1.jar, log4j-api-2.17.1.jar, log4j-core-2.17.1.jar) are actually present in <vipeg>\server\ext; pointing the classpath at jars that are missing will prevent the service from starting.

  1. Stop all of your VIP EG services.

  2. Make a backup copy of your wrapper.conf file (\server\bin folder) under a different name and store it in a location that the vulnerability scanner does not cover; a copy left in place would reproduce the same finding.

  3. In the working wrapper.conf file (\server\bin folder), replace the following existing entries:
# Java Classpath (include wrapper.jar)  Add class path elements as
#  needed starting from 1
#  wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar is added by installer.
#  wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar is added by installer.
wrapper.java.classpath.1=..\bin\wrapper.jar
wrapper.java.classpath.2=bootstrap.jar
wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar
wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar
wrapper.java.classpath.3=..\ext\commons-logging-1.1.3.jar
wrapper.java.classpath.4=..\ext\log4j-1.2.17.jar

# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=..\bin
wrapper.java.library.path.2=..\..\Validation\lib
wrapper.java.library.path.3=%ORACLE_HOME%
 

with these:

# Java Classpath (include wrapper.jar)  Add class path elements as
#  needed starting from 1
#  wrapper.java.classpath.3=%ORACLE_HOME%\ojdbc14.jar is added by installer.
#  wrapper.java.classpath.4=%ORACLE_HOME%\lib\ojdbc14.jar is added by installer.
wrapper.java.classpath.1=..\bin\wrapper.jar
wrapper.java.classpath.2=bootstrap.jar
wrapper.java.classpath.3=..\ext\commons-logging-1.2.jar
wrapper.java.classpath.4=..\ext\log4j-1.2-api-2.17.1.jar
wrapper.java.classpath.5=..\ext\log4j-api-2.17.1.jar
wrapper.java.classpath.6=..\ext\log4j-core-2.17.1.jar
 
# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=..\bin
wrapper.java.library.path.2=..\..\Validation\lib
 

  4. Restart all VIP EG services.

  5. Test that VIP EG works normally (check <vipeg>\logs\startup.log for classpath or ClassNotFound errors).

  6. Re-run the vulnerability scan.
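The following script is an added example (not Broadcom/Symantec code) that automates the check behind the procedure above: it parses the wrapper.java.classpath.N keys from a wrapper.conf, resolves duplicate indexes the way the captured command line shows the wrapper resolves them (the later definition wins, which is why the ORACLE_HOME entries never appear on the command line), and reports classpath entries that reference jars missing from \ext or any Log4j 1.x jar, then renumbers the classpath to the corrected entries. The sample configuration and the set of jars assumed to be present under \ext are constructed for the example; point the functions at your own file and directory listing.

```python
"""Audit a Java Service Wrapper wrapper.conf for stale classpath entries.

Added example, not part of VIP EG. Checks the wrapper.java.classpath.N keys for
(a) duplicate indexes, where a later definition silently overrides an earlier one,
and (b) jars referenced on the classpath that do not exist under \\server\\ext, then
rewrites the classpath block with corrected, consecutively numbered entries.
"""
import re
from pathlib import PureWindowsPath

# Matches an active (non-comment) classpath key; '#' lines never match because
# the pattern must start with 'wrapper.' after optional whitespace.
CLASSPATH_KEY = re.compile(r"^\s*wrapper\.java\.classpath\.(\d+)\s*=\s*(.+?)\s*$")

# Constructed sample: the 9.8-era block carried forward through the upgrades
# (duplicate indexes 3 and 4, trailing log4j 1.2.17 reference).
STALE_CONF = """\
# Java Classpath (include wrapper.jar)  Add class path elements as
#  needed starting from 1
wrapper.java.classpath.1=..\\bin\\wrapper.jar
wrapper.java.classpath.2=bootstrap.jar
wrapper.java.classpath.3=%ORACLE_HOME%\\ojdbc14.jar
wrapper.java.classpath.4=%ORACLE_HOME%\\lib\\ojdbc14.jar
wrapper.java.classpath.3=..\\ext\\commons-logging-1.1.3.jar
wrapper.java.classpath.4=..\\ext\\log4j-1.2.17.jar
"""

# Constructed sample (assumption): jar names present under <vipeg>\server\ext
# after the 9.10.1 upgrade. Replace with a real listing of your \ext folder.
PRESENT_JARS = {
    "commons-logging-1.2.jar",
    "log4j-1.2-api-2.17.1.jar",
    "log4j-api-2.17.1.jar",
    "log4j-core-2.17.1.jar",
}

# Corrected entries from the Resolution section.
FIXED_ENTRIES = [
    "..\\bin\\wrapper.jar",
    "bootstrap.jar",
    "..\\ext\\commons-logging-1.2.jar",
    "..\\ext\\log4j-1.2-api-2.17.1.jar",
    "..\\ext\\log4j-api-2.17.1.jar",
    "..\\ext\\log4j-core-2.17.1.jar",
]


def parse_classpath(conf_text):
    """Return [(index, value)] for every active classpath key, in file order."""
    entries = []
    for line in conf_text.splitlines():
        m = CLASSPATH_KEY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def effective_classpath(entries):
    """Resolve duplicate indexes with last-definition-wins, ordered by index.

    Assumption drawn from the scanned command line on this page: the later
    ..\\ext entries replaced the earlier %ORACLE_HOME% entries for indexes 3/4.
    """
    resolved = {}
    for idx, value in entries:
        resolved[idx] = value
    return [resolved[i] for i in sorted(resolved)]


def audit(conf_text, present_jars):
    """Return human-readable findings: duplicate indexes, missing jars, Log4j 1.x refs."""
    findings = []
    entries = parse_classpath(conf_text)
    seen = {}
    for idx, value in entries:
        if idx in seen:
            findings.append(f"duplicate index {idx}: '{seen[idx]}' overridden by '{value}'")
        seen[idx] = value
    for value in effective_classpath(entries):
        name = PureWindowsPath(value).name
        if value.startswith("..\\ext\\") and name not in present_jars:
            findings.append(f"missing on disk: {value}")
        # Log4j 1.x artifacts are named log4j-1.2.<patch>.jar; the Log4j 2 bridge
        # log4j-1.2-api-<ver>.jar deliberately does not match this pattern.
        if re.match(r"log4j-1\.2\.\d+\.jar$", name):
            findings.append(f"log4j 1.x reference: {value}")
    return findings


def rewrite_classpath(conf_text, new_entries):
    """Replace all classpath keys with new_entries numbered from 1; keep other lines."""
    out, inserted = [], False
    for line in conf_text.splitlines():
        if CLASSPATH_KEY.match(line):
            if not inserted:
                out.extend(f"wrapper.java.classpath.{i}={v}" for i, v in enumerate(new_entries, 1))
                inserted = True
            continue  # drop every old classpath line, including the duplicates
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(STALE_CONF, PRESENT_JARS):
        print("FINDING:", f)
    fixed = rewrite_classpath(STALE_CONF, FIXED_ENTRIES)
    print(fixed)
    print("after rewrite:", audit(fixed, PRESENT_JARS) or "clean")
```

Run the audit on a copy of wrapper.conf before the change to confirm the stale references are the only findings, and again on the rewritten file: a clean result means every classpath entry under \ext exists on disk and no Log4j 1.x name remains for the scanner to match on the command line.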