CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability
search cancel

CVE-2021-44228 & CVE-2021-45046: DX Netops Spectrum log4j vulnerability

book

Article ID: 230231

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

LAST UPDATE: 1/12/2022 12:35 AM EST

Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

The fixes included here also address concerns in CVE-2021-45046.

Environment

Release : 10.4.x, 20.2.x, 21.2.x

Component: SPCOCK - Spectrum OneClick

Cause

DX NetOps Spectrum is vulnerable to this CVE due to the versions of log4j shipped.

Resolution

Broadcom is suggesting that all customers upgrade to DX Netops Spectrum 21.2.8 which includes Log4J 2.17.1.  Older versions will not be patched.  The workarounds can still be followed to clear the issues, however upgrading is recommended.

DX Netops Spectrum SpectroSERVER only installations are not vulnerable.


On all OneClick Servers make the following changes:


1. Update the CA-NIM Component

- Change Directory to $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/config/

     cd $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/config/

- Edit the log4j2.xml file and add  {nolookups} to the <pattern>:

                <Appenders>
                              <RollingFile name="LOGFILE" fileName="${File}/Nim.log" filePattern="${File}/Nim.log.%i">
                                             <PatternLayout>
                                                            <pattern>[%d{dd/MM/yy HH:mm:ss:SSS z}] [%t] %5p %c{2}: %m{nolookups}%n</pattern>
                                                            <charset>UTF-8</charset>
                                             </PatternLayout>
                                             <Policies>
                                                            <SizeBasedTriggeringPolicy  size="10 MB"/>
                                             </Policies>
                                             <DefaultRolloverStrategy max="50"/>
                              </RollingFile>
               </Appenders>


CA NIM: https://knowledge.broadcom.com/external/article?articleId=230345


2. Update the jar files:

 
Remove JNDILookup.class from the log4j-core.2.x.jar files.

Remove the JndiLookup class from log4j-core.2.x.x.jar as it is not needed.

 

Linux:

- Stop the Spectrum Tomcat service and Webtomcat service.

cd $SPECROOT/tomcat/bin

./stopTomcat.sh

cd $SPECROOT/webtomcat/bin

./stopWebTomcat.sh

 

- Remove the JndiLookup class from the following jar files (Note - do not remove the files):

$SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/lib/log4j-core-*.jar

$SPECROOT/tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar (It is available from axis2-1.8. version which is shipped with Spectrum 21.2.4 onwards)

$SPECROOT/webtomcat/webapps/admin/WEB-INF/lib/log4j-core-*.jar (The admin directory does not exist in Spectrum 10.4.x releases)

$SPECROOT/webtomcat/webapps/spectrum/WEB-INF/lib/log4j-core-*.jar

 

Run the following command against each jar file listed above (go in each lib directory) to remove the JndiLookup.class:

$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

- You can verify that the vulnerable jars were mitigated successfully by running the grep command line below:

$ grep -R 'JndiLookup.class'

If no file is displayed in the grep command line, then the JndiLookup.class does not exist in any file of the current directory.

Another examples of grep syntaxes:

$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/webtomcat/webapps/admin/WEB-INF/lib/log4j-core-*.jar
$ grep -R 'JndiLookup.class' $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/lib/log4j-core-*.jar

You will get the following message if you run the following syntax in Spectrum release below 21.2.4 (because the log4j-core-*.jar in axis2 folder is shipped in Spectrum 21.2.4 onwards):

$ grep -R 'JndiLookup.class' $SPECROOT/tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar
grep: /usr/Spectrum//tomcat/webapps/axis2/WEB-INF/lib/log4j-core-*.jar: No such file or directory

- Start the Spectrum Tomcat service and Webtomcat service.

cd $SPECROOT/tomcat/bin

./startTomcat.sh

cd $SPECROOT/webtomcat/bin

./startWebTomcat.sh

 

Windows:

These steps need to be done for each of the following JAR files:

 

$SPECROOT\tomcat\webapps\ca-nim-sm\WEB-INF\lib\log4j-core-*.jar

$SPECROOT\tomcat\webapps\axis2\WEB-INF\lib\log4j-core-*.jar (It is available from axis2-1.8. version which is shipped with Spectrum 21.2.4 onwards)

$SPECROOT\webtomcat\webapps\admin\WEB-INF\lib\log4j-core-*.jar (The admin directory does not exist in Spectrum 10.4.x releases)

$SPECROOT\webtomcat\webapps\spectrum\WEB-INF\lib\log4j-core-*.jar

 

Rename the above .jar files to .zip

Double-click the zip file to navigate into it. 

Go to the org/apache/logging/log4j/core/lookup/ folder and locate and delete JNDILookup.class.

Once the file has been deleted, rename .zip back to .jar.

Restart the Tomcat Service


Example using 7-ZIP (7z) to remove the JndiLookup.class file from a jar

Note: It is possible other compression/archiver utilities may also be used to open the jar files


Right Click on the log4j-core-2.x.xx.x.jar file 
Select: 7-Zip ~~> Open Archive



Navigate to: org\apache\logging\log4j\core\lookup\
Select: JndiLookup.class
Right Click ~~> Delete



3. Update Webtomcat (in Spectrum 10.4.1 onwards)


Linux & Windows


- Change Directory to $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/classes/

     cd $SPECROOT/webtomcat/webapps/spectrum/WEB-INF/classes/

- Edit the log4j2.xml file and add  {nolookups} to EACH of the <PatternLayout> sections

     <RollingFile name="R" fileName="${sys:webswing.logsDir:-logs/}webswing.log" filePattern="${sys:webswing.logsDir:-logs/}webswing.log.%i">
                  <PatternLayout pattern="%d %-5p [%t] (%F:%L) %m{nolookups}%n" />
                  <Policies>
                                <OnStartupTriggeringPolicy />
                                <SizeBasedTriggeringPolicy size="100 MB"/>
                  </Policies>
                  <DefaultRolloverStrategy max="5" />
     </RollingFile>

     Note: There are 4 <PatternLayout> sections (the first commented out), update EACH of these with the {nolookups} option


screenshot

 

NOTE: DX NetOps 21.2.6 is shipped with log4j 2.17.0 which addresses these vulnerabilities.

https://support.broadcom.com/external/content/release-announcements/General-Availability-Announcement-for-DX-NetOps-21.2.6/19969

Reference https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/

Additional Information

Secure Domain Connector Details here:

https://knowledge.broadcom.com/external/article?articleId=230377

Spectrum includes CAPKI, is that vulnerable?

https://knowledge.broadcom.com/external/article?articleId=230417

CVE-2021-45105: Is Spectrum affected?

https://knowledge.broadcom.com/external/article?articleId=231146

 

Some customers reported that their scan tools showing the log4j present in war files were also an issue.

Please see the below steps to remove the JNDILookup class from war files.

OBS: Below files at given locations also contains a jndiLookup class file inside it.

$SPECROOT/webtomcat/webswing.zip

$SPECROOT/webtomcat/webswing/spectrum.war

$SPECROOT/webtomcat/webswing/admin/admin.war   (admin.war is not present in 10.4.x releases)

 

Above files can be safely deleted, since it's used only during the Spectrum installation process, when it's unzipped to create the webswing directory and configurations.

 

Linux:

Stop spectrum tomcat and webtomcat services

Take a backup of the following file and keep it outside of the spectrum directory structure:

$SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/axis2.xml


Identify the .war files which are having log4j-core-*.jar.

$Specroot/tomcat/webapps/axis2.war (Effected from 21.2.4 onwards, old version having log4-1.x.jar)
$Specroot/tomcat/webapps/ca-nim-sm.war 
$Specroot/webtomcat/webapps/admin.war (Admin.war is not exist in spectrum 10.4.x releases)
$Specroot/webtomcat/webapps/spectrum.war

create temporary directory
mkdir /tmp/log4j

copy the war files to temporary directory (taking example of spectrum.war)
cp $Specroot/webtomcat/webapps/spectrum.war /tmp/log4j

Goto temporary directory
cd /tmp/log4j

extract the war file
jar -xvf spectrum.war (use corresponding war name)

once extracted remove the war file
rm -rf spectrum.war (use corresponding war name)

Search the class file in the extracted directory
grep -R 'JndiLookup.class'

It will search all of the jar files, it will be in location WEB-INF/lib/log4j-core-2.x.jar

go to corresponding location
cd WEB-INF/lib/

remove the JndiLookup.class from jar file
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

go back to temporary directory and re-pack the war
cd /tmp/log4j
jar -cvf spectrum.war *  (use corresponding war name)

Copy the war back to its install directory
cp spectrum.war /usr/Spectrum/webtomcat/webapps/

Now clear the temporary directory
 
Do the same for the remaining war files.

Restart spectrum  tomcat and webtomcat

Restore the axis2.xml file backup to SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/ directory,

Restart tomcat service only

 

Windows:

 

Stop spectrum tomcat and webtomcat services

Take a backup of the following file and keep it outside of the spectrum directory structure:

$SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/axis2.xml



Identify the .war files which are having log4j-core-*.jar.

$Specroot/tomcat/webapps/axis2.war (Effected from 21.2.4 onwards, old versions having log4-1.x.jar)
$Specroot/tomcat/webapps/ca-nim-sm.war 
$Specroot/webtomcat/webapps/admin.war (Admin.war is not exist in spectrum 10.4.x releases)
$Specroot/webtomcat/webapps/spectrum.war

 

Extract the war files to temporary directory

Go to WEB-INF/lib folder and find log4j-core-2.x.jar

Rename the above .jar files to .zip

Double-click the zip file to navigate into it.

Go to the org/apache/logging/log4j/core/lookup/ folder and locate and delete JNDILookup.class.

Once the file has been deleted, rename .zip back to .jar.

zip all the files in the temporary directory and rename it to war.

 

Copy back the war from temporary directory to install location.

Do the same for other war files.

Restart spectrum tomcat and webtomcat services

Restore the axis2.xml file backup to SPECROOT/tomcat/webapps/axis2/WEB-INF/conf/ directory,

Restart tomcat service only



Scans may show the following are vulnerable:

root@spvap01:/data/CA/Spectrum/tomcat/lib> ls -la log4j*
-rw-r----- 1 spectrum spectrum 276771 Nov 16  2020 log4j-api-2.12.1.jar
-rw-r----- 1 spectrum spectrum 350482 Nov 16  2020 log4j.jar
-rwxr-x--- 1 spectrum spectrum    702 Nov 16  2020 log4j.properties

These library files do not contain the vulnerable class. However to upgrade log4j to 2.17.1 you will need to install Spectrum 21.2.8 or higher.