CVE-2021-44228, CVE-2021-45046 & CVE-2021-44832: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability?

Article ID: 230262

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

LAST UPDATE: 09/13/2023

Are any of the components of CAPM affected by the recently announced log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832?

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Recent update 09/13/23: It appears some recent scans have been triggering on the following files on the Data Repository:

/opt/vertica/packages/kafka/lib/log4j-api-2.12.4.jar

/opt/vertica/packages/kafka/lib/log4j-core-2.12.4.jar

Environment

All Supported Versions

 

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1.

 

Only the following components are affected:

  • Data Collectors (21.2.2-21.2.6 only)
  • Data Aggregators (21.2.2-21.2.6 only)
  • Data Repository Nodes (3.7.x, 20.2.x, and 21.2.x)

 

The NetOps Portal and Data Aggregator Proxy are not affected.

Resolution

Data Aggregator & Data Collector:

Versions Affected: Customers running 21.2.2-21.2.6 must run the following on the DA (both DAs in an FT environment) and all DCs.  Version 21.2.7 ships with log4j 2.17.1 for the DA / DC karaf.  No mitigation steps are needed for 21.2.7+.

Notes:

    • Steps 5-10 are new as of 12/16/2021 to provide mitigation for CVE-2021-45046 and must be run even if you have already done steps 1-4.  A restart of the dadaemon or dcmd service is required even if you had already completed steps 1-4.
    • There are no updates for the DC installer that is embedded in the DA installation.  When downloading a new DC to install, or upgrading via command line or UI, be sure to apply the DC steps below after the installation completes.
    • The default paths for "DA or DC install dir" are as follows:
      • DA: /opt/IMDataAggregator
      • DC: /opt/IMDataCollector

 

Make the changes:

  1. cd <DA or DC install dir>/apache-karaf-4*/etc
  2. cp -p org.ops4j.pax.logging.cfg org.ops4j.pax.logging.cfg.bak
  3. sed -i 's/%msg/%m/g' org.ops4j.pax.logging.cfg
  4. sed -i 's/%m/%m{nolookups}/g' org.ops4j.pax.logging.cfg
  5. cd <DA or DC install dir>/apache-karaf-4*/bin
  6. cp -p karaf karaf.bak
  7. sed -i 's/UnsyncloadClass/UnsyncloadClass -Dlog4j2.formatMsgNoLookups=true/g' karaf
  8. cd <DA or DC install dir>/apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2
  9. zip -d -q [12].*/pax-logging-log4j2-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  10. Restart the dadaemon or dcmd service depending on which you are altering.  ActiveMQ does NOT need to be restarted.

Verify the changes:

DA:

  1. After the DA comes up, run and confirm the karaf process is found:
    • ps -ef | grep java | grep log4j2.formatMsgNoLookups=true
  2. Run and confirm there are no %m without {nolookups}:
    • cd <DA install dir>
    • grep %m apache-karaf-4*/etc/org.ops4j.pax.logging.cfg
  3. Run and confirm no JndiLookup.class is returned:
    • cd <DA install dir>
    • unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JndiLookup

DC:

  1. After the DC comes up, run and confirm the karaf process is found:
    • ps -ef | grep java | grep log4j2.formatMsgNoLookups=true
  2. Run and confirm there are no %m without {nolookups}:
    • cd <DC install dir>
    • grep %m apache-karaf-4*/etc/org.ops4j.pax.logging.cfg
  3. Run and confirm no JndiLookup.class is returned:
    • cd <DC install dir>
    • unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JndiLookup

For CVE-2021-44832 the following steps must be run on the DA (both DAs in an FT environment) and all DCs:

  1. cd <DA or DC install dir>/apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2
  2. zip -d -q [12].*/pax-logging-log4j2-*.jar org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class

Verify the changes: run and confirm no JdbcAppender*.class is returned:

  1. cd <DA or DC install dir>
  2. unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JdbcAppender

 

Data Repository:

Versions Affected: All Data Repository Nodes running Vertica 9.1.1 and 10.1.1 (Performance Management 3.7.x - 21.2.x):

Notes:

  • A restart of the Vertica Database is NOT needed
  • For the below commands to run, the database needs to be online.  In a Disaster Recovery environment, it is safe to start the database to make the below changes so long as the Data Aggregator remains DOWN.
  • 09/13/23 Update: Recent scans are finding this again - indicating that 2.17.x is the fix.
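The scan hits on /opt/vertica/packages/kafka/lib and the note above are both about inventory: which archives on a node still bundle log4j-core classes, at what version, and whether the JndiLookup and JdbcAppender classes that the zip -d steps on this page delete are still packaged. The following Python script is an added example, not part of this article or of the product. It applies the same check as this article's `unzip -v ... | grep JndiLookup` verification, but over a whole directory tree, opening every jar/war/ear rather than trusting file names (the DA/DC bundle is named pax-logging-log4j2, not log4j-core, and the Management Console's log4j-core sits inside webui.war). The 2.17.1 threshold follows this article's note that 2.17.x is the fix. The sample tree it builds, including the apache-karaf-4.2 and 1.2.3 directory names and the placeholder class bytes, is constructed for the demonstration.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JDBC_APPENDER_PREFIX = "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender"
CORE_PREFIX = "org/apache/logging/log4j/core/"
# Maven metadata a genuine log4j-core jar carries; the pax-logging bundle does not.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.12.4' -> (2, 12, 4); a qualifier such as '-beta9' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def _version_of(label, zf):
    """Version from pom.properties if present, else from the file name, else None."""
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    match = FILENAME_VERSION.search(os.path.basename(label))
    return match.group(1) if match else None


def inspect_archive(label, data, min_version=(2, 17, 1)):
    """Yield a finding for this archive, and for every archive nested inside it,
    that bundles log4j-core classes, whatever the file is called."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = _version_of(label, zf)
            jndi = JNDI_LOOKUP in names
            jdbc = any(n.startswith(JDBC_APPENDER_PREFIX) for n in names)
            fixed_version = version is not None and parse_version(version) >= min_version
            yield {"path": label, "version": version, "jndi_lookup": jndi,
                   "jdbc_appender": jdbc,
                   # remediated per this article: at/above the fixed version, or
                   # with both class groups stripped by the zip -d steps
                   "remediated": fixed_version or not (jndi or jdbc)}
        for n in names:
            if n.endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(label + "!" + n, zf.read(n), min_version)


def scan_tree(root, min_version=(2, 17, 1)):
    """Inventory every archive under root; returns findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                findings.extend(inspect_archive(os.path.relpath(path, root), data, min_version))
    return sorted(findings, key=lambda f: f["path"])


def _write_zip(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)


def build_sample_tree(root):
    """Constructed stand-ins for the jars this article names; class bodies are placeholders."""
    core = {CORE_PREFIX + "Logger.class": b"\xca\xfe\xba\xbe"}
    # Data Repository: the log4j-core-2.12.4 jar the scans flag, classes still present
    _write_zip(os.path.join(root, "opt/vertica/packages/kafka/lib/log4j-core-2.12.4.jar"),
               {**core, JNDI_LOOKUP: b"\xca\xfe", JDBC_APPENDER_PREFIX + ".class": b"\xca\xfe",
                POM_PROPERTIES: b"version=2.12.4\n"})
    # DA: pax-logging bundle after the zip -d steps (no version metadata, classes gone)
    _write_zip(os.path.join(root, "opt/IMDataAggregator/apache-karaf-4.2/system/org/ops4j/pax/"
                            "logging/pax-logging-log4j2/1.2.3/pax-logging-log4j2-1.2.3.jar"), core)
    # Management Console: war nesting a log4j-core at the fixed version that still packages JndiLookup
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for name, body in {**core, JNDI_LOOKUP: b"\xca\xfe", POM_PROPERTIES: b"version=2.17.1\n"}.items():
            zf.writestr(name, body)
    _write_zip(os.path.join(root, "opt/vconsole/lib/webui.war"),
               {"WEB-INF/lib/log4j-core-2.17.1.jar": inner.getvalue()})


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "ok " if f["remediated"] else "FIX"
        print(f"{flag} {f['path']} version={f['version']} JndiLookup={f['jndi_lookup']} "
              f"JdbcAppender={f['jdbc_appender']}")
```

Run against a real node with `scan_tree("/opt")`. A finding with `remediated` false is what the 09/13/23 scans are reporting; a jar with no version metadata but both class groups absent is what the DA/DC steps on this page produce.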

 

Vertica/Kafka:

Notes:

  • These changes apply to Vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
  • These changes MUST be applied to fresh installs of, or reapplied after an upgrade to, 10.1.1-0 (21.2.3+).

  1. Become the <dbadmin> user (dradmin in the example below) on any Vertica node:
     $ su - dradmin

  2. To uninstall the Kafka Vertica package, run:

    • /opt/vertica/bin/admintools -t uninstall_package -d <dbname> -p<dbpassword> -P kafka

      Example:
      $ /opt/vertica/bin/admintools -t uninstall_package -d drdata -p dbpass -P kafka

      If you re-run the same syntax, you will get a message that the Kafka package is not currently installed.

      Note that the kafka package is still displayed in the output of the following command:
      $ /opt/vertica/bin/admintools -t list_packages

    • If <dbpassword> contains a special character, escape it by surrounding the password with single quotes.

  3. Log into each Vertica node as root, and run this command:

    • rm -rf /opt/vertica/packages/kafka

      After removing the kafka files, the package is no longer displayed in the output of admintools -t list_packages.

  4. No need to restart Vertica.

 

Vertica/Management Console:

Notes:

    • The Management Console is not installed by default and is likely not installed in your environment.
    • ALL steps must be completed even if you previously completed the steps for CVE-2021-44228.
    • These changes apply to Vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
    • These changes MUST be applied to fresh installs of, or reapplied after an upgrade to, 10.1.1-0 (21.2.3+).

Make the changes:

  1. login as root
  2. /etc/rc.d/init.d/vertica-consoled stop
  3. mkdir /tmp/war
  4. cd /tmp/war
  5. cp /opt/vconsole/lib/webui.war .
  6. unzip -o webui.war
  7. zip -q -d WEB-INF/lib/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class
  8. zip -q -d webui.war WEB-INF/lib/log4j-core-*.jar
  9. sed -i 's/%m/%m{nolookups}/g' WEB-INF/classes/log4j2.xml
  10. zip -r -u webui.war WEB-INF/lib/log4j-core-*.jar WEB-INF/classes/log4j2.xml
  11. cp webui.war /opt/vconsole/lib/webui.war
  12. rm -rf /opt/vconsole/temp/*
  13. cd /tmp
  14. rm -rf /tmp/war
  15. /etc/rc.d/init.d/vertica-consoled start

Verify the changes:

  1. Run this to confirm %m{nolookups} are being used instead of %m:
    • grep %m /opt/vconsole/temp/webapp/WEB-INF/classes/log4j2.xml
  2. Run these to confirm there are no JndiLookup.class or JdbcAppender*.class entries:
    • unzip -v /opt/vconsole/temp/webapp/WEB-INF/lib/log4j-core*.jar | grep JndiLookup
    • unzip -v /opt/vconsole/temp/webapp/WEB-INF/lib/log4j-core*.jar | grep JdbcAppender
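The DA/DC steps 1-10, the CVE-2021-44832 zip -d step and the Management Console steps 7-10 above all do the same two things: rewrite every %msg/%m in a PatternLayout to %m{nolookups}, and delete the JndiLookup and JdbcAppender classes from a jar, which for the console is a jar nested inside webui.war. The following Python script is an added example, not this article's or the product's code, that performs both in memory and verifies the result the way the article does, by checking that nothing is left to fix. It goes slightly beyond the sed one-liners: the %m rewrite only touches a complete %m conversion, so %mdc{...} and %M are left alone, and it does not append {nolookups} a second time when run on a file that was already hardened. The pax-logging cfg text, the log4j2.xml fragment, the nested jar name log4j-core-2.14.1.jar and the placeholder class bytes are constructed inputs.

```python
import fnmatch
import io
import os
import re
import zipfile

# Classes this article deletes with `zip -d` (JndiLookup for CVE-2021-44228/45046,
# JdbcAppender* for CVE-2021-44832), as glob patterns over jar entry names.
CLASS_PATTERNS = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class",
)
# Config files whose PatternLayout the article rewrites with sed.
CONFIG_NAMES = ("org.ops4j.pax.logging.cfg", "log4j2.xml")
NESTED_SUFFIXES = (".jar", ".war")

# Step 3 of the article (%msg -> %m), then %m -> %m{nolookups}, but only where %m is a
# complete conversion word that does not already carry {nolookups}. Unlike a plain
# `s/%m/%m{nolookups}/g`, this leaves %mdc{...} and %M alone and is safe to run twice.
_MSG_RE = re.compile(r"%msg(?![A-Za-z])")
_M_RE = re.compile(r"%m(?![A-Za-z])(?!\{nolookups\})")


def harden_pattern(text):
    """Rewrite PatternLayout text so every message conversion is %m{nolookups}."""
    return _M_RE.sub("%m{nolookups}", _MSG_RE.sub("%m", text))


def unhardened_lines(text):
    """Lines the article's `grep %m` check should no longer find after the rewrite."""
    return [ln for ln in text.splitlines() if harden_pattern(ln) != ln]


def harden_archive(data, label=""):
    """Return (new_bytes, changes) for a jar or war held in memory: matching classes
    are dropped, bundled config files are rewritten, nested jars/wars are processed
    the same way. `changes` lists ('removed'|'rewrote', entry) and is empty when
    nothing was left to fix, which makes a second call the verification step."""
    changes = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            name = info.filename
            body = src.read(name)
            if any(fnmatch.fnmatchcase(name, p) for p in CLASS_PATTERNS):
                changes.append(("removed", label + name))
                continue
            if os.path.basename(name) in CONFIG_NAMES:
                text = body.decode("utf-8")
                fixed = harden_pattern(text)
                if fixed != text:
                    changes.append(("rewrote", label + name))
                    body = fixed.encode("utf-8")
            elif name.endswith(NESTED_SUFFIXES):
                body, nested = harden_archive(body, label + name + "!")
                changes.extend(nested)
            entry = zipfile.ZipInfo(name, date_time=info.date_time)
            entry.compress_type = info.compress_type
            dst.writestr(entry, body)
    return out.getvalue(), changes


def make_zip(entries):
    """Build a small in-memory zip (stand-in for a jar/war) from {entry: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo():
    """Constructed inputs standing in for the article's files (not product data)."""
    pax_cfg = ("log4j2.rootLogger.level = INFO\n"
               "log4j2.appender.console.layout.pattern = %d{ISO8601} | %-5.5p | %msg%n\n"
               "log4j2.appender.audit.layout.pattern = %d | %mdc{user} | %m{nolookups}%n\n")
    log4j2_xml = '<PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>\n'
    core = {"org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe"}
    jndi = {"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe"}
    jdbc = {"org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender.class": b"\xca\xfe",
            "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender$Builder.class": b"\xca\xfe"}
    pax_jar = make_zip({**core, **jndi, **jdbc})          # DA/DC pax-logging-log4j2 jar
    webui_war = make_zip({                                 # Management Console war
        "WEB-INF/lib/log4j-core-2.14.1.jar": make_zip({**core, **jndi}),
        "WEB-INF/classes/log4j2.xml": log4j2_xml.encode("utf-8"),
    })
    cfg = harden_pattern(pax_cfg)
    new_jar, jar_changes = harden_archive(pax_jar)
    new_war, war_changes = harden_archive(webui_war)
    with zipfile.ZipFile(io.BytesIO(new_war)) as zf:
        war_xml = zf.read("WEB-INF/classes/log4j2.xml").decode("utf-8")
    return {
        "cfg": cfg,
        "cfg_unhardened_after": unhardened_lines(cfg),
        "jar_changes": jar_changes,
        "jar_verify": harden_archive(new_jar)[1],   # must be [] after remediation
        "war_changes": war_changes,
        "war_verify": harden_archive(new_war)[1],
        "war_xml": war_xml,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On a real host, read the jar or war into memory, call `harden_archive`, and write the result back only after keeping the `.bak` copy the article's `cp -p` steps make; the empty `changes` list from a second call is the equivalent of the article's `unzip -v | grep` and `grep %m` checks returning nothing.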

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

https://nvd.nist.gov/vuln/detail/CVE-2021-44832