CVE-2021-44228, CVE-2021-45046 & CVE-2021-44832: Is DX Netops Performance Management (PM) affected by the Remote code injection in log4j vulnerability?


Article ID: 230262


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

LAST UPDATE: 1/25/2022 2:10 PM EST

Are any of the components of CAPM affected by the Log4j vulnerabilities that were announced recently: CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832?

CVE-2021-44228 (Log4Shell): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVE-2021-45046: the fix shipped in Log4j 2.15.0 was incomplete in certain non-default configurations. Where a pattern layout uses a Thread Context (MDC) lookup such as $${ctx:loginId}, an attacker who controls that context value can still craft input that triggers a JNDI lookup. Setting log4j2.formatMsgNoLookups=true or using %m{nolookups} alone does not close this, which is why the steps below also remove the JndiLookup class from the jar.

CVE-2021-44832: an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender whose data source refers to a JNDI URI, which can execute remote code. This is fixed in Log4j 2.17.1 (and 2.12.4, 2.3.2); the steps below remove the JdbcAppender classes instead.

Cause

CVE-2021-44228 affects all versions of Log4j 2 from 2.0-beta9 to 2.14.1. CVE-2021-45046 extends the affected range to 2.15.0, and CVE-2021-44832 affects 2.0-beta7 through 2.17.0 and is fixed in 2.17.1.

Only the following components are affected:

  • Data Collectors (21.2.2-21.2.6 only)
  • Data Aggregators (21.2.2-21.2.6 only)
  • Data Repository Nodes (3.7.x, 20.2.x, and 21.2.x)

The NetOps Portal and Data Aggregator Proxy are not affected.

Environment

All Supported Versions

Resolution

Data Aggregator & Data Collector:

Versions Affected: Customers running 21.2.2-21.2.6 must run the following on the DA (both DAs in a FT environment) and on all DCs. Version 21.2.7 ships with Log4j 2.17.1 for the DA / DC karaf, so no mitigation steps are needed for 21.2.7+.

Notes:

    • Steps 5-10 are new as of 12/16/2021 to provide mitigation for CVE-2021-45046 and will need to be run even if you have already done steps 1-4. A restart of the dadaemon or dcmd service will be required even if you already completed steps 1-4 earlier.
    • The sed commands in steps 4 and 7 are not idempotent: running them a second time turns %m{nolookups} into %m{nolookups}{nolookups} in the logging config and duplicates the -Dlog4j2.formatMsgNoLookups flag in the karaf script. Use the "Verify the changes" commands to decide whether a node still needs the steps instead of re-running them.
    • There are no updates for the DC installer that is embedded in the DA installation. When downloading to install a new DC, or upgrading via command line or UI, be sure to apply the DC steps below after installation completes.
    • The default paths for "DA or DC install dir" are as follows:
      • DA: /opt/IMDataAggregator
      • DC: /opt/IMDataCollector

Make the changes:

  1. cd <DA or DC install dir>/apache-karaf-4*/etc
  2. cp -p org.ops4j.pax.logging.cfg org.ops4j.pax.logging.cfg.bak
  3. sed -i 's/%msg/%m/g' org.ops4j.pax.logging.cfg
  4. sed -i 's/%m/%m{nolookups}/g' org.ops4j.pax.logging.cfg
  5. cd <DA or DC install dir>/apache-karaf-4*/bin
  6. cp -p karaf karaf.bak
  7. sed -i 's/UnsyncloadClass/UnsyncloadClass -Dlog4j2.formatMsgNoLookups=true/g' karaf
  8. cd <DA or DC install dir>/apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2
  9. zip -d -q [12].*/pax-logging-log4j2-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  10. Restart the dadaemon or dcmd service depending on which you are altering.  ActiveMQ does NOT need to be restarted.

Verify the changes:

DA:

  1. After the DA comes up, run and confirm the karaf process is found:
    •   ps -ef | grep java | grep log4j2.formatMsgNoLookups=true
  2. Run and confirm every %m is followed by {nolookups}:
    •   cd <DA install dir>
    •   grep %m apache-karaf-4*/etc/org.ops4j.pax.logging.cfg
  3. Run and confirm no JndiLookup.class entry is returned:
    • cd <DA install dir>
    • unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JndiLookup

DC:

  1. After the DC comes up, run and confirm the karaf process is found:
    •   ps -ef | grep java | grep log4j2.formatMsgNoLookups=true
  2. Run and confirm every %m is followed by {nolookups}:
    •   cd <DC install dir>
    •   grep %m apache-karaf-4*/etc/org.ops4j.pax.logging.cfg
  3. Run and confirm no JndiLookup.class entry is returned:
    • cd <DC install dir>
    • unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JndiLookup
For CVE-2021-44832 the following steps must be run on the DA (both DAs in a FT environment) and on all DCs:

  1. cd <DA or DC install dir>/apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2
  2. zip -d -q [12].*/pax-logging-log4j2-*.jar 'org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class'

Note: as with step 10 above, the removal only takes effect in a running DA or DC after the dadaemon or dcmd service is restarted, because the running JVM still has the original jar open.

Verify the changes: run and confirm no JdbcAppender*.class entry is returned:

  1. cd <DA or DC install dir>
  2. unzip -v apache-karaf-*/system/org/ops4j/pax/logging/pax-logging-log4j2/[12].*/pax-logging-log4j2-*.jar | grep JdbcAppender

Data Repository:

Versions Affected: All Data Repository Nodes running Vertica 9.1.1 and 10.1.1 (Performance Management 3.7.x - 21.2.x):

Notes:

  • A restart of the Vertica Database is NOT needed
  • For the below commands to run, the database needs to be online.  In a Disaster Recovery environment, it is safe to start the database to make the below changes so long as the Data Aggregator remains DOWN.

Vertica/Kafka:

Notes:

  • These changes apply to Vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
  • These changes MUST be applied on fresh installs of 10.1.1-0 (21.2.3+) and reapplied after an upgrade to it.
  • The Kafka integration package bundles its own Log4j 2 jars; uninstalling the package and deleting its files under /opt/vertica/packages/kafka removes them from every node.

  1. Become the Vertica database administrator user (dradmin in the default install) on any Vertica node:
    $ su - dradmin

  2. Uninstall the Kafka Vertica package:

    • /opt/vertica/bin/admintools -t uninstall_package -d <dbname> -p<dbpassword> -P kafka

      Example:
      $ /opt/vertica/bin/admintools -t uninstall_package -d drdata -p dbpass -P kafka

      If you re-run the same command, you will get a message that the Kafka package is not currently installed.

      Note that the kafka package is still listed by the following command until its files are removed in step 3:
      $ /opt/vertica/bin/admintools -t list_packages

    • If dbpassword has a special character, escape it by surrounding the password with single quotes.

  3. Log into each Vertica node as root and run:

    • rm -rf /opt/vertica/packages/kafka

      After removing the kafka files, the package is no longer listed by admintools -t list_packages.

  4. No restart of Vertica is needed.

Vertica/Management Console:

Notes:

    • The Management Console is not installed by default and is likely not installed in your environment; if /opt/vconsole does not exist, this section does not apply.
    • ALL steps must be completed even if you completed the earlier steps for CVE-2021-44228, because step 7 now also removes the JdbcAppender classes for CVE-2021-44832.
    • These changes apply to Vertica 9.1.1 (pre-21.2.3) and 10.1.1 (21.2.3+).
    • These changes MUST be applied on fresh installs of 10.1.1-0 (21.2.3+) and reapplied after an upgrade to it.

Make the changes:

  1. login as root
  2. /etc/rc.d/init.d/vertica-consoled stop
  3. mkdir /tmp/war
  4. cd /tmp/war
  5. cp /opt/vconsole/lib/webui.war .
  6. unzip -o webui.war
  7. zip -q -d WEB-INF/lib/log4j-core*.jar 'org/apache/logging/log4j/core/lookup/JndiLookup.class' 'org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender*.class'
  8. zip -q -d webui.war WEB-INF/lib/log4j-core-*.jar
  9. sed -i 's/%m/%m{nolookups}/g' WEB-INF/classes/log4j2.xml
  10. zip -r -u webui.war WEB-INF/lib/log4j-core-*.jar WEB-INF/classes/log4j2.xml
  11. cp webui.war /opt/vconsole/lib/webui.war
  12. rm -rf /opt/vconsole/temp/*
  13. cd /tmp
  14. rm -rf /tmp/war
  15. /etc/rc.d/init.d/vertica-consoled start

Verify the changes:

  1. After the console has started and exploded the new war into /opt/vconsole/temp/webapp, run this to confirm %m{nolookups} is being used instead of a bare %m:
    • grep %m /opt/vconsole/temp/webapp/WEB-INF/classes/log4j2.xml
  2. Run these and confirm neither returns a JndiLookup.class or JdbcAppender*.class entry:
    • unzip -v /opt/vconsole/temp/webapp/WEB-INF/lib/log4j-core*.jar | grep JndiLookup
    • unzip -v /opt/vconsole/temp/webapp/WEB-INF/lib/log4j-core*.jar | grep JdbcAppender
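The verification steps for the DA/DC karaf tree and for the Management Console webapp are the same three checks run against different paths: no bare %m in the pattern layout, no JndiLookup.class in the Log4j jar, no JdbcAppender*.class in the Log4j jar. The script below is an added example written for this article, not Broadcom's or Apache's tooling. It reimplements those checks with only the Python standard library so one script can be run unchanged on a DA, DC or Management Console host, and it assumes only what the article already states: the class paths inside the jar and the %m{nolookups} pattern form. The config excerpt and the jars built by demo() are constructed sample data, and guard_message_pattern() is a hypothetical idempotent replacement for the article's sed steps, included because a plain s/%m/%m{nolookups}/ also rewrites %mdc and %marker if present and doubles up if run twice.

```python
"""Offline check of the Log4j mitigations above (added example, not Broadcom tooling).
Reproduces the "Verify the changes" greps with the standard library only, so one
script covers the DA/DC karaf tree and the exploded Management Console webapp:
  1. pattern layouts use %m{nolookups}, not a bare %m / %msg / %message
  2. no JndiLookup.class left in any Log4j jar     (CVE-2021-44228 / CVE-2021-45046)
  3. no JdbcAppender*.class left in any Log4j jar  (CVE-2021-44832)
The config excerpt and jars used by demo() are constructed for this example."""
import os
import re
import tempfile
import zipfile

# Bare message conversions. The lookahead skips %mdc, %marker and anything with an
# option block such as %m{nolookups}; the procedure's plain sed rewrites those too,
# and a second run turns %m{nolookups} into %m{nolookups}{nolookups}.
MESSAGE_REF = re.compile(r"%(?:message|msg|m)(?![A-Za-z{])")
LOG4J_CORE = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE + "lookup/JndiLookup.class"
JDBC_APPENDER = LOG4J_CORE + "appender/db/jdbc/JdbcAppender"

# Constructed excerpt in the style of org.ops4j.pax.logging.cfg, not the shipped file.
SAMPLE_PAX_CFG = """\
log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} | %m%n
log4j2.appender.console.layout.pattern = %msg%n
log4j2.appender.audit.layout.pattern = %d %marker %mdc{user} %message%n
"""


def unguarded_message_refs(text):
    """Bare message conversions still present; an empty list is the pass condition."""
    return [m.group(0) for m in MESSAGE_REF.finditer(text)]


def guard_message_pattern(text):
    """Rewrite bare message conversions to %m{nolookups}; safe to run repeatedly."""
    return MESSAGE_REF.sub("%m{nolookups}", text)


def scan_jar(path):
    """Report whether one jar holds log4j-core classes and which removable ones remain."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
    return {
        "jar": path,
        "log4j_core": any(n.startswith(LOG4J_CORE) for n in names),
        "jndi_lookup": JNDI_LOOKUP in names,
        "jdbc_appender": any(n.startswith(JDBC_APPENDER) for n in names),
    }


def scan_tree(root):
    """scan_jar() for every *.jar under root that contains log4j-core classes."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                result = scan_jar(os.path.join(dirpath, name))
                if result["log4j_core"]:
                    results.append(result)
    return results


def mitigated(results):
    """True only if a Log4j jar was found and none carries either class (empty scan != pass)."""
    return bool(results) and not any(r["jndi_lookup"] or r["jdbc_appender"] for r in results)


def build_sample_jar(path, stripped):
    """Constructed stand-in for a log4j jar; stripped=True mimics the jar after zip -d."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(LOG4J_CORE + "Logger.class", b"\xca\xfe\xba\xbe")
        if not stripped:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
            jar.writestr(JDBC_APPENDER + ".class", b"\xca\xfe\xba\xbe")
            jar.writestr(JDBC_APPENDER + "$Builder.class", b"\xca\xfe\xba\xbe")


def demo():
    """Run every check against the constructed config and jars; returns the results."""
    guarded = guard_message_pattern(SAMPLE_PAX_CFG)
    with tempfile.TemporaryDirectory() as root:
        before, after = os.path.join(root, "before"), os.path.join(root, "after")
        for tree, stripped in ((before, False), (after, True)):
            os.makedirs(tree)
            build_sample_jar(os.path.join(tree, "pax-logging-log4j2-2.1.0.jar"), stripped)
        return {
            "cfg_refs_before": unguarded_message_refs(SAMPLE_PAX_CFG),
            "cfg_refs_after": unguarded_message_refs(guarded),
            "cfg_idempotent": guard_message_pattern(guarded) == guarded,
            "before_mitigated": mitigated(scan_tree(before)),
            "after_mitigated": mitigated(scan_tree(after)),
            "missing_tree_mitigated": mitigated(scan_tree(os.path.join(root, "nope"))),
        }


if __name__ == "__main__":
    # Stand-alone run shows the checks against the constructed samples.
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

To check a real host, import the module and call scan_tree() on /opt/IMDataAggregator, /opt/IMDataCollector or /opt/vconsole/temp/webapp and pass the result to mitigated(); feed the contents of org.ops4j.pax.logging.cfg or log4j2.xml to unguarded_message_refs(). mitigated() deliberately returns False for an empty scan so a mistyped path cannot look like a pass, and a jar that still reports jndi_lookup or jdbc_appender True is one the zip -d steps have not reached.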

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

https://nvd.nist.gov/vuln/detail/CVE-2021-44832
