CVE-2021-44228 - log4j Vulnerability in CA Service Management - xFlow
Article ID: 230323

Products

CA Service Desk Manager; CA Service Management - Service Desk Manager

Issue/Introduction

Are any of the components of CA Service Catalog affected by the recently announced log4j vulnerability, CVE-2021-44228?

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

 

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as setting the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).



CA Service Management Search Server, which is a wrapper over the Elasticsearch server, uses log4j-api and log4j-core version 2.13.3.

Environment

Releases: CA Service Desk Manager 17.x

  • The steps are applicable for Elasticsearch version 7.10.2, which is shipped with SDM 17.3 RU6 and above.
  • Elasticsearch 2.1.1 versions, which are shipped with SDM r17.2 and SDM r17.3 earlier than RU6, are not vulnerable.
  • This KB article is NOT applicable for CA Service Management 17.3 RU11 and later versions, as an upgraded log4j2 is provided as part of the installer. For more information, refer to https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Release-Information/CA-Service-Management-17-3-0-11-Release-Notes.html

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1.

Resolution

If you have already performed the steps below from the earlier shared document, go directly to the footer note steps and perform those.

Please follow the steps below to implement the workaround and avoid the vulnerability:

In the Elasticsearch server folder (log4j2.properties):

 1. Navigate to the Elasticsearch server installation folder path:

      Default location (Windows): C:\Program Files\CA\SC\CASearchServer\elasticsearch-7.10.2\config

      Default location (Linux): /opt/CA/SC/SearchServer/elasticsearch-7.10.2/config

 

2. Locate the log4j2.properties file and replace all occurrences of %m%n with %m{nolookups}%n in the file.



3. Locate the jvm.options file and append the following lines to the end of the file:

  ## Mitigate vulnerability CVE-2021-44228

  -Dlog4j2.formatMsgNoLookups=true

 

4. Navigate to the CA Search Server installation folder path:

     Default location (Windows): C:\Program Files\CA\SC\CASearchServer\search\bin

     Default location (Linux): /opt/CA/SC/SearchServer/search/bin

 

5. Locate the log4j2.xml file, replace all occurrences of %m%n with %m{nolookups}%n and save the file.

6. Restart the CA Service Management Search Server service.

 

Note:

  • The above steps are applicable for Elasticsearch version 7.10.2, which is shipped with SDM 17.3 RU6 and above.
  • Elasticsearch 2.1.1 versions are not vulnerable.
  • Other components of the CA xFlow Analyst User Interface are not vulnerable to this log4j CVE-2021-44228 vulnerability.

 

Footer note (mandatory step):

WINDOWS:

Please follow the steps below to implement the workaround and avoid the vulnerability:

  1. Stop the CA Service Management Search Server service.
  2. Navigate to C:\Program Files\CA\SC\CASearchServer\search\lib
  3. Using the WinRAR, WinZip or 7-Zip utility, open the log4j-core-2.13.3.jar file and delete the following class:
    • org/apache/logging/log4j/core/lookup/JndiLookup.class
  4. Navigate to C:\Program Files\CA\SC\CASearchServer\elasticsearch-7.10.2
  5. Using the WinRAR, WinZip or 7-Zip utility, open the log4j-core-2.11.1 file and delete the following class:
    • org/apache/logging/log4j/core/lookup/JndiLookup.class
  6. Save the file and start the CA Service Management Search Server service.



LINUX:

  1. Stop the CA Service Management Search Server service.
  2. Navigate to /opt/CA/SC/SearchServer/search/lib and run the following command:
    • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  3. Navigate to /opt/CA/SC/SearchServer/elasticsearch-7.10.2/lib and run the following command:
    • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  4. Save the file and start the CA Service Management Search Server service.
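As an added verification script (not part of the Broadcom article), the following Python code audits a Search Server tree for all three mitigations described in the Resolution and footer-note steps above: it reports any log4j-core jar that still contains JndiLookup.class, any log4j2.properties or log4j2.xml pattern layout still using %m%n without {nolookups}, and a jvm.options that lacks -Dlog4j2.formatMsgNoLookups=true. The build_sample_tree() directory it creates for its own run is a constructed stand-in; point audit() at the real CASearchServer folder to check an installation.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# %m%n or %msg%n without the {nolookups} modifier: the layout the KB says to replace.
UNPATCHED = re.compile(r"%(?:m|msg)%n")

def jar_has_jndi_lookup(jar_path):
    """True when the jar still ships JndiLookup.class (footer-note step not done)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def unpatched_layout_lines(config_text):
    """1-based line numbers whose pattern layout still ends in %m%n / %msg%n."""
    return [n for n, line in enumerate(config_text.splitlines(), 1) if UNPATCHED.search(line)]

def jvm_options_has_flag(options_text):
    return any(line.strip() == JVM_FLAG for line in options_text.splitlines())

def audit(root):
    """Findings for a Search Server tree; an empty list means all three KB mitigations are in place."""
    root, findings = Path(root), []
    for jar in root.rglob("log4j-core-*.jar"):
        if jar_has_jndi_lookup(jar):
            findings.append(f"{jar.name}: JndiLookup.class still present")
    for cfg in list(root.rglob("log4j2.properties")) + list(root.rglob("log4j2.xml")):
        if lines := unpatched_layout_lines(cfg.read_text(errors="replace")):
            findings.append(f"{cfg.name}: %m%n without {{nolookups}} on lines {lines}")
    for opts in root.rglob("jvm.options"):
        if not jvm_options_has_flag(opts.read_text(errors="replace")):
            findings.append(f"{opts.name}: {JVM_FLAG} not set")
    return findings

def build_sample_tree(mitigated):
    """Constructed stand-in for a CASearchServer tree (not a real install): lib/ and config/."""
    root = Path(tempfile.mkdtemp())
    lib, cfg = root / "lib", root / "config"
    lib.mkdir()
    cfg.mkdir()
    with zipfile.ZipFile(lib / "log4j-core-2.11.1.jar", "w") as jar:
        if not mitigated:
            jar.writestr(JNDI_CLASS, b"")  # the entry that `zip -d` removes
    layout = "%m{nolookups}%n" if mitigated else "%m%n"
    (cfg / "log4j2.properties").write_text(f"appender.console.layout.pattern = [%-5p] %marker{layout}\n")
    flag = f"## Mitigate vulnerability CVE-2021-44228\n{JVM_FLAG}\n" if mitigated else ""
    (cfg / "jvm.options").write_text("-Xms1g\n" + flag)
    return root
```

Running audit() against a tree before and after applying the KB steps shows three findings before and none after, which is the state to confirm before restarting the Search Server service.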

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228