CVE-2021-44228: Log4j Vulnerability Remediation in CA Service Desk Manager (xFlow Containers)

Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Are any of the components of CA Service Desk Manager (xFlow Containers) affected by the log4j vulnerability that was announced recently - CVE-2021-44228.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

Environment

Releases : 17.3

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

Step 1:

Copy the following files from the search server pod to the master node

(< 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder).

jvm.options and logging.yml files from /opt/CA/SC/SearchServer/elasticsearch/config/ folder

log4j2.xml file from /opt/CA/SC/SearchServer/search/bin folder

jvm.options file: append the following below lines to the end of the file

## Mitigate vulnerability CVE-2021-44228

-Dlog4j2.formatMsgNoLookups=true

logging.yml files: Replace all occurrences of %m%n with %m{nolookups}%n in the file

log4j2.xml file: Replace all occurrences of %m%n with %m{nolookups}%n

Step 2:

Create the configmaps using the below commands for all three files:

kubectl create configmap "jvm-options" -n casm-docker --from-file "jvm.options"

kubectl label configmap "jvm-options" -n casm-docker type="jvm-options"

kubectl create configmap "logging" -n casm-docker --from-file "logging.yml"

kubectl label configmap "logging" -n casm-docker type="logging"

kubectl create configmap "log4j2" -n casm-docker --from-file "log4j2.xml"

kubectl label configmap "log4j2" -n casm-docker type="log4j2"

Step 3: Open the 17.3RU6 and above container patch installer and navigate the < 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement/64 - searchsrvr folder

Update the volumeMounts: section with below lines in the searchsrvr-statefulset.yaml file.

- name: jvm-options

mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/jvm.options

subPath: jvm-options

- name: logging

mountPath: /opt/CA/SC/SearchServer/elasticsearch/config/logging.yml

subPath: logging

- name: log4j2

mountPath: /opt/CA/SC/SearchServer/search/bin/log4j2.xml

subPath: log4j2

Step 4:

Update the volumes:section with below lines in the searchsrvr-statefulset.yaml file

- name: jvm-options

configMap:

items:

- key: jvm.options

path: jvm-options

defaultMode: 420

- name: logging

configMap:

items:

- key: logging.yml

path: logging

defaultMode: 420

- name: log4j2

configMap:

items:

- key: log4j2.xml

path: log4j2

defaultMode: 420

Step 5: Save the searchsrvr-statefulset.yaml file

Step 6. run apply.sh file from the

< 17.3RU6_dump_location>/casm-docker-installer-ServiceManagement folder

Step 7. restart the search server pod using below commands:

kubectl scale -n casm-docker statefulset searchserver --replicas=0

kubectl scale -n casm-docker statefulset searchserver --replicas=1

Step 8. connect search server pod from master node

kubectl exec -it searchserver-0 -n casm-docker bash

Step 9: check if the new changes are available or not in the all three files.

jvm.options and logging.yml files from /opt/CA/SC/SearchServer/elasticsearch/config/ folder

log4j2.xml file from /opt/CA/SC/SearchServer/search/bin folder

Step 10: run ./pdm_es_rebuild_index.sh command from search server pod

check if the log messages are displayed or not in the log files

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228