Log4j2 vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) information and mitigation steps for on-premises manager and LiveUpdate Administrator

Article ID: 230359

Products

Endpoint Protection

Issue/Introduction

This article expands on the mitigation steps for Symantec Endpoint Protection Manager (SEPM) and LiveUpdate Administrator (LUA) referenced in security advisory SYMSA19793.

Environment

Affected version(s)

  • SEPM versions 14.2 and above.
  • LUA versions 2.3.8 and 2.3.9.

Resolution

Endpoint Protection Manager mitigation

CVE-2021-44228 and CVE-2021-45046

SEPM 14.3 RU3 build 5427 (14.3.5427.3000) has been released to address these vulnerabilities and is available for download. We recommend all customers migrate their SEPM(s) to this build.

If upgrading immediately is not an option, the following steps mitigate CVE-2021-44228 and CVE-2021-45046 until an upgrade can be completed. They remove the JndiLookup class from the Log4j core jar, which is the vendor-recommended workaround for releases that cannot be upgraded. Ref. Log4j Security

  1. Go to [DriveLetter]:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\lib\ and locate the log4j-core-*.jar file.
  2. Copy log4j-core-*.jar to a temp folder and keep a secondary backup in another location. The edits in steps 4 to 8 are made on the copy in the temp folder; the backup stays untouched so the change can be reverted.
  3. Stop the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager API services. While they run, Tomcat holds the jar open and the file cannot be replaced.
  4. Right-click the copy, choose Properties, then clear the Read-only check box.
  5. Rename log4j-core-*.jar to log4j-core-*.jar.zip. A jar is a zip archive, so adding the extension lets Windows File Explorer, 7-Zip or WinRAR open it.
  6. Open (do not extract) log4j-core-*.jar.zip with a zip utility, locate org/apache/logging/log4j/core/lookup/JndiLookup.class and delete it.
  7. Close the zip utility and reopen the archive to confirm that JndiLookup.class is no longer present.
  8. Remove the .zip extension from log4j-core-*.jar.zip.
  9. Replace the original log4j-core-*.jar in ...<SEPM>\tomcat\lib with the modified version.
  10. Right-click the file, choose Properties, then select the Read-only check box.
  11. Start the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager API services.
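The same procedure can be scripted so that it is repeatable across several management servers and leaves a verifiable result. The script below is an added example and not part of the Broadcom article or product: it performs steps 1 to 11 on one SEPM host, using the .NET ZipFile API instead of renaming the jar to .zip. It assumes the default SEPM install path in $SepmLib and uses C:\log4j-backup as the secondary backup location; both are assumptions and should be adjusted to the environment. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Broadcom article): automate the manual SEPM
# mitigation above on one host. Run from an elevated PowerShell prompt.
# $SepmLib assumes the default install path; $BackupDir is an assumed location.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

$SepmLib   = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\lib'
$BackupDir = 'C:\log4j-backup'
$Entry     = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$Services  = @('Symantec Endpoint Protection Manager',
               'Symantec Endpoint Protection Manager API Service')

# Step 1: locate log4j-core-*.jar; refuse to guess if there is not exactly one.
$jars = @(Get-ChildItem -Path $SepmLib -Filter 'log4j-core-*.jar')
if ($jars.Count -ne 1) { throw "Expected one log4j-core jar in $SepmLib, found $($jars.Count)" }
$jar = $jars[0]

# Step 2: keep two copies of the unmodified jar (temp folder plus secondary backup).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Copy-Item -Path $jar.FullName -Destination (Join-Path $env:TEMP $jar.Name)
Copy-Item -Path $jar.FullName -Destination (Join-Path $BackupDir $jar.Name)

# Step 3: stop the manager and API services (display names as listed in the article)
# so Tomcat releases its handle on the jar.
$svc = Get-Service -DisplayName $Services
$svc | Stop-Service -Force

# Step 4: clear the Read-only attribute so the jar can be rewritten.
$jar.IsReadOnly = $false

# Steps 5-6 and 8: a jar is a zip, so open it for update and delete the lookup
# class directly; no rename to .zip is needed with the ZipFile API.
$zip = [System.IO.Compression.ZipFile]::Open($jar.FullName, 'Update')
try {
    $e = $zip.GetEntry($Entry)
    if ($null -eq $e) { Write-Warning "$Entry not present; jar may already be patched" }
    else { $e.Delete() }
} finally { $zip.Dispose() }

# Step 7: reopen read-only and confirm the class is really gone.
$zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
try {
    if ($null -ne $zip.GetEntry($Entry)) { throw "JndiLookup.class still present in $($jar.Name)" }
} finally { $zip.Dispose() }

# Step 10: restore the Read-only attribute.
$jar.IsReadOnly = $true

# Step 11: start the services again.
$svc | Start-Service
Write-Host "Removed $Entry from $($jar.Name); original copies in $env:TEMP and $BackupDir"
```

Because the verification step reopens the archive and throws if the entry is still listed, a non-zero exit tells you the jar was not patched and the backups are still in place. The workaround is superseded once the server is migrated to 14.3 RU3; the upgrade ships its own Log4j jars.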

No SEPM functionality is impacted by implementing these steps. If the LOG4J_FORMAT_MSG_NO_LOOKUPS system variable was set earlier as an interim measure, it is no longer needed once the class is removed (or the server is upgraded), and on its own it does not address CVE-2021-45046; it can be removed using the steps in Additional Information below.

CVE-2021-45105

SEPM is not impacted. SEPM does not perform Context Lookups in any of its jars, and the affected logging configuration (a Pattern Layout containing a Context Lookup) is not in use.

LiveUpdate Administrator mitigation

CVE-2021-44228 and CVE-2021-45046

LUA 2.3.10, which includes Log4j 2.16 to address CVE-2021-44228 and CVE-2021-45046, is available for download. We recommend all customers migrate their LUAs to this build.

CVE-2021-45105

LUA is not impacted. LUA's Log4j logging configuration does not use a Pattern Layout with a Context Lookup.

Additional Information

Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

Threat Alert: Apache Log4j RCE (CVE-2021-44228) aka Log4Shell

Steps to revert the previously mentioned LOG4J_FORMAT_MSG_NO_LOOKUPS system variable mitigation for SEPM or LUA. Services that were started with the variable keep it in their environment until restarted, which is why step 6 is required.

  1. Open the System Properties window.
    • From an elevated command prompt, type SystemPropertiesAdvanced and press Enter.
  2. On the Advanced tab, click the Environment Variables... button.
  3. In the System variables section, select the LOG4J_FORMAT_MSG_NO_LOOKUPS variable.
  4. Click the Delete button.
  5. Click OK in the Environment Variables window and again in the System Properties window.
  6. Restart the application services.
    • Symantec Endpoint Protection Manager
      • Symantec Endpoint Protection Manager
      • Symantec Endpoint Protection Manager API Service
      • Symantec Endpoint Protection Manager Webserver
    • LiveUpdate Administrator services
      • LUA Apache Tomcat
      • LUA PostgreSQL
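The revert can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the article: it deletes the variable at machine scope (steps 1 to 5), checks that the deletion took effect, and restarts whichever of the listed SEPM or LUA services exist on the host (step 6), stopping them in the order listed and starting them in reverse so the database and web tiers come up before the application tier. The service display names are the ones listed above; the stop/start ordering is this example's own choice.

```powershell
# Added example (not from the Broadcom article): remove the
# LOG4J_FORMAT_MSG_NO_LOOKUPS system variable and restart SEPM/LUA services.
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$Name = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'

# Steps 1-5: delete the variable at Machine scope (the "System variables" list).
# Passing $null as the value removes it. The registry is updated immediately,
# but already-running processes keep their old environment until restarted.
$before = [Environment]::GetEnvironmentVariable($Name, 'Machine')
if ($null -eq $before) {
    Write-Host "$Name is not set at machine scope; nothing to revert"
} else {
    [Environment]::SetEnvironmentVariable($Name, $null, 'Machine')
    if ($null -ne [Environment]::GetEnvironmentVariable($Name, 'Machine')) {
        throw "$Name is still present after deletion"
    }
    Write-Host "Removed $Name (previous value: '$before')"
}

# Step 6: restart the product services present on this host. Display names are
# those listed in the article; a host normally has only SEPM or only LUA, so
# missing names are ignored rather than treated as errors.
$DisplayNames = @(
    'Symantec Endpoint Protection Manager',
    'Symantec Endpoint Protection Manager API Service',
    'Symantec Endpoint Protection Manager Webserver',
    'LUA Apache Tomcat',
    'LUA PostgreSQL'
)
$svc = @(Get-Service -DisplayName $DisplayNames -ErrorAction SilentlyContinue)
if ($svc.Count -eq 0) { throw 'No SEPM or LUA services found on this host' }

# Stop in the listed order (application tier first), then start in reverse so
# PostgreSQL / the web server are up before the services that depend on them.
foreach ($s in $svc) {
    Write-Host "Stopping $($s.DisplayName)"
    Stop-Service -InputObject $s -Force
}
[array]::Reverse($svc)
foreach ($s in $svc) {
    Write-Host "Starting $($s.DisplayName)"
    Start-Service -InputObject $s
}
```

After the restart, a new process no longer inherits the variable; if a service fails to start, check the Windows event log for that service before retrying, since the variable removal itself cannot cause a start failure.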

[Japanese version] Mitigations for the management server and LiveUpdate Administrator against the Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)