LAST UPDATE: 12/30/2021 7:05 AM EST
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
DX Netops Spectrum 10.4.x, 20.2.x, 21.2.x
The Spectrum Domain Connector ships logstash, which uses log4j.
Therefore, it is currently vulnerable.
The following steps can be done to resolve the issue:
For logstash-input-tcp-*.jar, follow this slightly amended process for the tcp input jar, which may also include a vulnerable version of the log4j code:
Command: zip -q -d /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Alternate method:
1. Find the version of the tcp input jar that needs to be patched, from the same directory as previously:
find . -name "logstash-input-tcp-*.jar"
2. File should be located in the following directory:
/opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/
cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/
3. Follow the same process for your tcp input JAR file with:
zip -q -d logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
NOTE for installations using multiple SDC instances on the same server: each instance will need to have the offending class removed with the command:
for d in /ca/*SDM*; do zip -q -d "$d"/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/logstash-input-tcp-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; done
You can verify that the vulnerable jars were mitigated successfully by running the grep command line below:
$ cd /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/
$ grep -R 'JndiLookup.class'
$ cd /opt/CA/SDMConnector/LogMonitor/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.4-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.4/
$ grep -R 'JndiLookup.class'
If the grep command displays no file, then JndiLookup.class does not exist in any jar under the /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ directory.
You can also run this syntax from any directory (as long as the /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/ is the correct path):
$ grep -R 'JndiLookup.class' /opt/CA/SDMConnector/LogMonitor/logstash/logstash-core/lib/jars/
Be sure to do the same check for logstash-input-tcp-*.jar.
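As an added example (not Broadcom's or Elastic's code), the following Python script does the work of the zip -d and grep -R steps above across a whole directory tree: it reads each jar's entry table with zipfile, so a hit means the class is really present rather than a stray string match, and with --fix it rewrites the jar without the class. The demo() function works on a constructed throwaway jar, not the Spectrum files; the --fix flag and the sample jar name are assumptions of this example.

```python
import os, sys, tempfile, zipfile

# Entry the article deletes with `zip -d`; the path inside the jar is fixed by log4j-core.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jndi_entries(jar_path):
    """List JndiLookup entries in a jar (suffix match also catches shaded copies)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if n.endswith("lookup/JndiLookup.class")]

def strip_entries(jar_path, entries):
    """Rewrite the jar without `entries` (zipfile cannot delete in place)."""
    drop, dirname = set(entries), os.path.dirname(jar_path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, suffix=".tmp")  # same filesystem as the jar
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in drop:  # keeps compression type and timestamps
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: the original survives a failure
    return len(drop)

def scan(root, fix=False):
    """Map every *.jar under root to its JndiLookup entries, optionally stripping them."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                report[path] = found = jndi_entries(path)
                if fix and found:
                    strip_entries(path, found)
    return report

def demo():
    """Constructed sample: a jar that carries the class, fixed and re-verified."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "logstash-input-tcp-6.0.4.jar")  # name only, not the real jar
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")          # stand-in bytes, not a class
        zf.writestr("org/logstash/inputs/Tcp.class", b"keep")  # must survive the fix
    before = len(scan(root, fix=True)[jar])
    with zipfile.ZipFile(jar) as zf:
        kept = zf.namelist()  # JndiLookup gone, the other entry still present
    return before, kept

if __name__ == "__main__":
    root = next((a for a in sys.argv[1:] if a != "--fix"), ".")
    for path, hits in scan(root, fix="--fix" in sys.argv).items():
        print("VULNERABLE" if hits else "clean", path)
```

Run it with the Domain Connector stopped and a copy of each jar kept aside, since --fix replaces the file in place.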
NOTE: DX NetOps 21.2.6 is shipped with log4j 2.17.0 which addresses these vulnerabilities.
Elastic logstash discussion:
Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476