
CVE-2021-44228: Log4j Vulnerability Remediation in Web Isolation


Article ID: 230812


Products

Web Isolation, Web Isolation Cloud

Issue/Introduction

Following a thorough investigation, we have identified an underlying service that may be vulnerable to the Log4j CVE-2021-44228 vulnerability. We have created a patch that addresses the vulnerability and urge you to deploy it to all your Web Isolation gateways as soon as possible in order to avoid service interruption or the potential of a security breach. The patch needs to be applied to all TIEs, proxies and the manager.

Please note this is a critical patch that needs to be applied to ensure the Web Isolation service and its dependent services remain secure and perform as expected.

Cause

Log4j CVE-2021-44228 vulnerability.

Environment

  • 1.14 is affected
  • Versions prior to 1.14 are NOT affected
  • Web Isolation Cloud environments have been patched, no action required from customers

Resolution

Retrieve the patch download links from the Support Portal.

  1. Log in to https://support.broadcom.com/security

  2. Select Downloads

  3. Search for Web Isolation

  4. Select your 1.14.x release

  5. The patch files are log4jproject.tar.gz & log4j_patch_on_prem.sh


  6. Click the Generate button for a temporary download link or the cloud icon for a local download.


Apply the patch to each gateway.

  1. SSH to the Web Isolation gateways and log in as the fireglass user.

  2. Copy the provided files to the gateway's "/home/fireglass" folder.
    cd /home/fireglass

    If the gateway has access to the Internet, use wget to retrieve the files.
    wget <temporary download link>

    If the files were downloaded locally, you can use the WinSCP client to transfer the files.

  3. Change permission level & ownership of the files.
    sudo chmod 777 log4j_patch_on_prem.sh
    sudo chmod 777 log4jproject.tar.gz

    sudo chown fireglass:fireglass log4j_patch_on_prem.sh
    sudo chown fireglass:fireglass log4jproject.tar.gz

  4. Execute the script (replace <PASSWORD> with the fireglass account password).
    su fireglass

    ./log4j_patch_on_prem.sh <PASSWORD>
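Before and after applying the patch, a practitioner will want to confirm which log4j-core archives are actually present on a gateway and whether they still carry the JNDI lookup class that CVE-2021-44228 abuses. The scanner below is an added example, not part of this article or of the Broadcom patch; it assumes nothing about Web Isolation's file layout (you point scan_tree at a directory of your choosing, for example /opt, which is an assumed path), and build_fixture creates constructed sample jars in a temporary directory so the scanner can be exercised offline.

```python
import io, os, tempfile, zipfile

# CVE-2021-44228 affects log4j-core 2.0-beta9 to 2.14.1 (fixed in 2.15.0); deleting
# JndiLookup.class from an older jar was the Apache-documented interim mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def version_key(version):
    """'2.14.1' -> (2, 14, 1); pre-release parts such as 'beta9' sort below 0."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.replace("-", ".").split("."))

def scan_archive(zf, label, findings):
    """Record log4j-core evidence in one archive, recursing into nested jars."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode().splitlines() if "=" in l)
        version = props.get("version")
    if version or JNDI_CLASS in names:
        # Lookup class present but no version metadata: treat as vulnerable (conservative).
        vulnerable = JNDI_CLASS in names and (version is None or version_key(version) < (2, 15, 0))
        findings.append({"path": label, "version": version, "vulnerable": vulnerable})
    for name in (n for n in names if n.lower().endswith(ARCHIVES)):
        inner = io.BytesIO(zf.read(name))  # shaded/uber jars and WARs embed log4j-core
        if zipfile.is_zipfile(inner):
            scan_archive(zipfile.ZipFile(inner), f"{label}!{name}", findings)

def scan_tree(root):
    """Walk a directory tree; return one finding per log4j-core archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files)):
            if path.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
    return findings

def build_fixture():
    """Constructed sample tree (not real Web Isolation files) in a fresh temp dir."""
    root = tempfile.mkdtemp()
    samples = {"old.jar": ("2.14.1", True), "fixed.jar": ("2.17.1", True), "stripped.jar": ("2.14.1", False)}
    for name, (version, with_jndi) in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:  # nests the old jar
        zf.write(os.path.join(root, "old.jar"), "WEB-INF/lib/log4j-core-2.14.1.jar")
    return root
```

Run scan_tree against the gateway's application directories before patching to record a baseline, and again afterwards; any finding still marked vulnerable means an unpatched copy remains.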

Additional Information

  • The patch is 1.2GB in size.
  • Log reception may be delayed by up to 5 minutes, with a chance of momentary log loss, while the patch is being applied.
  • We recommend that you take a full backup (a VMware snapshot if running on ESX) before running the patch.
  • If you have questions or concerns, please reach out to Broadcom Support or your Symantec Channel Partner/Distributor for assistance.
