CVE-2021-44228: CA Client Automation R14.5 log4j vulnerability
Published On: 10-Dec-2021
Product:
CA Client Automation R14.5
CA Client Automation R14.5 Cumulative Update 1
Issue/Introduction:
CA Client Automation R14.5 is affected by the log4j vulnerability that was announced recently - CVE-2021-44228:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
Cause:
This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1
Environment:
Release: CA Client Automation R14.5 and above with Web Console installed.
Resolution:
You can follow either Option#1 or Option#2 to address this vulnerability.
Option#1
Release: CA Client Automation R14.5 and above are vulnerable to this CVE due to the versions of log4j shipped.
As Broadcom works to upgrade the log4j shipped with CA Client Automation, the following work around can be applied without affecting the product itself.
CA Client Automation ships following log4j2 jars
DSM\Web Console\webapps\AMS\WEB-INF\lib\ log4j-api-2.12.1.jar
DSM\Web Console\webapps\AMS\WEB-INF\lib\ log4j-core-2.12.1.jar
DSM\Web Console\webapps\wac\WEB-INF\lib log4j-api-2.12.1.jar
DSM\Web Console\webapps\wac\WEB-INF\lib\ log4j-core-2.12.1.jar
If you have already performed the below steps, you can directly go to the footer notes and perform the mandatory steps.
- Execute caf stop to stop CA Client Automation.
- Execute the following command:
ccnfcmda -cmd setparametervalue -ps itrm/common/caf/plugins/tomcat -pn commandline_start -v "\"C:\Program Files (x86)\CA\SC\JRE\1.8.0_212\bin\java.exe\" -Xrs -Dfile.encoding=utf8 -Xms128m -Xmx256m -XX:MaxPermSize=256m -classpath \"C:\Program Files (x86)\CA\SC\Tomcat\8.5.56\bin\bootstrap.jar\";\"C:\Program Files (x86)\CA\SC\Tomcat\8.5.56\bin\tomcat-juli.jar\" -Dcatalina.base=\"C:\Program Files (x86)\CA\DSM\Web Console\" -Dcatalina.home=\"C:\Program Files (x86)\CA\SC\Tomcat\8.5.56\" -Djava.io.tmpdir=\"C:\Program Files (x86)\CA\DSM\Web Console\temp\" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=\"C:\Program Files (x86)\CA\SC\Tomcat\8.5.56\conf\logging.properties\" -Dlog4j2.formatMsgNoLookups=\"true\" org.apache.catalina.startup.Bootstrap start"
Note: Tomcat, WebConsole and JRE paths may differ based on the installation. Replace the actual paths in the above command.
- Execute caf start to start CA Client Automation.
Footer note : (Mandatory step)
As Apache has suggested another step to mitigate even more of the risk, it is recommended that the JndiLookup.class be removed from log4j-core-2.12.1.jar.
The below procedure can be followed to remove the JndiLookup.class.
Execute the command caf stop
The jar file is located in the following folders.
<Installed Path>\DSM\Web Console\webapps\wac\WEB-INF\lib
<Installed Path>\DSM\Web Console\webapps\AMS\WEB-INF\lib
<Installed Path>\DSM\Web Console\webapps\pmengine\WEB-INF\lib
- Open the directory <Installed Path>\DSM\Web Console\webapps\wac\WEB-INF\lib
- Right click on log4j-core-2.12.1.jar file and select 7-zip and Open archive.
Note: Please use any available compression tool to open the jar file. In this example, we used 7-zip.
- Traverse to org\apache\logging\log4j\core\lookup\
- Right Click on class file and select the Delete option to delete the file.
- Click on the OK button to delete the file.
- Close the 7-zip window.
- Repeat the same steps for AMS and pmengine
- Execute the command caf start
Option#2
Patch has been published and is available in the support site at below link.
Patch number: 99111310
https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111310&os=WINDOWS-ALL
Additional Information
https://nvd.nist.gov/vuln/detail/CVE-2021-44228