DX Unified Infrastructure Management


CVE-2021-44228: Log4j Vulnerability UIM impact?

TaeHyun Kim, Dec 12, 2021 10:01 AM

  • 1.  CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 12, 2021 10:01 AM
    Edited by TaeHyun Kim Dec 12, 2021 07:04 PM
    Hi All

    Solved.

    Thank you.


  • 2.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 12, 2021 09:10 PM
    Hello.

    I followed the KB and the probe baseline_engine is red.

    Could you please advise on it? Thanks

    https://knowledge.broadcom.com/external/article?articleId=230333


  • 3.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 06:24 AM
    I've created these packages, which replace the existing jar files with updated/fixed jar files.
    Contains:
    ADE
    Baseline_engine
    Prediction_engine

    Attachment(s)

    zip
    log4j2_packages.zip   2.96 MB 1 version


  • 4.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:03 AM
    Dear Expert,

    Can I check which version of CA UIM is affected by Log4j?
    Is it all versions?


  • 5.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:05 AM
    Hello,

    It looks like all UIM releases through 20.3.x are affected.

    RJ



  • 6.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:12 AM
    Hi. Thank you for the packages.
    Do I just deploy to the archive and then to the affected UIM?


  • 7.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:13 AM
    Yes, extract the 3 packages from the attached zip to the archive, then deploy.


  • 8.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:50 PM
    Hi Nick, can these be used for all versions of UIM, including pre 20?


  • 9.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Broadcom Employee
    Posted Dec 14, 2021 08:28 AM
    Matthew,
    No, these probes are version specific and support 20.3, which is the only version currently supported. For old EOS versions it will be necessary to follow the steps in the KB doc.


  • 10.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 07:15 AM
    Are discovery_agent/server and topology_agent not affected?


  • 11.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 13, 2021 01:18 PM
    Followed the KB article, and went through the steps for ADE, baseline_engine, and prediction_engine. The problem we ran into is that the JNDILookup.class file isn't there to delete on any device where the probes are deployed. What do we do if this file isn't there to delete? Is this a problem?


  • 12.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Broadcom Employee
    Posted Dec 13, 2021 01:23 PM
    Hi David,

    The hotfixes for log4j vulnerability issue are now available here:

    https://support.broadcom.com/download-center/solution-detail.html?aparNo=LU03862&os=MULTI-PLATFORM

    The KB Article has also been updated with this link.

    Steve



    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 13.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 15, 2021 11:07 AM
    Hi All
    I am using UIM 20.1.
    I was not able to find the file Log4j-core-2.5.jar or log4j-core-2.7.jar in the ade folder. For the rest of the probes I did the changes. So what does this mean for the ade probe: is it not vulnerable?


  • 14.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 17, 2021 04:13 AM

    Hi

    The vulnerability is known to be present in 2.0 <= Apache log4j <= 2.15.0.

    I also find traces of log4j in folders other than those mentioned in the KB.

    What about these:

    1. ./c/buildomatic/conf_source/iePro/lib/log4j-core-2.12.1.jar
    2. ./c/buildomatic/install_resources/war/jasperserver-pro/WEB-INF/lib/log4j-core-2.12.1.jar
    3. ./c/buildomatic/target/log4j-core-2.11.2.jar
    4. ./probes/service/wasp/webapps/cabijs/WEB-INF/lib/log4j-core-2.12.1.jar
    5. ./probes/service/wasp/webapps/uimapi/WEB-INF/lib/log4j-core-2.7.jar

    1-3 are probably related to the cabi install process. Can the folders be removed after installation?

    As a quick step I have removed the JNDILookUp.class where found.

    What's the official response?






  • 15.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 20, 2021 09:09 AM
    Hi all

    Just got updated that log4j version 2.16 is also vulnerable, so I was asked whether UIM uses version 2.16 or not. If yes, where, and what would the remediation be?

    Please suggest



  • 16.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted Dec 21, 2021 08:26 AM
    What about the log4j in discovery_agent. During our security scan they have found discovery_agent also as risk. Below is what our security team found:

    ######################
    Plugin Output:
    Path : D:\Program Files (x86)\Nimsoft\probes\service\discovery_agent\lib\log4j-1.2.17.jar
    Installed version : 1.2.17
    Fixed version : 2.16.0

    A package installed on the remote host is affected by a remote code execution vulnerability.

    The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.

    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

    ###########################
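    Several posts in this thread ask the same two questions: which log4j jars exist under a UIM install outside the folders the KB lists (post 14's five paths, post 16's discovery_agent finding), and whether the JndiLookup class is present (post 11 could not find it as a file, because it is an entry inside the log4j-core jar archive, not a file on disk). The following Python script is an added example, not code from this thread, from Broadcom, or from the KB article. It walks a directory tree, inventories every log4j / log4j-core jar by file name, reads the version from the jar manifest (falling back to the file name), and checks inside the archive for the JndiLookup entry. The 2.17.0 threshold is an assumption taken from the developer note in this thread about moving probes to log4j 2.17; the sample tree built by build_sample_tree() contains constructed fake jars named after paths quoted in the thread, so it runs offline without touching a real install.

    ```python
    """Inventory log4j jars under a UIM install tree and check each archive for JndiLookup.

    Added example, not part of the thread. Run against a real tree with:
        python log4j_inventory.py /opt/Nimsoft
    or with no argument to scan a constructed sample tree.
    """
    import os
    import re
    import sys
    import tempfile
    import zipfile

    # The KB's mitigation deletes this entry from inside the jar; it is not a loose file on disk.
    JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    # Matches log4j-core-2.x jars and the classic log4j-1.x jar the scanner in post 16 flagged.
    JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
    # Assumption: anything below 2.17.0 is reported as needing an upgrade, following the
    # developer note in this thread about moving the probes to log4j 2.17.
    MIN_SAFE = (2, 17, 0)


    def parse_version(text):
        """'2.12.1' -> (2, 12, 1); a non-numeric suffix such as '-beta9' is dropped."""
        parts = []
        for piece in text.split("."):
            digits = re.match(r"\d+", piece)
            if not digits:
                break
            parts.append(int(digits.group()))
        return tuple(parts)


    def jar_version(path):
        """Version from META-INF/MANIFEST.MF if present, otherwise from the file name."""
        with zipfile.ZipFile(path) as zf:
            manifest = ""
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if match:
            return match.group(1)
        match = JAR_NAME.match(os.path.basename(path))
        return match.group(1) if match else None


    def assess_jar(path):
        """Classify one jar: version, whether JndiLookup is inside it, and a status label."""
        version = jar_version(path)
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
        ver = parse_version(version) if version else ()
        if not ver:
            status = "unknown-version"
        elif ver[0] < 2:
            # log4j 1.x is outside the scope of CVE-2021-44228 (post 17); review its config separately.
            status = "log4j-1.x-not-affected-by-CVE-2021-44228"
        elif ver >= MIN_SAFE:
            status = "fixed"
        elif has_jndi:
            status = "vulnerable-upgrade-or-remove-JndiLookup"
        else:
            status = "mitigated-JndiLookup-removed-but-below-2.17"
        return {"path": path, "version": version, "jndi_lookup_present": has_jndi, "status": status}


    def scan_tree(root):
        """Walk the tree and assess every jar whose name matches JAR_NAME."""
        findings = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if JAR_NAME.match(name):
                    findings.append(assess_jar(os.path.join(dirpath, name)))
        return sorted(findings, key=lambda f: f["path"])


    def summarize(root):
        """Map jar file name -> status label; convenient for a report or an assertion."""
        return {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}


    def build_sample_tree():
        """Constructed sample (not a real install): fake jars laid out like paths quoted in the thread."""
        root = tempfile.mkdtemp(prefix="uim-log4j-")

        def write_jar(rel, version, with_jndi):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr("META-INF/MANIFEST.MF",
                            "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
                if with_jndi:
                    zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

        write_jar("probes/service/wasp/webapps/uimapi/WEB-INF/lib/log4j-core-2.7.jar", "2.7", True)
        write_jar("c/buildomatic/target/log4j-core-2.11.2.jar", "2.11.2", False)
        write_jar("probes/service/discovery_agent/lib/log4j-1.2.17.jar", "1.2.17", False)
        write_jar("probes/ade/lib/log4j-core-2.17.0.jar", "2.17.0", True)  # hypothetical fixed jar
        return root


    if __name__ == "__main__":
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
        for finding in scan_tree(target):
            print("%-45s %-8s jndi=%-5s %s" % (os.path.relpath(finding["path"], target),
                                              finding["version"], finding["jndi_lookup_present"],
                                              finding["status"]))
    ```

    The status labels separate the cases the thread keeps conflating: a jar below the threshold whose JndiLookup entry is still present, a jar where the KB's removal step has already been applied, a log4j 1.x jar that a version-only scanner will flag but that is outside this CVE's scope, and a jar at or above the assumed safe version. Running it over the whole install root rather than only the probe folders named in the KB is what surfaces the cabi and wasp copies listed in post 14.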


  • 17.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Broadcom Employee
    Posted Dec 21, 2021 09:03 AM
    As per development:
    We have not found any explicit use of layout pattern lookups such as "${ctx:" which leads to this vulnerability. So, there is no impact. As a proactive measure we are checking on upgrading to log4j 2.17 in a subsequent release/HF of the probes which use log4j2. Note: This vulnerability is not applicable for older versions of log4j 1.x.


  • 18.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted 30 days ago
    Hi Everyone...

    Will upgrading to UIM 20.4 resolve this vulnerability?


  • 19.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Broadcom Employee
    Posted 30 days ago
    20.4 addresses the vulnerabilities applicable to UIM.


  • 20.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted 23 days ago
    Hi @David Michel I have another question.
    I have another environment with UIM 20.1. Can I apply the update to the baseline, prediction and snmpcollector probes in a hub/robot, or should it be done manually?

    If I look at baseline, for example, it indicates it is applicable for UIM 20.3.x:

    baseline_engine_20.10_HF1
    Release Date: 13 Dec 2021
    Applicable for: UIM 20.3.x


  • 21.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted 14 days ago
    I just patched a 20.3.0 as per the LU04071 with 8x webapps/probes deployed. All went well except that my OC home page wheel spins. Most of the other OC portlets seem to work except when drilling down to a Windows server under Inventory. Do you think I should upgrade to 20.3.3 (which I cannot find on the support Downloads page) or take a 'risk' and go for the newer 20.3.4 (which is on the support Downloads page)?


  • 22.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Broadcom Employee
    Posted 14 days ago
    20.3.3 is at the hotfix site:
    https://support.broadcom.com/external/content/release-announcements/CA-Unified-Infrastructure-Management-Hotfix-Index/7233

    However, the recommendation is to upgrade to 20.4.
    If the problem remains after the upgrade, open a support case.


  • 23.  RE: CVE-2021-44228: Log4j Vulnerability UIM impact?

    Posted 14 days ago
    Just to follow on to David's comment, don't get misled by the UIM version numbers. They're mostly driven off date and a perception of the number of changes that the product management group thinks is important. From a realistic point of view 20.4 is just another in a sequence of patch versions for 20.0. It might be better named 20.0.7, for instance. From my experience it is the best version so far in the 20.x line of versions too - granted it still is far from reaching parity with the 9.x product with regards to user interface aspects, but the controller/hub versions (9.34) included seem to work much better, and you get the log4j fixes (minus a recent one you need to patch) out of the box and, at least on Windows, fewer routine probe crashes.

    Also, if you do have a problem that turns out to be a defect that requires a code change to correct, getting that change into 20.4.1 is going to be more easily done by Broadcom than getting it into an older version.