CA Service Management

  • 1.  CA Service Desk Manager 17.1 & Vulnerability CVE-2021-44228 Apache Log4j 2 &

    Posted Dec 16, 2021 06:39 PM
    Edited by STUART MATTHEWS Dec 16, 2021 07:06 PM
    Hello,

    On our SDM 17.1 servers I see these two files:

    C:\Program Files (x86)\CA\Service Desk Manager\java\lib\log4j-api-2.3.jar
    C:\Program Files (x86)\CA\Service Desk Manager\java\lib\log4j-core-2.3.jar

    Does anyone have the specific steps to mitigate the log4j vulnerability (CVE-2021-44228) in SDM 17.1?

    Or can confirm it's the same steps?

    There is only an article for SDM 17.2 & 17.3
    CVE-2021-44228 - log4j Vulnerability in CA Service Desk Manager


    Thanks
    Stuart


  • 2.  RE: CA Service Desk Manager 17.1 & Vulnerability CVE-2021-44228 Apache Log4j 2 &

    Posted Dec 16, 2021 08:38 PM
    Edited by STUART MATTHEWS Dec 19, 2021 10:56 PM
    For our SDM 17.1.0.11 instance, for Step 2 of CVE-2021-44228 - log4j Vulnerability in CA Service Desk Manager, inside "$NX_ROOT\pdmconf\pdm_startup.i" I don't see a macro titled SDM_TELEMETRY; however, this command is present in 5 other macros: RPC_SRVR, PDM_MAILEATER_NXD, PDM_CATALOG_SYNC, PDM_XMATTERS_SYNC & PDM_HW_NXD
    command = "$NX_JRE_INSTALL_DIR/bin/java -Djava.net.preferIPv4Stack=false

    Step 3 for AMS isn't relevant for us either, as "$NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\AMS\WEB-INF\classes\log4j2.xml" doesn't exist.

    Steps for our SDM 17.1.0.11 Windows instance appear to be:

    1. Open $NX_ROOT\site\cfg\sdmp.log4j.properties and find and replace
    %msg%n
    with
    %msg{nolookups}%n

    2. Open $NX_ROOT\site\cfg\sdmp.log4j.properties.tpl and find and replace
    %msg%n
    with
    %msg{nolookups}%n

    3. Open $NX_ROOT\bin\sdmp.bat and find and replace
    "%NX_JRE_INSTALL_DIR%/bin/java" -cp %LIB%/sdmp.jar
    with
    "%NX_JRE_INSTALL_DIR%/bin/java"  -Dlog4j2.formatMsgNoLookups=true -cp %LIB%/sdmp.jar

    4. Open NX_ROOT\java\lib\log4j-core-2.3.jar with 7-Zip (As Administrator) and delete
    JndiLookup.class from org/apache/logging/log4j/core/lookup


  • 3.  RE: CA Service Desk Manager 17.1 & Vulnerability CVE-2021-44228 Apache Log4j 2 &

    Posted Dec 23, 2021 07:39 PM
    Hi, 
    I'm in the same situation but with a 17.0 version. Found the same files as you. Did you delete the JndiLookup class from the jar file (#4)? Any problems seen so far with that?
    Seems that the current mitigation from the log4j team is to remove the class from the jar or upgrade. The other steps previously mentioned have been discredited. 

    Thanks,
    Thomas


  • 4.  RE: CA Service Desk Manager 17.1 & Vulnerability CVE-2021-44228 Apache Log4j 2 &

    Posted Jan 17, 2022 04:26 PM

    Hi Thomas, yes I did this, I'm not aware of any issues:

    4. Open NX_ROOT\java\lib\log4j-core-2.3.jar with 7-Zip (As Administrator) and delete
    JndiLookup.class from org/apache/logging/log4j/core/lookup


  • 5.  RE: CA Service Desk Manager 17.1 & Vulnerability CVE-2021-44228 Apache Log4j 2 &

    Posted Jan 18, 2022 04:58 AM
    Hi, 
    For records, I did the same and haven't seen any issues either. Searched for all log4j libraries and where I found version 2 I removed the JndiLookup class from the jar. 

    Thanks,
    -Thomas
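
The jar-editing step from post #2 and the "search every log4j library, remove the class where it is version 2" approach from post #5 can both be done and, more importantly, verified from PowerShell instead of by hand in 7-Zip. The script below is an added example for this thread; it is not from the original posts and not a Broadcom/CA tool. It walks an SDM install root, reports every log4j-core jar and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside it, and with -Remove takes a timestamped backup of the jar and deletes the entry, re-checking afterwards. The default root path, the backup naming and the script name (Find-Log4jJndiLookup.ps1) are assumptions for the example; run it from an elevated prompt with the SDM services stopped so the jar is not locked. One caveat worth knowing when reading the earlier steps: the log4j2.formatMsgNoLookups property is only honoured by Log4j 2.10 and later, so for the 2.3 jar shipped with SDM 17.1 it is the class removal (or an upgrade) that actually closes the JNDI lookup path.

```powershell
# Find-Log4jJndiLookup.ps1 (hypothetical name) - added example, not part of the thread or product.
# Audits log4j-core jars under an SDM install root and optionally removes JndiLookup.class.
param(
    # Assumption: default matches the path quoted in post #1; override with your $NX_ROOT.
    [string]$Root = 'C:\Program Files (x86)\CA\Service Desk Manager',
    [switch]$Remove
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Entry path inside the jar, as given in step 4 of post #2 (jar entries always use '/').
$script:EntryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Test-JarHasJndiLookup {
    param([Parameter(Mandatory)][string]$JarPath)
    # Open read-only so a plain audit never modifies anything.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        return ($null -ne $zip.GetEntry($script:EntryName))
    } finally {
        $zip.Dispose()
    }
}

function Remove-JndiLookupFromJar {
    param([Parameter(Mandatory)][string]$JarPath)
    # Keep a copy of the untouched jar beside it before editing (backup naming is an assumption).
    $backup = "$JarPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Copy-Item -LiteralPath $JarPath -Destination $backup
    $zip = [System.IO.Compression.ZipFile]::Open($JarPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $entry = $zip.GetEntry($script:EntryName)
        if ($null -ne $entry) { $entry.Delete() }
    } finally {
        $zip.Dispose()
    }
    return $backup
}

function Get-Log4jCoreReport {
    param([string]$Root, [switch]$Remove)
    # SDM 17.1 ships log4j-core-2.3.jar under java\lib, but embedded Tomcat or other
    # components may carry their own copies, so search the whole tree as post #5 did.
    $jars = Get-ChildItem -LiteralPath $Root -Recurse -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue
    foreach ($jar in $jars) {
        $before = Test-JarHasJndiLookup -JarPath $jar.FullName
        $backup = $null
        $after  = $before
        if ($before -and $Remove) {
            $backup = Remove-JndiLookupFromJar -JarPath $jar.FullName
            # Re-open the jar and confirm the entry is really gone.
            $after  = Test-JarHasJndiLookup -JarPath $jar.FullName
        }
        [pscustomobject]@{
            Jar                 = $jar.FullName
            JndiLookupBefore    = $before
            JndiLookupAfter     = $after
            Backup              = $backup
        }
    }
}

Get-Log4jCoreReport -Root $Root -Remove:$Remove | Format-Table -AutoSize
```

Run it once without -Remove to see which jars still carry the class (a second copy under $NX_ROOT\bopcfg\www\CATALINA_BASE would show up here), then again with -Remove. A row whose JndiLookupAfter is still True means the delete did not take, typically because the jar was open in a running JVM; the .bak file lets you restore the jar if a component misbehaves afterwards.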