ESP dSeries Workload Automation

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

****Please note that the mitigation procedure is updated by Apache and as a result , we have updated the kb article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE.  Please review it again for the new procedure.****

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

Added comments for Web Client as well -

We have reviewed the Web Client log4j during analyzing all the components and since we use SpringBoot component for it, according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

"Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable. "

Since we are using default spring logging , so we are not affected by this even though the log4j2 jars are present in 12.3 version.

DE Server / Web Client Patches:

ESP Workload Automation DE and Web Client patches to address Log4j Vulnerability patched with log4j.2.16 jar version. 

Web Client (12.3.00.00-2321) – 99111317  --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111317&os=MULTI-PLATFORM

DE (dSeries) Server  – 99111315   --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111315&os=MULTI-PLATFORM

Web Client Patch is only for r12.3 version, other supported web client versions are not affected (Normal Cumulative patch).

DE (dSeries) Server Patch is for r12.1, r12.2, r12.3 supported DE versions. No need to shutdown the server. This has to be applied on Server, Standby and Standalone installation.

****Please note that the mitigation procedure is updated by Apache and as a result , we have updated the kb article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE.  Please review it again for the new procedure.****

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

Added comments for Web Client as well -

We have reviewed the Web Client log4j during analyzing all the components and since we use SpringBoot component for it, according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

"Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable. "

Since we are using default spring logging , so we are not affected by this even though the log4j2 jars are present in 12.3 version.

DE Server / Web Client Patches:

ESP Workload Automation DE and Web Client patches to address Log4j Vulnerability patched with log4j.2.16 jar version. 

Web Client (12.3.00.00-2321) – 99111317  --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111317&os=MULTI-PLATFORM

DE (dSeries) Server  – 99111315   --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111315&os=MULTI-PLATFORM

Web Client Patch is only for r12.3 version, other supported web client versions are not affected (Normal Cumulative patch).

DE (dSeries) Server Patch is for r12.1, r12.2, r12.3 supported DE versions. No need to shutdown the server. This has to be applied on Server, Standby and Standalone installation.

****Please note that the mitigation procedure is updated by Apache and as a result , we have updated the kb article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE.  Please review it again for the new procedure.****

ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE

Please note that Agents are not shipping any version of log4j.

Added comments for Web Client as well -

We have reviewed the Web Client log4j during analyzing all the components and since we use SpringBoot component for it, according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

"Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable. "

Since we are using default spring logging , so we are not affected by this even though the log4j2 jars are present in 12.3 version.