ESP dSeries Workload Automation

 View Only
  • 1.  dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Broadcom Employee
    Posted Dec 13, 2021 12:30 AM
    Edited by Ravi Kiran Kunduri Dec 17, 2021 01:01 AM

    ****Please note that the mitigation procedure is updated by Apache and as a result , we have updated the kb article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE.  Please review it again for the new procedure.****



    ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache.  CVE identifier CVE-2021-44228 has been assigned to this vulnerability.  This is a Critical vulnerability, and exploit code is in the wild.  The Log4j team has addressed the vulnerability in Log4j 2.15.0. 

    Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1

    CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

    Please note that dSeries is shipping log4j 2.11.0 version in migration folder of server in 12.1 to 12.3 releases from the supported versions . Please review the article  - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE


    Please note that Agents are not shipping any version of log4j.

    Added comments for Web Client as well -

    We have reviewed the Web Client log4j during analyzing all the components and since we use SpringBoot component for it, according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

    “Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable. “

     

     

    Since we are using default spring logging , so we are not affected by this even though the log4j2 jars are present in 12.3 version.



  • 2.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Posted Dec 15, 2021 09:31 AM
    Is there any update on Web Client DE? Our security admin is saying it is potentially affected.


  • 3.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Broadcom Employee
    Posted Dec 16, 2021 08:21 AM
    The DE Web Client is not affected, it is using older version, log4j-1.2.15.  See the CVE link for more details.


    Nitin Pande

    ------------------------------
    Support
    Broadcom
    Toronto
    ------------------------------



  • 4.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Posted Dec 16, 2021 11:18 AM
    Hi Nitin,
    Sorry for bodering you, but do you know if previous versions of CAWA like 11.3 are also in risk for this vulnerability?

    Thanks,
    Isaac


  • 5.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Broadcom Employee
    Posted Dec 16, 2021 11:40 AM
    DE version 11.3 is not affected.

    HTH,
    Nitin Pande

    ------------------------------
    Support
    Broadcom
    Toronto
    ------------------------------



  • 6.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Posted Dec 16, 2021 01:11 PM
    Thanks a lot for your help.

    Regards,
    Isaac


  • 7.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Broadcom Employee
    Posted Dec 24, 2021 01:52 AM
    Product team has come up with the following patches that are updated in the kb article - https://knowledge.broadcom.com/external/article/230329/cve202144228-log4j-vulnerability-and-es.html which will update the log4j2.x version to log4j 2.16.

    DE Server / Web Client Patches:

    ESP Workload Automation DE and Web Client patches to address Log4j Vulnerability patched with log4j.2.16 jar version. 

    Web Client (12.3.00.00-2321) – 99111317  --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111317&os=MULTI-PLATFORM

    DE (dSeries) Server  – 99111315   --  https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111315&os=MULTI-PLATFORM

    Web Client Patch is only for r12.3 version, other supported web client versions are not affected (Normal Cumulative patch).

    DE (dSeries) Server Patch is for r12.1, r12.2, r12.3 supported DE versions. No need to shutdown the server. This has to be applied on Server, Standby and Standalone installation.




  • 8.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Posted Jan 03, 2022 08:13 PM
    I downloaded and applied the patch to my servers for dseries 12.2 Server but now the security team at my company is saying that 2.16 still has vulnerability and want to know when we can update to 2.17.   Is there a plan for your Product Team to create a patch to update the log4j2.x version to log4j 2.17?  And, if so is there a release date?    I need to communicate this to my security team as quickly as possible.   Thanks


  • 9.  RE: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

    Broadcom Employee
    Posted Jan 04, 2022 11:38 PM
    Hi,

    The Product team have analyzed the vulnerability fixed in 2.17 version and we see we are not affected by it. So 2.16 version which contains the fix for zero day vulnerability should be good enough.

    Hope it helps!
    Ravi Kiran