Impact of CVE-2021-44228 Apache Log4j Vulnerability on InfoScale

Article: 100052064
Last Published: 2022-01-19
Product(s): InfoScale & Storage Foundation

About Apache Log4j Vulnerabilities

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The Apache Software Foundation has released several security advisories to address remote code execution vulnerabilities affecting Log4j versions 2.0-beta9 to 2.16. A remote attacker could exploit these vulnerabilities to take control of an affected system.

More information is available in the Apache announcement, which recommends upgrading to the latest Log4j release or applying the recommended mitigations immediately.

Issues


CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Versions Affected: All versions from 2.0-beta9 to 2.16.0

CVE-2021-4104 (JMSAppender): JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.

CVE-2021-44832: InfoScale and VIOM patches were released with Log4j 2.17.1. Links are updated below.

CVE-2019-17571: Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.

CVSS Base Score: 9.8 (Critical Severity)

Note 1:
The mitigation steps and hotfixes (HF) below address both CVE-2021-45046 and CVE-2021-44228.

Note 2:
CVE-2021-45105 is not exploitable in InfoScale Licensing Service and Veritas InfoScale Operations Manager – Management Server.

Note 3:
Windows managed hosts (MHs) are affected by CVE-2021-4104 and CVE-2019-17571. The permanent fix is included in the table below.

 

Affected Versions

Veritas is aware of this recently announced zero-day vulnerability, and both the Product Security and Development teams are actively reviewing our software to determine whether the vulnerability exists in any of our products.

If we determine that a particular product is impacted by the issue, Veritas will provide temporary mitigation guidance while we work to quickly provide a patch that permanently addresses the issue. This is an urgent issue, and we are working aggressively to help keep our customers secure. We will provide updates and guidance as soon as possible.
 

Product / Component

Version

Mitigation Steps

Permanent Fix

Veritas InfoScale Operations Manager – Management Server

7.3.1 and lower (Linux)

Veritas strongly recommends that customers upgrade to Veritas InfoScale Operations Manager 7.4.2 or the latest release in order to be able to perform the mitigation steps provided below.

https://www.veritas.com/content/support/en_US/downloads/update.UPD329228

 

Note 1: VIOM Management Servers must first be upgraded to 7.4.2.500 prior to applying this patch; otherwise future upgrades will overwrite this hotfix.

Note 2: The VIOM agent for InfoScale 8.0 on Windows currently uses log4j version 2.14, so this patch is required regardless of whether the host itself is registered with a VIOM management server.

 

Veritas InfoScale Operations Manager – Management Server

7.3.1 and lower(Windows)

Veritas strongly recommends customers upgrade to Veritas InfoScale Operations Manager 7.4.2 or the latest release. 

Veritas InfoScale Operations Manager – Management Server

7.4 (Linux)

Perform the mitigation steps provided below only if cmsCollector.jar is present at the following location:

# ls -l /opt/VRTSsfmcs/webgui/vom/WEB-INF/lib/cmsCollector.jar

Veritas InfoScale Operations Manager – Management Server

7.4.2, 8.0 (Linux)

Follow the mitigation steps.

Veritas InfoScale Operations Manager – Management Server

7.4, 7.4.2, 8.0

(Windows)

Please stop the cmsCollector on every reboot.

%ProgramFiles%\Veritas\VRTSsfmcs\bin\cmsCollector.exe -tcstop

Veritas InfoScale Operations Manager – Management Server

7.0 -> 8.0 (Windows VIOM Agent (Managed Hosts))

No mitigation steps.

https://www.veritas.com/content/support/en_US/downloads/update.UPD329228

Note :

Install the hotfix on Windows InfoScale servers even if they are not reporting to VIOM Management Servers

OR

Remove the directory C:\Program Files\Veritas\VRTSsfmh\lib\jars\vmf. The VIOM MH then works as expected and there is no need to install the VIOM hotfix.

Veritas InfoScale Operations Manager – Management Server

7.0 and earlier

Windows VIOM Agent (Managed Hosts )
No mitigation steps.

1) Upgrade to the latest VIOM Agent (7.4.2.500)

2) Install the hotfix

https://www.veritas.com/content/support/en_US/downloads/update.UPD329228

OR

Remove the C:\Program Files\Veritas\VRTSsfmh\lib\jars\vmf folder.

Infoscale Licensing Service

8.0

N/A. Not using Java.

InfoScale Licensing Service

8.0 Containers (Kubernetes / OpenShift)

No mitigation steps. 

    
If InfoScale version 8.0 is already deployed, remove it and perform a fresh deployment of InfoScale version 8.0.1.

1. For OpenShift clusters with internet connectivity, install InfoScale Operator Bundle 8.0.2 from the Red Hat catalog (Operator Hub).

The latest InfoScale Operator Bundle (8.0.2) is available at the following location: https://catalog.redhat.com/software/containers/veritas-technologies/infoscale-operator-bundle/6141da20d23dceab2969508b

2. For OpenShift clusters in a restricted network environment, and for Kubernetes, the InfoScale image and YAML tarballs are available in the Veritas Download Center.

https://www.veritas.com/content/support/en_US/downloads/update.UPD655095
 

InfoScale Licensing Service

7.4.3

Perform the mitigation steps provided below.

Fix details are included below the mitigation steps.

 

Note: For 6.2 -> 7.4 (Linux/Unix) and 7.0 -> 7.4 (Windows), install the hotfix only if the UIS licensing service was deployed by specifically installing the sig_licensing update.

This can be verified on the systems by checking for the presence of the following file.

Linux/Unix:

/opt/VRTSvlic/tele/bin/TelemetryCollector.jar

Windows:

Go to the InfoScale installation directory.

Example: C:\Program Files\Veritas\Veritas Shared\VPI\{F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1}\tele\TelemetryCollector.jar

Note: the {F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.00000.1} part of the path can differ on each InfoScale node depending on the host and the InfoScale version.

InfoScale Licensing Service

7.4.1 & 7.4.2

 

The recommendation is to upgrade to the latest VRTSvlic patch (Python-based collector) for Linux, and to sig_licensing-WIN-Patch (Python-based collector) for Windows, for a permanent solution.

or

Follow the mitigation steps as a temporary workaround.

InfoScale Licensing Service

6.2 - > 7.4

(Linux/Unix)

These versions are vulnerable only if the UIS licensing service was deployed by specifically installing the sig_licensing update.

This can be verified on the systems by checking for this file.

Linux/Unix:

/opt/VRTSvlic/tele/bin/TelemetryCollector.jar

If the file is present, stop the TelemetryCollector as described in the mitigation steps.

InfoScale Licensing Service

7.0 -> 7.4 (Windows)

These versions are vulnerable only if the UIS licensing service was deployed by specifically installing the sig_licensing update.

This can be verified on the systems by checking for this file.

Windows:

Go to the InfoScale installation directory.

Example: C:\Program Files\Veritas\Veritas Shared\VPI\{F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1}\tele\TelemetryCollector.jar

Note: the {F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.00000.1} part of the path can differ on each InfoScale node depending on the host and the InfoScale version.

If the file is present, stop the TelemetryCollector as described in the mitigation steps.

Storage Foundation Licensing Service

6.1 and earlier

(Linux/Unix). 

N/A. Not using Java.

Storage Foundation Licensing Service

7.4.3, 6.1 and earlier (Windows)

Not impacted.

Veritas Management Console (Java GUI)

Veritas Enterprise Administrator (VEA)

All versions

These tools do not use Log4j, so they are not exposed.

 

 

*** This KB article covers mitigation steps for the products/components identified in the above table ***

Please revisit this document for any changes as we continue our investigation.

When making the changes recommended below, please see the following notes.

NOTE 1: The Java GUI and VEA do not use Log4j, so they are not exposed.

NOTE 2: For VIOM Management HA-DR servers, ensure the mitigation steps are completed on all active and inactive nodes of the cluster.

 

Mitigation steps for Veritas InfoScale Management Primary server

 

Mitigation for Veritas InfoScale Operations Manager (VIOM) 7.4, 7.4.2 and 8.0 - Linux

1) Log in to the VIOM Management Server as an admin/root user.

2) Stop the VIOM web server.

   # /opt/VRTSsfmcs/bin/vomsc --stop web

3) Remove the JndiLookup class from the /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar file (the loop below deletes it from every log4j-core jar found under /opt/VRTSsfmcs).

   # for log4jcore in $(find /opt/VRTSsfmcs -name '*log4j*core*.jar' 2>/dev/null); do echo "$log4jcore"; zip -q -d "$log4jcore" org/apache/logging/log4j/core/lookup/JndiLookup.class; done

Note: the zip utility is required to run the above command.

Example output:
   /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar

4) Start the web service.
   # /opt/VRTSsfmcs/bin/vomsc --start web

5) Stop the cmsCollector service.
   # /opt/VRTSsfmcs/bin/cmsCollector -tcstop

6) Verify the cmsCollector status.
   # /opt/VRTSsfmcs/bin/cmsCollector -status

 

Note 1: Steps 5 and 6 need to be repeated after every reboot.

Note 2 : Ignore the “Either cmsCollector process is not running or valid license key is not installed for this Management Server.” fault in VIOM Management Console. 
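As an added defender-side check that is not part of the Veritas article: the script below audits every log4j-core jar under a VIOM install root the way step 3's find loop does, reports each jar as fixed (manifest version 2.17.1 or later, the version the hotfixes ship), mitigated (JndiLookup.class already removed) or vulnerable, and includes a pure-Python stand-in for the zip -d step for hosts where the zip utility is missing. The /opt/VRTSsfmcs root is from the page; the sample jars it builds are constructed, and reading Implementation-Version from the jar manifest is an assumption about how the jar was packaged.

```python
import fnmatch, os, re, shutil, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 1)  # Log4j version the page's 2.17.1 hotfixes ship

def classify(jar):
    """'fixed' (manifest says 2.17.1+), 'mitigated' (JndiLookup.class removed) or 'vulnerable'."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    m = re.search(rb"^Implementation-Version:\s*([\d.]+)", manifest, re.M)  # assumed manifest key
    if m and tuple(int(p) for p in m.group(1).decode().split(".")) >= FIXED:
        return "fixed"  # 2.17.1 still ships JndiLookup.class, so presence alone would misreport it
    return "vulnerable" if JNDI_CLASS in names else "mitigated"

def audit(root="/opt/VRTSsfmcs"):
    """Status of every *log4j*core*.jar under root (the page's find pattern)."""
    return {os.path.join(d, n): classify(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in fnmatch.filter(files, "*log4j*core*.jar")}

def remove_jndi_lookup(jar):
    """Pure-Python equivalent of the page's `zip -q -d <jar> .../JndiLookup.class`."""
    tmp = jar + ".tmp"
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar)  # replace in place, as zip -d does
    return classify(jar) != "vulnerable"

def make_sample_jar(path, version):
    """Constructed stand-in for a log4j-core jar: manifest plus an empty JndiLookup.class."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_CLASS, b"")

def demo():
    """Constructed sample: audit two jars, mitigate the 2.14.1 one as step 3 does, re-audit."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "webgui", "tomcat", "lib", "log4j-core.jar")
    make_sample_jar(old, "2.14.1")
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    rel = lambda res: {os.path.relpath(j, root).replace(os.sep, "/"): s for j, s in res.items()}
    before = rel(audit(root))
    remove_jndi_lookup(old)
    after = rel(audit(root))
    shutil.rmtree(root)
    return before, after
```

Run audit() without arguments on a VIOM Management Server to list the real jars; any jar still reported as vulnerable after step 3 was missed by the zip loop.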

 

Mitigation steps for Veritas InfoScale Licensing Service

 

Linux, UNIX Platforms (All affected versions):

Stop the Telemetry Collector. You need to perform this step after every system reboot.

    # /opt/VRTSvlic/tele/bin/TelemetryCollector -tcstop

    # /opt/VRTSvlic/tele/bin/TelemetryCollector -status    (should report stopped)

 
Windows Platform (All affected versions):

Stop the Telemetry Collector process. You need to perform this step after every system reboot.

Go to the InfoScale installation directory.

Example: C:\Program Files\Veritas\Veritas Shared\VPI\{F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1}\

Note: the {F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1} part of the path can differ on each InfoScale node depending on the host and the InfoScale version.

1. Open a command prompt and change to the above path.

2. Run: TelemetryCollector.exe -tcstop

Ignore the “TelemetryCollector process is not running on this host” fault in the VIOM Management Console if the InfoScale server is reporting to a VIOM Management Server.

 

Permanent Fix for Veritas InfoScale Licensing Service

 

Links to permanent fix (replaced Java with Python for InfoScale)

Windows (7.4.2):
sig_licensing-WIN-Patch-7.4.2.300: https://www.veritas.com/content/support/en_US/downloads/update.UPD321727.html

RHEL (7.4.2):
RHEL7 7.4.2 U3: https://www.veritas.com/content/support/en_US/downloads/update.UPD248334.html
RHEL8 7.4.2 U3: https://www.veritas.com/content/support/en_US/downloads/update.UPD251267

SLES12 (7.4.2):
7.4.2 U3: https://www.veritas.com/content/support/en_US/downloads/update.UPD966604

SLES15  (7.4.2) : Includes SLES 15 SP3 support
7.4.2  : https://www.veritas.com/content/support/en_US/downloads/update.UPD772018

Solaris (7.4.2):
SPARC infoscale-sol11_sparc-Patch-7.4.2.1200: https://www.veritas.com/content/support/en_US/downloads/update.UPD553948
X64 infoscale-sol11_x64-Patch-7.4.2.1200: https://www.veritas.com/content/support/en_US/downloads/update.UPD584298

AIX (7.4.2):
infoscale-aix-Patch-7.4.2.1200: https://www.veritas.com/content/support/en_US/downloads/update.UPD800834

Note : 

1) All of the above permanent fixes for Linux/Unix environments require downtime.

2) For Linux/Unix, use the CPI patch for 7.4.2 Update 3 as well as for the P patches mentioned above.
https://www.veritas.com/content/support/en_US/downloads/update.UPD298738

 

Patches for all platforms for 7.4.1 can be downloaded from the below locations:

Windows (7.4.1):

sig_licensing-WIN-Patch-7.4.1.300: https://www.veritas.com/content/support/en_US/downloads/update.UPD469608

RHEL (7.4.1):
RHEL6 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD605225
RHEL7 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD691569
RHEL8 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD474669

SLES (7.4.1):
SLES12 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD365798
SLES15 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD666944

Solaris (7.4.1):
SPARC Solaris 11 7.4.1 U6 : https://www.veritas.com/content/support/en_US/downloads/update.UPD202244
X86 Solaris 11 7.4.1 U6:   https://www.veritas.com/content/support/en_US/downloads/update.UPD982913

AIX (7.4.1)
AIX 7.4.1 U6: https://www.veritas.com/content/support/en_US/downloads/update.UPD511843

SLES 11 (7.4.1) is not included in 7.4.1 Update 6, so the Licensing patch was released as a component patch, available below.
https://www.veritas.com/content/support/en_US/downloads/update.UPD518518

Note

1) All of the above permanent fixes for Linux/Unix environments require downtime.

2) For Linux/Unix, use the CPI patch for 7.4.1 Update 6 as well as for the P patches mentioned above.

https://www.veritas.com/content/support/en_US/downloads/update.UPD715008

 

Hot fix for Veritas InfoScale Licensing Service

 

For InfoScale 7.4 to 7.4.3 (sig_licensing-log4j-2.17.1-HF-7.4-to-7.4.3)

Supported Operating Systems: RHEL6/7/8 x86-64, SLES11/12/15 x86-64, Solaris 11 SPARC, Solaris 11 x86, AIX
https://www.veritas.com/content/support/en_US/downloads/update.UPD838718

For InfoScale 7.0 to 7.3.1 (sig_licensing-log4j-2.17.1-HF-7.0-to-7.3.1)

Supported Operating Systems: RHEL6/7 x86-64, SLES11/12 x86-64, Solaris 11 SPARC, Solaris 11 x86, AIX
https://www.veritas.com/content/support/en_US/downloads/update.UPD211523

For SF 6.2 to 6.2.1 (sig_licensing-log4j-2.17.1-HF-6.2-to-6.2.1)

Supported Operating Systems: RHEL6/7 x86-64, SLES11/12 x86-64, Solaris 11 SPARC, AIX

https://www.veritas.com/content/support/en_US/downloads/update.UPD864693

For InfoScale 7.0 to 7.4.2 Windows (InfoScale_sig_licensing_log4j-2.17.1_7.0_to_7.4.2_HF)

Supported Operating Systems: Windows 2012, 2016 and 2019 Servers

https://www.veritas.com/content/support/en_US/downloads/update.UPD190323

 

Note :  Downtime not required for "Veritas Infoscale Licensing Service" HotFix.

 

Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
