Impact of Apache Log4j Vulnerabilities on Veritas Desktop and Laptop Option (DLO)

Impact of Apache Log4j Vulnerabilities on Veritas Desktop and Laptop Option (DLO)

Article: 100052093
Last Published: 2022-01-07
Ratings: 0 0
Product(s): Desktop Laptop Option

Description

CVE-2021-44228:
In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVE-2021-45046:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

CVE-2021-45105 (DLO is not impacted by this vulnerability):
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

CVE-2021-44832 (DLO is not impacted by this vulnerability):

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

More information is available from the Apache Announcement. While this issue has been resolved in the Log4j 2.17.0, compatibility and installation of this version is still under investigation.


Currently, Veritas recommends applying the mitigation steps outlined below.

 

Issue

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
Severity: Critical
Base CVSS Score: 9.0
CVSS: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. (DLO is not impacted by this vulnerability)
Severity: High
Base CVSS Score: 7.5
CVSS:7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. (DLO is not impacted by this vulnerability)
Severity: Moderate
Base CVSS Score: 6.6
CVSS: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Versions

Veritas Desktop and Laptop versions: 9.0 SP1, 9.1, 9.2, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.4, 9.5 and 9.6

Mitigation

Apply the following changes to address the vulnerabilities CVE-2021-44228 and CVE-2021-45046

DLO is not impacted by CVE-2021-45105 and CVE-2021-44832 vulnerabilities.

Fix for DLO 9.6 is now released and can be downloaded using following Download Center link - 

https://www.veritas.com/content/support/en_US/downloads/update.UPD761261

 

The below steps are applicable for DLO versions 9.0 SP1, 9.1, 9.2, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.4 and 9.5.

 

Steps to be followed from the Windows computer:

 

  • Navigate to the following path:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib and search for "log4j-core-*.jar" file.

  • To change the jar file to zip file, Press "Win+R" key and type "cmd" to launch command prompt.

Execute following command:
rename log4j-core-*.jar log4j-core-*.zip

Now the jar file "log4j-core-*.jar" will be changed to zip file "log4j-core-*.zip"

  • Extract the "log4j-core-*.zip" file to "log4j-core-*" folder.

Navigate to the extracted folder path: log4j-core-*\org\apache\logging\log4j\core\lookup and delete the "Jndilookup.class" file.

  • In the extracted folder "log4j-core-*", select all the files, right-click and select send to Compressed (zipped) folder. Give a filename log4j-core-*.zip

Note: Replace (*) asterisk symbol with log4j-core version number, same as original zip name.
For example: For DLO 9.3.3 it should be "log4j-core-2.9.0.zip"

  • To change the zip file to jar file, Press "Win+R" key and type "cmd" to launch command prompt.

Execute following command:
rename log4j-core-*.zip log4j-core-*.jar

Now the zip file "log4j-core-*.zip" will be changed to jar file "log4j-core-*.jar"

  • Copy this jar log4j-core-*.jar file and replace it in the below paths:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib
&
C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps\DLOServer\WEB-INF\lib

  • In DLO Server machine, Start the Windows services by pressing "Win+R" and type "services.msc".

The windows services will be launched.

Restart the below services:

  • Veritas DLO Web Server
  • Mindtree StoreSmart Dedupe Server

 

Steps to be followed from the Linux computer:

 

  • Navigate to the following path:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib

  • Copy the "log4j-core-*.jar" file and paste it to the Linux machine, then run the following Linux command:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Now, copy the "log4j-core-*.jar" file from the Linux machine and replace it in the following DLO Server path:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib
&
C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps\DLOServer\WEB-INF\lib

 

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

 

 

Related Downloads

Was this content helpful?