Impact of Apache Log4j Vulnerabilities on Veritas Desktop and Laptop Option (DLO)

Article: 100052093
Last Published: 2022-02-18
Product(s): Desktop Laptop Option

Description

CVE-2021-44228:
In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVE-2021-45046:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

CVE-2021-45105 (DLO is not impacted by this vulnerability):
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

CVE-2021-44832 (DLO is not impacted by this vulnerability):
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

More information is available from the Apache announcement. While this issue has been resolved in Log4j 2.17.0, compatibility and installation of that version are still under investigation.


Currently, Veritas recommends applying the mitigation steps outlined below.

Issue

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
Severity: Critical
Base CVSS Score: 9.0
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. (DLO is not impacted by this vulnerability)
Severity: High
Base CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. (DLO is not impacted by this vulnerability)
Severity: Moderate
Base CVSS Score: 6.6
CVSS Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Versions

Veritas Desktop and Laptop versions: 9.0 SP1, 9.1, 9.2, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.4, 9.5 and 9.6

For version details of the Apache, Tomcat and Log4j components used in DLO, see the article "Apache, Tomcat and Log4j versions used in Desktop and Laptop Option (DLO)".

Mitigation

Apply the following changes to address the vulnerabilities CVE-2021-44228 and CVE-2021-45046.

DLO is not impacted by CVE-2021-45105 and CVE-2021-44832 vulnerabilities.

----------------------------------------------------------------------------------------------------------------------------------------

For DLO 9.7 -

Vulnerabilities CVE-2021-44228 and CVE-2021-45046 are fixed in DLO 9.7. The DLO 9.7 setup can be downloaded from the following Download Center link:

https://www.veritas.com/support/en_US/downloads/detail.REL948921

----------------------------------------------------------------------------------------------------------------------------------------

For DLO 9.6 -

The hotfix for DLO 9.6 is now released and can be downloaded from the following Download Center link:

https://www.veritas.com/support/en_US/downloads/update.UPD761261

----------------------------------------------------------------------------------------------------------------------------------------

For DLO versions 9.0 SP1, 9.1, 9.2, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.4 and 9.5 -

Steps to be followed from the Windows computer:

  • Navigate to the following path:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib and search for the "log4j-core-*.jar" file.

  • To change the jar file to a zip file, press "Win+R", type "cmd" and launch the command prompt.

Execute the following command:
rename log4j-core-*.jar log4j-core-*.zip

The jar file "log4j-core-*.jar" is now renamed to the zip file "log4j-core-*.zip".

  • Extract the "log4j-core-*.zip" file to a "log4j-core-*" folder.

Navigate to the extracted folder path log4j-core-*\org\apache\logging\log4j\core\lookup and delete the "JndiLookup.class" file.

  • In the extracted folder "log4j-core-*", select all the files, right-click and select Send to > Compressed (zipped) folder. Name the file log4j-core-*.zip.

Note: Replace the asterisk (*) with the log4j-core version number, the same as in the original zip name.
For example, for DLO 9.3.3 it should be "log4j-core-2.9.0.zip".

  • To change the zip file back to a jar file, press "Win+R", type "cmd" and launch the command prompt.

Execute the following command:
rename log4j-core-*.zip log4j-core-*.jar

The zip file "log4j-core-*.zip" is now renamed to the jar file "log4j-core-*.jar".

  • Copy this log4j-core-*.jar file and replace the existing one in both of the following paths:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib
&
C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps\DLOServer\WEB-INF\lib

  • On the DLO Server machine, open Windows Services by pressing "Win+R" and typing "services.msc".

The Windows Services console opens.

Restart the following services:

  • Veritas DLO Web Server
  • Mindtree StoreSmart Dedupe Server

Steps to be followed from the Linux computer:

  • Navigate to the following path:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib

  • Copy the "log4j-core-*.jar" file to the Linux machine and run the following command there:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Copy the modified "log4j-core-*.jar" file back from the Linux machine and replace the existing one in the following DLO Server paths:

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\WEB-INF\lib
&
C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps\DLOServer\WEB-INF\lib

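As an added example (not Veritas code), the following Python reproduces the JndiLookup.class removal from both the Windows and Linux steps above with the standard zipfile module, and adds the check an administrator wants afterwards: confirming the class is really gone from the rewritten jar. The sample jar it builds is a constructed stand-in for log4j-core-2.9.0.jar with placeholder contents, not the real file.

```python
import io
import zipfile

# Entry the advisory removes from log4j-core-*.jar (Windows and Linux steps).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def entry_names(jar_bytes: bytes) -> list:
    """List every entry in a jar (a jar is an ordinary zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """Verification check: does the jar still ship JndiLookup.class?"""
    return JNDI_ENTRY in entry_names(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class, copying every other entry
    unchanged (same result as the 'zip -q -d' command above)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:  # drop only the lookup class
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def mitigate_jar_file(path: str) -> bool:
    """Apply the fix to a jar on disk; True if JndiLookup.class was removed."""
    with open(path, "rb") as f:
        data = f.read()
    if not has_jndi_lookup(data):
        return False  # already mitigated (or not a log4j-core jar)
    with open(path, "wb") as f:
        f.write(strip_jndi_lookup(data))
    return True


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.9.0.jar: a zip holding a fake
    JndiLookup.class and two other entries (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `has_jndi_lookup` on each replaced jar in both WEB-INF\lib paths is a quick way to confirm the mitigation took effect before the services are restarted.
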
To prevent vulnerability scanners from flagging older files

1. Delete C:\Program Files\Veritas\Veritas DLO\Dedupe\DedupeServer_mssql.war and C:\Program Files\Veritas\Veritas DLO\IOServer\DedupeServer.war

2. Extract the files from this hotfix.

3. Copy the DedupeServer.war file from the files extracted from this hotfix into C:\Program Files\Veritas\Veritas DLO\Dedupe

4. Rename DedupeServer.war to DedupeServer_mssql.war

5. Restart the Mindtree StoreSmart Dedupe Server service.

6. Delete the existing "DLOServer.war" file present in "C:\Program Files\Veritas\Veritas DLO\IOServer"

7. Copy "DLOServer.war" from the files extracted from this hotfix into "C:\Program Files\Veritas\Veritas DLO\IOServer"

8. Restart the Veritas DLO Web Server service.

Note: In the above steps, the file paths may differ if DLO Server is installed in a custom path, and also for files backed up to a different path.

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

 

 
