SBM: SECURITY BULLETIN - CVE-2021-44228 and CVE-2021-45046 - RCE 0-day exploit found in Log4J



ID:    S143605
Published:    11 December 2021
Updated:    21 January 2022

Product(s)

  • SBM
 

Description

CVE-2021-44228: A serious security issue affecting SBM, a remote code execution (RCE) 0-day exploit, has been found in log4j 2.0 – 2.14.1.  For further information on the vulnerability, follow the Apache Log4j site.  See the resolution below to eliminate the vulnerability in SBM.  This is necessary for all versions of SBM, including SBM 12.
 
log4j-1.2.17.jar: SBM uses Log4j2 for three files, but also uses log4j-1.2.17.jar.  There have been concerns about the following 3 vulnerabilities with this jar: CVE-2021-44228, CVE-2019-17571 and CVE-2021-4104.  SBM is not vulnerable to the recorded CVEs, but we recognize the concern with having the "unsupported" version of log4j 1.2.xx on the server.  We will replace this component in the October 2022 release of SBM.
 
CVE-2021-44228: Per Apache, Log4j 1.x is not impacted by this vulnerability.
CVE-2021-4104: This is mitigated by ensuring that there is NO JMSAppender configured.  SBM 11.x does not use the JMS Appender, thus it is not affected by this vulnerability.
CVE-2019-17571: This is an issue with a Log4j server setup used for logging across servers.  SBM is not set up for this appender.
 
Additional log4j-1.2.17 Mitigation: log4j-1.2.17.jar can be replaced with the supported reload4j-1.2.18.jar.
 
 
UPDATE: Apache has found, and we have confirmed, CVE-2021-45046 and CVE-2021-45105.  We have determined that the best course of action is to replace Log4j with version 2.17.1.  This can be done without further updates to SBM.

 

 

Resolution

Previous versions of this document had you modify the COMMON_CONFIG.BAT on every system running SBM Tomcat.  It is not necessary to back this out.
Previous versions also recommended removing the JndiLookup class from the log4j-core-*.jar file per CVE-2021-45046.  As you replace log4j with version 2.17.1, this will undo what was done before.
 
We've now tested and confirmed that the following versions of SBM (11.4.2 and 12.0) can be manually updated to log4j 2.17 using the steps below.  Other versions can likely be updated as well, with some customer reports of success on 11.8 and 11.7.1, but these have not been officially tested yet.  If you find this does not work for your system, return the original JAR files to their location and back out the changes.
 
1. Stop Tomcat services
2. Download the latest log4j2 jars (at the moment 2.17.1):
 
Log4j 2.17.1 
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.17.1
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.1
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-jul/2.17.1
 
 
3. Open File Explorer and go to this directory: [SBM Install Dir]\Common\tomcat\lib
4. Remove the old versions: log4j-core-2.XX.X.jar, log4j-api-2.XX.X.jar, log4j-jul-2.XX.X.jar
5. Copy the new files into this directory: log4j-core-2.17.1.jar, log4j-api-2.17.1.jar, log4j-jul-2.17.1.jar
6. Update the following .bat files with the new version number (the for loops below show the old jar names that must be changed):
 
C:\Program Files\Micro Focus\SBM\Common\tomcat\bin\run_in_console.bat
for %%x in (
  log4j-api-2.13.3.jar
  log4j-core-2.13.3.jar
  log4j-jul-2.13.3.jar
) do (
 
C:\Program Files\Micro Focus\SBM\Common\tomcat\bin\update_tomcat_config.bat
for %%x in (
  log4j-api-2.13.3.jar
  log4j-core-2.13.3.jar
  log4j-jul-2.13.3.jar
) do (
 
7. Run update_tomcat_config.bat (run in admin mode)
8. Start Tomcat
 
 
Log4J-1.2.17.JAR - Mitigation
1. Stop all services
2. Download reload4j-1.2.18.1.jar (the latest version for now):  https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.18.1
3. Replace the vulnerable log4j-1.2.17.jar with reload4j-1.2.18.1.jar
 
Delete log4j-1.2.17.jar and copy reload4j-1.2.18.1.jar into each directory.
 
C:\Program Files\Serena\SBM\Application Engine\alfssojavabridge\alfssogatekeeper\lib
C:\Program Files\Serena\SBM\Common\Tomcat 7.0\server\default\webapps\idp\WEB-INF\lib
C:\Program Files\Serena\SBM\Common\Tomcat 7.0\lib
C:\Program Files\Serena\SBM\Manager\cmd\lib
 
4. Edit javabridge_config.xml
 
C:\Program Files\Serena\SBM\Application Engine\alfssojavabridge\javabridge_config.xml
 
from
<!-- log4j library & configuration file -->
<Entry>$/log4j-1.2.17.jar</Entry>
to
<!-- log4j library & configuration file -->
<Entry>$/reload4j-1.2.18.1.jar</Entry>
 
5. Download: https://mvnrepository.com/artifact/org.slf4j/slf4j-reload4j/1.7.33
 
6. Replace SBM\Common\Tomcat 7.0\server\default\lib\slf4j-log4j12-1.7.30.jar (the binding/provider for the vulnerable log4j-1.2.17.jar) with slf4j-reload4j-1.7.33.jar (the binding/provider for reload4j-1.2.18.1.jar).
 
7. Download: https://mvnrepository.com/artifact/org.slf4j/slf4j-api/1.7.33
 
8. Replace SBM\Common\Tomcat 7.0\server\default\lib\slf4j-api-1.7.30.jar with slf4j-api-1.7.33.jar in the same directory.
9. Start all services
10. Navigate to [SBM]\Common\tomcat\server\default\
11. Delete the contents of the TEMP and WORK folders - DO NOT DELETE THE FOLDERS THEMSELVES
12. Start your SBM Tomcat service and review console.log, server.log and tomcat.log for unusual errors.
13. Repeat steps 1 - 12 for each SBM Tomcat server.
14. Clear the cookie cache
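As an added example (not part of this bulletin or of SBM), the following PowerShell script audits an SBM installation after both procedures above: it lists the Log4j, reload4j and SLF4J jars under the install directory against the versions named in this document, and flags the two step-6 .bat files if their for loops still name an older log4j 2.x jar. The $SbmRoot default and the jar naming pattern are assumptions.

```powershell
# Added example, not part of the Micro Focus bulletin. Audits an SBM install for the jars
# the bulletin covers. $SbmRoot is an assumption: set it to your [SBM Install Dir].
param(
    [string]$SbmRoot = 'C:\Program Files\Micro Focus\SBM'
)

# Target versions named in the bulletin.
$Expected = @{
    'log4j-api'      = [version]'2.17.1'
    'log4j-core'     = [version]'2.17.1'
    'log4j-jul'      = [version]'2.17.1'
    'reload4j'       = [version]'1.2.18.1'
    'slf4j-api'      = [version]'1.7.33'
    'slf4j-reload4j' = [version]'1.7.33'
}

# Matches e.g. log4j-core-2.13.3.jar, log4j-1.2.17.jar, slf4j-log4j12-1.7.30.jar (assumed naming).
$JarPattern = '^(?<name>log4j(-api|-core|-jul)?|reload4j|slf4j-(api|log4j12|reload4j))-(?<ver>\d+(\.\d+)+)\.jar$'

Get-ChildItem -Path $SbmRoot -Recurse -Filter '*.jar' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $JarPattern } |
    ForEach-Object {
        $null = $_.Name -match $JarPattern   # repopulate $Matches in this scope
        $name = $Matches['name']
        $ver  = [version]$Matches['ver']
        $status = switch ($name) {
            'log4j'         { 'REPLACE with reload4j (Log4j 1.x, unsupported)' }
            'slf4j-log4j12' { 'REPLACE with slf4j-reload4j (binding for Log4j 1.x)' }
            default {
                if ($ver -lt $Expected[$name]) { "UPGRADE $ver -> $($Expected[$name])" } else { 'OK' }
            }
        }
        [pscustomobject]@{ Jar = $_.Name; Status = $status; Directory = $_.DirectoryName }
    } | Sort-Object Status, Directory | Format-Table -AutoSize

# The two .bat files from step 6 must list the new jar names in their for loops.
foreach ($rel in 'Common\tomcat\bin\run_in_console.bat', 'Common\tomcat\bin\update_tomcat_config.bat') {
    $bat = Join-Path $SbmRoot $rel
    if (-not (Test-Path $bat)) { continue }
    Select-String -Path $bat -Pattern 'log4j-(api|core|jul)-(\d+(\.\d+)+)\.jar' |
        Where-Object { [version]$_.Matches[0].Groups[2].Value -lt [version]'2.17.1' } |
        ForEach-Object { "STALE: $bat line $($_.LineNumber): $($_.Line.Trim())" }
}
```

Run it once per SBM Tomcat server (step 13) from an elevated PowerShell prompt; an empty UPGRADE/REPLACE/STALE set means the jar swap and .bat edits are complete on that host.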
 

Applies To

SBM
