
SBM: SECURITY BULLETIN - CVE-2021-44228 and CVE-2021-45046 - RCE 0-day exploit found in Log4J



ID:    S143605
Published:    11 December 2021
Updated:    08 April 2022

Operating System(s)

  • All Windows

Product(s)

  • SBM
 

Description

CVE-2021-44228: A serious security issue affecting SBM, an RCE 0-day exploit, has been found in log4j 2.0 – 2.14.1.  For further information on the vulnerability, follow the Apache Log4j site.  See the resolution below to eliminate the vulnerability in SBM.  This is necessary for all versions of SBM, including SBM 12.

log4j-1.2.17.jar: SBM uses Log4j2 for three files, but also uses log4j-1.2.17.jar.  There have been concerns about the following three vulnerabilities with this jar: CVE-2021-44228, CVE-2019-17571 and CVE-2021-4104.  SBM is not vulnerable to these recorded CVEs, but we recognize the concern with having the "unsupported" version of log4j 1.2.xx on the server.  We will replace this component in the October 2022 release of SBM.

CVE-2021-44228: Per Apache, Log4j 1.x is not impacted by this vulnerability.
CVE-2021-4104: This is mitigated by ensuring that there is NO JMSAppender configured.  SBM 11.x does not use the JMSAppender and thus is not affected by this vulnerability.
CVE-2019-17571: This is an issue with a Log4j server setup that logs across servers.  SBM is not set up for this appender.

Additional log4j-1.2.17 mitigation: We can replace log4j-1.2.17.jar with the supported reload4j-1.2.18.jar.


UPDATE: Apache has found, and we have confirmed, CVE-2021-45046 and CVE-2021-45105.  We have determined that the best course of action is to replace Log4j with version 2.17.1.  This can be done without further updates to SBM.

 

 

Resolution

Previous versions of this document had you modify COMMON_CONFIG.BAT on every system running SBM Tomcat.  It is not necessary to back this out.
Previously, we also recommended removing the JndiLookup class from the log4j-core-*.jar file per CVE-2021-45046.  Replacing log4j with version 2.17.1 undoes that earlier change.

We have now tested and confirmed that the following versions of SBM (11.4.2 and 12.0) can be manually updated to log4j 2.17 using the steps below.  Other versions can likely be updated as well, and some customers report success on 11.8 and 11.7.1, but these have not been officially tested yet.  If you find this does not work for your system, return the original JAR files to their location and back out the changes.
 
Step A - Stop the services.
1. Stop the Tomcat service
2. Stop the IIS service
 
Step B - Log4J-2.x JAR - Mitigation.
1. Download the latest log4j2 jars (at the moment 2.17.1):
 
Log4j 2.17.1 
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.17.1
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.1
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-jul/2.17.1
 
 
2. Open File Explorer and go to this directory: [SBM Install Dir]\Common\tomcat\lib
3. Remove the old log4j-core-2.XX.X.jar, log4j-api-2.XX.X.jar and log4j-jul-2.XX.X.jar
4. Copy the new files into this directory:  log4j-core-2.17.1.jar, log4j-api-2.17.1.jar, log4j-jul-2.17.1.jar
5. Update the following two .bat files with the new version number.  Both contain the same for-loop over the three jar names; change 2.13.3 to 2.17.1 in each file.

C:\Program Files\Micro Focus\SBM\Common\tomcat\bin\run_in_console.bat
C:\Program Files\Micro Focus\SBM\Common\tomcat\bin\update_tomcat_config.bat

from
for %%x in (
  log4j-api-2.13.3.jar
  log4j-core-2.13.3.jar
  log4j-jul-2.13.3.jar
) do (
to
for %%x in (
  log4j-api-2.17.1.jar
  log4j-core-2.17.1.jar
  log4j-jul-2.17.1.jar
) do (
 
6. Run update_tomcat_config.bat (run in admin mode)
 
 
Step C - Log4J-1.2.17.JAR - Mitigation.
1. Download reload4j-1.2.18.1.jar (the latest version at the moment):  https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.18.1
2. Replace the vulnerable log4j-1.2.17.jar with reload4j-1.2.18.1.jar

Delete log4j-1.2.17.jar and copy reload4j-1.2.18.1.jar into each of these directories:
 
C:\Program Files\Serena\SBM\Application Engine\alfssojavabridge\alfssogatekeeper\lib
C:\Program Files\Serena\SBM\Common\Tomcat 7.0\server\default\webapps\idp\WEB-INF\lib
C:\Program Files\Serena\SBM\Common\Tomcat 7.0\lib
C:\Program Files\Serena\SBM\Manager\cmd\lib
 
3. Edit javabridge_config.xml
 
C:\Program Files\Serena\SBM\Application Engine\alfssojavabridge\javabridge_config.xml
 
from
<!-- log4j library & configuration file -->
<Entry>$/log4j-1.2.17.jar</Entry>
to
<!-- log4j library & configuration file -->
<Entry>$/reload4j-1.2.18.1.jar</Entry>
 
4. Download: https://mvnrepository.com/artifact/org.slf4j/slf4j-reload4j/1.7.33
 
5. Replace SBM\Common\Tomcat 7.0\server\default\lib\slf4j-log4j12-1.7.30.jar (the SLF4J binding/provider for the vulnerable log4j-1.2.17.jar) with slf4j-reload4j-1.7.33.jar (the binding/provider for reload4j-1.2.18.1.jar).
 
6. Download: https://mvnrepository.com/artifact/org.slf4j/slf4j-api/1.7.33
 
7. Replace SBM\Common\Tomcat 7.0\server\default\lib\slf4j-api-1.7.30.jar with slf4j-api-1.7.33.jar in the same directory.
 
  
Step D - Apply Changes
1. Navigate to [SBM]\Common\tomcat\server\default\
2. Delete the contents of the TEMP and WORK folders - DO NOT DELETE THE FOLDERS THEMSELVES
3. Start your SBM Tomcat service and review console.log, server.log and tomcat.log for unusual errors.
4. Start the IIS service.
5. Clear the browser cookies and cache.
 
  
Step E - Repeat 
1.  Repeat the above steps on each server.
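The following PowerShell script is an added post-change verification, not part of this bulletin: run it on each server after Step D to confirm that Steps B and C actually took effect before trusting the result. It assumes the install root given in its param and the relative paths exactly as printed in Steps B and C; adjust both to the real layout on the server (Serena vs Micro Focus root, tomcat vs Tomcat 7.0).

```powershell
# Added verification script, not part of the original bulletin. It assumes the
# install root below and the relative paths exactly as printed in Steps B and C;
# adjust both to the server's real layout (Serena vs Micro Focus root, tomcat vs Tomcat 7.0).
param([string]$SbmRoot = 'C:\Program Files\Micro Focus\SBM')

$script:failures = 0
function Check([bool]$pass, [string]$msg) {
    if ($pass) { Write-Host "[PASS] $msg" } else { Write-Host "[FAIL] $msg"; $script:failures++ }
}
function Has([string]$dir, [string]$jar) { Test-Path -LiteralPath (Join-Path $dir $jar) }

# Step B: only the 2.17.1 log4j2 jars may remain in Tomcat's lib directory.
$tomcatLib = Join-Path $SbmRoot 'Common\tomcat\lib'
foreach ($jar in 'log4j-api', 'log4j-core', 'log4j-jul') {
    Check (Has $tomcatLib "$jar-2.17.1.jar") "$jar-2.17.1.jar present in $tomcatLib"
}
$stale = Get-ChildItem -LiteralPath $tomcatLib -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notmatch '^log4j-(api|core|jul)-2\.17\.1\.jar$' }
Check (@($stale).Count -eq 0) "no other log4j-2.x jars left in $tomcatLib ($($stale.Name -join ', '))"

# Step B5: neither .bat file may still list a pre-2.17 jar (the shipped files say 2.13.3).
foreach ($bat in 'run_in_console.bat', 'update_tomcat_config.bat') {
    $p = Join-Path $SbmRoot "Common\tomcat\bin\$bat"
    $old = if (Test-Path -LiteralPath $p) { Select-String -LiteralPath $p -Pattern 'log4j-(api|core|jul)-2\.(\d|1[0-6])\.' } else { 'missing' }
    Check (-not $old) "$bat references no pre-2.17 log4j jar"
}

# Step C1-2: log4j-1.2.17.jar removed and reload4j-1.2.18.1.jar added in every listed lib dir.
foreach ($d in 'Application Engine\alfssojavabridge\alfssogatekeeper\lib',
               'Common\Tomcat 7.0\server\default\webapps\idp\WEB-INF\lib',
               'Common\Tomcat 7.0\lib', 'Manager\cmd\lib') {
    $full = Join-Path $SbmRoot $d
    Check (-not (Has $full 'log4j-1.2.17.jar')) "log4j-1.2.17.jar removed from $full"
    Check (Has $full 'reload4j-1.2.18.1.jar') "reload4j-1.2.18.1.jar present in $full"
}

# Step C3: the javabridge Entry must name the reload4j jar exactly; a typo here
# (e.g. log4j-1.2.18.1.jar) produces the InitExtension and 404 errors under Common Problems.
$cfg = Join-Path $SbmRoot 'Application Engine\alfssojavabridge\javabridge_config.xml'
$entry = if (Test-Path -LiteralPath $cfg) {
    (Select-String -LiteralPath $cfg -Pattern '<Entry>\$/((?:log4j|reload4j)-[^<]*\.jar)</Entry>' |
        Select-Object -First 1).Matches[0].Groups[1].Value
}
Check ($entry -eq 'reload4j-1.2.18.1.jar') "javabridge_config.xml log4j Entry is '$entry'"

# Step C5/C7: SLF4J binding and API switched to the 1.7.33 reload4j provider.
$srvLib = Join-Path $SbmRoot 'Common\Tomcat 7.0\server\default\lib'
Check (-not (Has $srvLib 'slf4j-log4j12-1.7.30.jar')) "slf4j-log4j12-1.7.30.jar removed from $srvLib"
Check ((Has $srvLib 'slf4j-reload4j-1.7.33.jar') -and (Has $srvLib 'slf4j-api-1.7.33.jar')) "slf4j-reload4j and slf4j-api 1.7.33 present in $srvLib"
Write-Host "$($script:failures) check(s) failed"
```

Any [FAIL] line maps directly back to the step it names, so the server can be fixed before the Tomcat and IIS services are started.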
 
 
Common Problems:

Below are some errors that customers have seen after applying the changes above.

Action: Logging into Work Center
Error: InitExtension Failed: JNI Bridge configuration file element '' contains file or directory that does not exist: 'C:\Program Files\Serena\SBM\Application Engine\alfssojavabridge\alfssogatekeeper\lib\log4j-1.2.18.1.jar'
Solution: This error is caused by a mistake when editing the javabridge_config.xml file (step C3 above). Be sure to change the file name to reload4j-1.2.18.1.jar.

Action: Logging into the Repository
Error: Unable to reach server. http Error 404
Solution: This error is caused by a mistake when editing the javabridge_config.xml file (step C3 above). Be sure to change the file name to reload4j-1.2.18.1.jar.

Action: Email Notifications
Error: Email notifications are no longer sent to users
Solution: This problem was caused because the old files mentioned in Step C were removed, but the new files were not added. Repeat Step C and Step D to resolve.

Applies To

SBM
