
SECURITY BULLETIN – ALM Solutions Connector: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 vulnerability



ID:    S143606
Published:    13 December 2021
Updated:    04 February 2022

Operating System(s)

  • All Windows

Product(s)

  • Release Control
 

Description

Potential Security Impact: remote code execution

VULNERABILITY SUMMARY

A potential vulnerability has been identified in the Apache log4j library used by ALM Solutions Connector.

The vulnerability could be exploited to allow remote code execution.

CVE References: CVE-2021-45046 & CVE-2021-44228

SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):

ALM Solutions Connector – 6.2.2, 6.2.2.1, 6.2.3, 6.2.3.1, 6.2.4 (earlier versions of ALM Solutions Connector are not affected)

Note: Future releases for ALM Solutions Connector will include log4j 2.16 or newer.

CVSS Version 3.1 Metrics:

Reference        V3.1 Vector                                    V3.1 Base Score
CVE-2021-44228   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H   10.0 CRITICAL
CVE-2021-45046   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L   3.7 LOW


Resolution

UPDATE (4 Feb 2022):

A patch is being created that will contain Log4j version 2.17.1, in which additional risks were addressed. As soon as the patch is available, this document will be updated with the details. Expected delivery is 11 Feb 2022.

 

UPDATE (23 Dec 2021):

ALM Solutions Connector 6.2.4.1 has been released. This patch (PH_198243) contains Log4j version 2.17, in which CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 were addressed. The patch can be downloaded from the SLD Download Center. If you install this patch, you DO NOT need to follow the mitigation steps below.

 

Mitigation (Last updated 16 Dec 2021):

The full Micro Focus statement on the Log4j Vulnerability is available on the Product Security Response Center.

A default installation of a vulnerable version of ALM Solutions Connector has one vulnerable library in each of the following locations:

All affected versions:

\\webapps\almsernet\WEB-INF\lib\log4j-core-2.13.0.jar
\\webapps\almzmf\WEB-INF\lib\log4j-core-2.13.0.jar
\\webapps\almzmfalf\WEB-INF\lib\log4j-core-2.13.0.jar

Versions 6.2.2 and 6.2.2.1 only:

\\webapps\almzmfws\WEB-INF\lib\log4j-core-2.13.0.jar

Versions 6.2.3, 6.2.3.1 and 6.2.4 only:

\\webapps\zmfws\WEB-INF\lib\log4j-core-2.13.3.jar


To mitigate against this vulnerability on Windows systems:

  1. Open a Command Prompt as an Administrator, and go to the folder: (The exact location will depend on your installation directory.)
    \\webapps\almsernet\WEB-INF\lib
  2. Remove the JndiLookup class via the following command: (Be sure to use the correct file name in the zmfws folder.)
    zip -q -d log4j-core-2.13.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  3. To verify this has been successful, you can run the command:  (Be sure to use the correct file name in the zmfws folder.)
    unzip -vl log4j-core-2.13.0.jar | findstr -i jndilookup
    Note: It should return no results.
  4. Repeat the above steps for each folder: almzmf, almzmfalf and almzmfws / zmfws
  5. Restart the ‘Micro Focus Common Tomcat 8’ service for this change to take effect.

To mitigate against this vulnerability on Unix/Linux Systems:

  1. From a terminal window, go to the following directory: (The exact location will depend on your installation directory.)  
    //webapps/almsernet/WEB-INF/lib
  2. Run the command:  (Be sure to use the correct file name in the zmfws folder.)
    zip -q -d log4j-core-2.13.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  3. To verify this has been successful, run the command:  (Be sure to use the correct file name in the zmfws folder.)
    unzip -vl log4j-core-2.13.0.jar | grep -i jndilookup
    Note: It should return no results.
  4. Repeat the above steps for each folder: almzmf, almzmfalf and almzmfws / zmfws
  5. Tomcat must be restarted for this change to take effect.

IMPORTANT: If the ALM Solutions Connector web applications are re-deployed you will need to reapply these changes. For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html
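As an added example (not Micro Focus code), the following Python script does across a whole webapps tree what the manual Windows and Unix/Linux steps above do per folder: it finds every log4j-core jar under <app>/WEB-INF/lib, reports whether JndiLookup.class is still present, and rewrites the jar without it. It assumes the directory layout named in this bulletin and builds a constructed sample tree with placeholder jars for demonstration.

```python
"""Audit and optionally mitigate log4j-core jars under an ALM Solutions Connector
'webapps' tree: constructed example, not Micro Focus code. Assumes the bulletin's
layout <webapps>/<app>/WEB-INF/lib/log4j-core-<version>.jar."""
import os
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(webapps_root):
    """Every log4j-core-*.jar under <app>/WEB-INF/lib, for every deployed app."""
    found = []
    for app in sorted(os.listdir(webapps_root)):
        lib_dir = os.path.join(webapps_root, app, "WEB-INF", "lib")
        if os.path.isdir(lib_dir):
            found += [os.path.join(lib_dir, n) for n in sorted(os.listdir(lib_dir))
                      if n.startswith("log4j-core-") and n.endswith(".jar")]
    return found

def has_jndi_lookup(jar_path):
    """True while the jar still ships JndiLookup.class (mitigation not applied)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, like the bulletin's 'zip -q -d'
    step (zipfile cannot delete in place). Returns True if an entry was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:  # copy everything else, same compression
                dst.writestr(info.filename, src.read(info.filename),
                             compress_type=info.compress_type)
    os.replace(tmp_path, jar_path)  # swap the rewritten jar into place
    return True

def build_sample_webapps():
    """Constructed stand-in for a 6.2.x install: two apps with placeholder jars."""
    root = tempfile.mkdtemp(prefix="webapps-")
    for app, ver in (("almsernet", "2.13.0"), ("zmfws", "2.13.3")):
        lib_dir = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib_dir)
        with zipfile.ZipFile(os.path.join(lib_dir, f"log4j-core-{ver}.jar"), "w") as zf:
            zf.writestr(JNDI_ENTRY, b"placeholder, not real bytecode")
            zf.writestr("org/apache/logging/log4j/core/Core.class", b"placeholder")
    return root
```

Run it against a real install by passing the webapps directory to find_log4j_core_jars and strip_jndi_lookup, then restart Tomcat as the steps above require; the jars must be re-checked after any redeployment.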

