Solutions
ID: S143606
Published: 13 December 2021
Updated: 04 February 2022
Operating System(s)
- All Windows
Product(s)
- Release Control
Description
Potential Security Impact: remote code execution
VULNERABILITY SUMMARY
A potential vulnerability has been identified in the Apache log4j library used by ALM Solutions Connector.
The vulnerability could be exploited to allow remote code execution.
CVE References: CVE-2021-45046 & CVE-2021-44228
SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
ALM Solutions Connector – 6.2.2, 6.2.2.1, 6.2.3, 6.2.3.1, 6.2.4 (earlier versions of ALM Solutions Connector are not affected)
Note: Future releases for ALM Solutions Connector will include log4j 2.16 or newer.
CVSS Version 3.1 Metrics:
Reference      | V3.1 Vector                                  | V3.1 Base Score
CVE-2021-44228 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 CRITICAL
CVE-2021-45046 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.7 LOW
Resolution
UPDATE (4 Feb 2022):
A patch is being created that will contain Log4j version 2.17.1, in which additional risks were addressed. As soon as the patch is available, this document will be updated with the details. Expected delivery is 11 Feb 2022.
UPDATE (23 Dec 2021):
ALM Solutions Connector 6.2.4.1 has been released. This patch (PH_198243) contains Log4j version 2.17, in which CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 were addressed. The patch can be downloaded from the SLD Download Center. If you install this patch, you DO NOT need to follow the mitigation steps below.
Mitigation (Last updated 16 Dec 2021):
The full Micro Focus statement on the Log4j Vulnerability is available on the Product Security Response Center.
A default installation of a vulnerable version of ALM Solutions Connector has one vulnerable library in each of the following locations:
All affected versions:
\\webapps\almsernet\WEB-INF\lib\log4j-core-2.13.0.jar
\\webapps\almzmf\WEB-INF\lib\log4j-core-2.13.0.jar
\\webapps\almzmfalf\WEB-INF\lib\log4j-core-2.13.0.jar
Version 6.2.2 and 6.2.2.1 only:
\\webapps\almzmfws\WEB-INF\lib\log4j-core-2.13.0.jar
Version 6.2.3 and 6.2.3.1, 6.2.4 only:
\\webapps\zmfws\WEB-INF\lib\log4j-core-2.13.3.jar
To mitigate against this vulnerability on Windows systems:
- Open a Command Prompt as an Administrator, and go to the folder (the exact location will depend on your installation directory):
  \\webapps\almsernet\WEB-INF\lib
- Remove the JndiLookup class via the following command (be sure to use the correct file name in the zmfws folder):
  zip -q -d log4j-core-2.13.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- To verify this has been successful, you can run the command (be sure to use the correct file name in the zmfws folder):
  unzip -vl log4j-core-2.13.0.jar | findstr -i jndilookup
  Note: It should return no results.
- Repeat the above steps for each folder: almzmf, almzmfalf and almzmfws / zmfws
- Restart the ‘Micro Focus Common Tomcat 8’ service for this change to take effect.
To mitigate against this vulnerability on Unix/Linux systems:
- From a terminal window, go to the following directory (the exact location will depend on your installation directory):
  //webapps/almsernet/WEB-INF/lib
- Run the command (be sure to use the correct file name in the zmfws folder):
  zip -q -d log4j-core-2.13.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- To verify this has been successful, run the command (be sure to use the correct file name in the zmfws folder):
  unzip -vl log4j-core-2.13.0.jar | grep -i jndilookup
  Note: It should return no results.
- Repeat the above steps for each folder: almzmf, almzmfalf and almzmfws / zmfws
- Tomcat must be restarted for this change to take effect.
IMPORTANT: If the ALM Solutions Connector web applications are re-deployed you will need to reapply these changes. For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html
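The manual steps above, scripted as an added example (not Micro Focus's own tooling): Python's standard zipfile module stands in for the zip/unzip commands so the same code runs on Windows and Unix/Linux, walks the five webapp folders named above under a webapps directory you pass in, strips JndiLookup.class from every log4j-core jar it finds, and reports which jars still contain the class. The webapps path and the build_sample_webapps fixture are assumptions for running it offline; the fixture builds a constructed jar with placeholder bytes, not a real installation.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the advisory removes
WEBAPPS = ("almsernet", "almzmf", "almzmfalf", "almzmfws", "zmfws")  # folders named in the advisory

def find_log4j_core_jars(webapps_dir):
    """log4j-core-*.jar under each listed webapp's WEB-INF/lib (webapps absent in a version are skipped)."""
    libs = [os.path.join(webapps_dir, app, "WEB-INF", "lib") for app in WEBAPPS]
    return [os.path.join(lib, n) for lib in libs if os.path.isdir(lib)
            for n in sorted(os.listdir(lib)) if n.startswith("log4j-core-") and n.endswith(".jar")]

def jar_entries(jar_path):
    """Entry names in the jar; `JNDI_CLASS in jar_entries(p)` is the `unzip -l | grep` check above."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())

def remove_jndi_lookup(jar_path):
    """Same effect as `zip -q -d <jar> <JndiLookup.class>`: zipfile cannot delete in place, so the
    other entries are copied to a temp jar that replaces the original. True if the class was removed."""
    if JNDI_CLASS not in jar_entries(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info.filename, src.read(info.filename), compress_type=info.compress_type)
    os.replace(tmp_path, jar_path)  # atomic swap within the same directory
    return True

def mitigate(webapps_dir):
    """Strip JndiLookup from every jar found; returns {jar: still_vulnerable} for verification."""
    report = {}
    for jar in find_log4j_core_jars(webapps_dir):
        remove_jndi_lookup(jar)
        report[jar] = JNDI_CLASS in jar_entries(jar)
    return report

def build_sample_webapps():  # constructed fixture, not a real install; byte strings are placeholders
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "almsernet", "WEB-INF", "lib")
    os.makedirs(lib)
    jar = os.path.join(lib, "log4j-core-2.13.0.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return root, jar
```

As with the manual steps, Tomcat must be restarted afterwards and the change reapplied if the web applications are re-deployed.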