PVCS Version Manager mitigation of 'log4j2' compromise - CVE-2021-44228



ID:    S143608
Published:    13 December 2021
Updated:    11 April 2022

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

SUPPORT COMMUNICATION - SECURITY BULLETIN – PVCS Version Manager
Potential Security Impact: unintended code execution
 
VULNERABILITY SUMMARY
Security vulnerabilities were identified in the Apache log4j 2.x.x libraries used by the certtool command of PVCS Version Manager. The vulnerabilities can be exploited via social engineering or other techniques whereby a PVCS VM user executes a malicious certtool command.
 
 
AFFECTED SOFTWARE VERSIONS: 
  • PVCS Version Manager 8.6.0
  • PVCS Version Manager 8.6.1
  • PVCS Version Manager 8.6.2
  • PVCS Version Manager 8.6.3 

Notes:
 

 

Resolution

A patch to resolve this issue (by replacing the affected files with log4j 2.17.1) is now available for PVCS Version Manager 8.6.3. The VM 8.6.3.2 patch is available from the product download pages:

https://sld.microfocus.com/mysoftware/download/downloadCenter

For earlier PVCS Version Manager 8.6.x releases, please follow the steps below. Be warned that using older PVCS VM releases may expose you to other vulnerabilities that have since been resolved.


[Following the latest guidance from Apache, this article was updated to include log4j version 2.17.1]
 
The vulnerability can be mitigated by replacing the affected libraries with log4j 2.17.1 or newer. To do that, perform the following steps:
 
For Windows systems:
  1. Go to the directory %PVCS_HOME%\common\libcerttool

    (default for PVCS Version Manager: C:\Program Files\Micro Focus\vm\common\libcerttool)
     
  2. Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
     
  3. Copy the files log4j-api-2.17.1.jar and log4j-core-2.17.1.jar from the attached ZIP file into the directory.
     
  4. Modify the file %PVCS_HOME%\common\bin\win64\certtool.bat

    Replace the lines:
     
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.3.jar;
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.3.jar;


    With:

    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.17.1.jar;
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.17.1.jar;

    As the updated files are not used by the PVCS Version Manager Web Application Server (service), there is no need to restart that server, nor is there a need to reboot the machine.
 
For Linux/UNIX systems:
  1. Go to the directory $PVCS_HOME/common/libcerttool

    (default for PVCS Version Manager: /usr/microfocus/vm/common/libcerttool)
     
  2. Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
     
  3. Copy the files log4j-api-2.17.1.jar and log4j-core-2.17.1.jar from the attached ZIP file into the directory.
     
  4. Modify the file $PVCS_HOME/common/bin/linux/certtool

    Replace the lines:

    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.3.jar
    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.3.jar


    With:

    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.17.1.jar
    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.17.1.jar

    As the updated files are not used by the PVCS Version Manager Web Application Server, there is no need to restart that server, nor is there a need to reboot the machine.
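
A post-patch check for the Linux/UNIX steps above, added here as an example and not a Micro Focus script: it walks the libcerttool directory and the certtool launcher under an assumed PVCS_HOME (default /usr/microfocus/vm), reports any log4j jar older than 2.17.1 that is still on disk, and confirms that every log4j jar the launcher's CLASSPATH lines reference actually exists, which catches a mistyped filename after editing the script.

```sh
#!/bin/sh
# Post-patch check for the certtool log4j mitigation (added example, not a Micro
# Focus script). Assumes the Linux layout from the steps above under PVCS_HOME:
# common/libcerttool/*.jar and the launcher common/bin/linux/certtool.

# version_ge A B: succeeds when dotted version A >= B (numeric, component-wise).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0; if (p < q) exit 1
        }
        exit 0 }'
}

# check_certtool_log4j PVCS_HOME [MIN_VERSION]: prints a line per finding and
# returns 0 only when every log4j jar left on disk, and every jar the launcher
# puts on the CLASSPATH, exists and is at least MIN_VERSION (default 2.17.1).
check_certtool_log4j() {
    home="$1"; min="${2:-2.17.1}"; rc=0
    lib="$home/common/libcerttool"; launcher="$home/common/bin/linux/certtool"
    for jar in "$lib"/log4j-*.jar; do            # stale 2.3 copies still on disk?
        [ -e "$jar" ] || continue
        base=$(basename "$jar" .jar); ver=${base##*-}
        version_ge "$ver" "$min" || { echo "FAIL stale $jar (log4j $ver)"; rc=1; }
    done
    # Each jar the launcher references must exist and be new enough. A mistyped
    # filename in a CLASSPATH line would otherwise go unnoticed and leave
    # certtool without that library at run time.
    for ref in $(grep -o 'libcerttool/log4j-[^ :]*\.jar' "$launcher" 2>/dev/null | sort -u); do
        base=$(basename "$ref" .jar); ver=${base##*-}
        [ -e "$home/common/$ref" ] || { echo "FAIL $ref is on the CLASSPATH but missing"; rc=1; }
        version_ge "$ver" "$min" || { echo "FAIL $ref on the CLASSPATH is older than $min"; rc=1; }
    done
    [ -e "$lib/log4j-core-$min.jar" ] || { echo "FAIL $lib/log4j-core-$min.jar not found"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK   $home: certtool resolves log4j $min"; fi
    return "$rc"
}

# Usage: check_certtool_log4j "${PVCS_HOME:-/usr/microfocus/vm}"; echo "exit=$?"
```

Run it once before and once after the edit; a non-zero exit with only "OK" output never happens, so the exit status alone is enough for a fleet-wide sweep.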

For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html

 

Attachment

File Name        File Size    Download
libcerttool.zip  1.8MB        HTTP
