PVCS Version Manager mitigation of 'log4j2' compromise - CVE-2021-44228
ID: S143608
Published: 13 December 2021
Updated: 11 April 2022
Operating System(s)
- All Unix
- All Windows
Product(s)
- PVCS Version Manager
Description
SUPPORT COMMUNICATION - SECURITY BULLETIN – PVCS Version Manager
Potential Security Impact: unintended code execution
VULNERABILITY SUMMARY
Security vulnerabilities were identified in the Apache log4j 2.x.x libraries used by the certtool command of PVCS Version Manager. The vulnerabilities can be exploited via social engineering or other techniques whereby a PVCS VM user executes a malicious certtool command.

AFFECTED SOFTWARE VERSIONS:
- PVCS Version Manager 8.6.0
- PVCS Version Manager 8.6.1
- PVCS Version Manager 8.6.2
- PVCS Version Manager 8.6.3
Notes:
- Only the PVCS Version Manager releases listed above are affected by the log4j2 issue.
- The log4j 1.2.17 library used by the PVCS Version Manager Web Application Server is NOT subject to this vulnerability. Additionally, the use of log4j 1.2.17 by PVCS Version Manager is not affected by CVE-2021-4104.
Resolution
A patch to resolve this issue (by replacing the affected files with log4j 2.17.1) is now available for PVCS Version Manager 8.6.3. The VM 8.6.3.2 patch is available from the product download pages:
https://sld.microfocus.com/mysoftware/download/downloadCenter
For earlier PVCS Version Manager 8.6.x releases, please follow the steps below. Be warned that using older PVCS VM releases may expose you to other vulnerabilities that have since been resolved.
[Following the latest guidance from Apache, this article was updated to include log4j version 2.17.1]
The vulnerability can be mitigated by replacing the affected libraries with log4j 2.17.1 or newer. To do that, perform the following steps:
For Windows systems:
- Go to the directory %PVCS_HOME%\common\libcerttool
  (default for PVCS Version Manager: C:\Program Files\Micro Focus\vm\common\libcerttool)
- Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
- Copy the files log4j-api-2.17.1.jar and log4j-core-2.17.1.jar from the attached ZIP file into the directory.
- Modify the file %PVCS_HOME%\common\bin\win64\certtool.bat
  Replace the lines:
  ```bat
  set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.3.jar;
  set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.3.jar;
  ```
  With:
  ```bat
  set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.17.1.jar;
  set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.17.1.jar;
  ```

As the updated files are not used by the PVCS Version Manager Web Application Server (service), there is no need to restart that server, nor is there a need to reboot the machine.
For Linux/UNIX systems:
- Go to the directory $PVCS_HOME/vm/common/libcerttool
  (default for PVCS Version Manager: /usr/microfocus/vm/common/libcerttool)
- Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
- Copy the files log4j-api-2.17.1.jar and log4j-core-2.17.1.jar from the attached ZIP file into the directory.
- Modify the file $PVCS_HOME/common/bin/linux/certtool
  Replace the lines:
  ```sh
  CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.3.jar
  CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.3.jar
  ```
  With:
  ```sh
  CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.17.1.jar
  CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.17.1.jar
  ```

As the updated files are not used by the PVCS Version Manager Web Application Server, there is no need to restart that server, nor is there a need to reboot the machine.
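The manual steps above (for both Windows and Linux/UNIX) leave two things to verify afterwards: that no pre-2.17.1 log4j jar remains in libcerttool and that the certtool launcher's CLASSPATH no longer names the 2.3 jars. The following script is an added example of such a post-mitigation check; it is not Micro Focus code and not part of the bulletin. It assumes only the layout the bulletin describes (a libcerttool directory holding log4j-api-<version>.jar and log4j-core-<version>.jar, plus a certtool or certtool.bat launcher with CLASSPATH lines). Reading the version from each jar's META-INF/MANIFEST.MF, as a guard against a renamed jar, is an assumption about how log4j jars are packaged; the sample tree it builds is constructed, not real product files.

```python
"""Post-mitigation check for the PVCS VM certtool log4j fix (added example).

Not Micro Focus code. It assumes only what the bulletin states: a
libcerttool directory holding log4j-api-<ver>.jar and log4j-core-<ver>.jar,
and a certtool launcher (certtool.bat on Windows, certtool on Linux/UNIX)
whose CLASSPATH lines name those jars. The manifest-version fallback is an
assumption about how log4j jars are packaged, not something from the page.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 1)                     # version the bulletin installs
JAR_NAME = re.compile(r"log4j-(api|core)-(\d+(?:\.\d+)*)\.jar")
MANIFEST_VERSION = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tuples compare correctly, unlike strings ('2.3' > '2.17')."""
    return tuple(int(part) for part in text.split("."))


def manifest_version(jar_path):
    """Version recorded inside the jar, or None if it cannot be read (renamed/corrupt jar)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    match = MANIFEST_VERSION.search(manifest)
    return parse_version(match.group(1)) if match else None


def audit_libcerttool(directory):
    """Return findings for the jar directory; an empty list means the fix is in place."""
    findings = []
    present = {"api": set(), "core": set()}
    for name in sorted(os.listdir(directory)):
        match = JAR_NAME.fullmatch(name)
        if not match:
            continue                            # other certtool jars are out of scope
        artifact, named = match.group(1), parse_version(match.group(2))
        inside = manifest_version(os.path.join(directory, name))
        present[artifact].add(inside or named)
        if named < FIXED_VERSION:
            findings.append(f"{name}: pre-2.17.1 jar still present, the bulletin says to delete it")
        if inside is None:
            findings.append(f"{name}: could not read manifest version, verify the file by hand")
        elif inside != named:
            findings.append(f"{name}: filename says {match.group(2)} but manifest says {'.'.join(map(str, inside))}")
    for artifact in ("api", "core"):
        if not any(v >= FIXED_VERSION for v in present[artifact]):
            findings.append(f"log4j-{artifact}-2.17.1.jar (or newer) not found")
    return findings


def audit_launcher(script_path):
    """Report CLASSPATH lines in certtool / certtool.bat that still name a pre-2.17.1 jar."""
    findings = []
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if "CLASSPATH" not in line.upper():
                continue
            for match in JAR_NAME.finditer(line):
                if parse_version(match.group(2)) < FIXED_VERSION:
                    findings.append(f"{os.path.basename(script_path)} line {lineno}: still references {match.group(0)}")
    return findings


def build_sample(root, patched):
    """Constructed toy tree (not real Micro Focus files): jars holding only a manifest, plus a launcher."""
    lib = os.path.join(root, "libcerttool")
    os.makedirs(lib)
    ver = "2.17.1" if patched else "2.3"
    for artifact in ("api", "core"):
        with zipfile.ZipFile(os.path.join(lib, f"log4j-{artifact}-{ver}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n\r\n")
    script = os.path.join(root, "certtool")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n")
        for artifact in ("api", "core"):
            fh.write(f"CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-{artifact}-{ver}.jar\n")
    return lib, script


def run_demo():
    """Audit an unpatched and a patched sample tree; returns {label: findings}."""
    results = {}
    for label, patched in (("unpatched", False), ("patched", True)):
        with tempfile.TemporaryDirectory() as root:
            lib, script = build_sample(root, patched)
            results[label] = audit_libcerttool(lib) + audit_launcher(script)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On a real installation, call audit_libcerttool on the libcerttool directory and audit_launcher on certtool.bat or certtool instead of run_demo; an empty result from both is the expected state after the steps above. The version comparison uses integer tuples deliberately, since a plain string compare would rank 2.3 above 2.17.1.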
For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html
Attachment
File Name | File Size | Download |
---|---|---|
libcerttool.zip | 1.8MB | HTTP |