
PVCS Version Manager mitigation of 'log4j2' compromise - CVE-2021-44228



ID:    S143608
Published:    13 December 2021
Updated:    04 January 2022

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

SUPPORT COMMUNICATION - SECURITY BULLETIN – PVCS Version Manager
Potential Security Impact: unintended code execution
 
VULNERABILITY SUMMARY
Security vulnerabilities were identified in the Apache log4j 2.x.x libraries used by the certtool command of PVCS Version Manager. The vulnerabilities can be exploited via social engineering or other techniques whereby a PVCS VM user executes a malicious certtool command.
 
CVE References: CVE-2021-44228 & CVE-2021-45046
 

CVSS Version 3.1 Metrics:

Reference        V3.1 Vector                                    V3.1 Base Score
CVE-2021-44228   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H   10.0 CRITICAL
CVE-2021-45046   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L   3.7 LOW


(The V3.1 Base Score values reflect the general log4j2 issue reported in the CVE, not its impact on PVCS Version Manager)

 
AFFECTED SOFTWARE VERSIONS: 
  • PVCS Version Manager 8.6.0
  • PVCS Version Manager 8.6.1
  • PVCS Version Manager 8.6.2
  • PVCS Version Manager 8.6.3 

Notes:
 
  • Only the PVCS Version Manager releases listed above are affected by the log4j2 issue.
  • Versions 1.x.x of the log4j libraries, like log4j-1.2.17.jar used by the PVCS Version Manager Web Application Server, are NOT subject to this vulnerability.

 

Resolution

A patch to resolve this issue and to include an updated version of log4j 2.x is now available for PVCS Version Manager 8.6.3 from the product download pages:

https://sld.microfocus.com/mysoftware/download/downloadCenter

 

For earlier PVCS Version Manager 8.6.x releases, please follow the steps below.

 

[Following the latest guidance from Apache, this article was updated to include log4j version 2.17.0]
 
The vulnerability can be mitigated by replacing the affected libraries with log4j 2.17.0 or newer. To do that, perform the following steps:
 
For Windows systems:
  1. Go to the directory %PVCS_HOME%\common\libcerttool

    (default for PVCS Version Manager: C:\Program Files\Micro Focus\vm\common\libcerttool)
     
  2. Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
     
  3. Copy the files log4j-api-2.17.0.jar and log4j-core-2.17.0.jar from the attached ZIP file into the directory.
     
  4. Modify the file %PVCS_HOME%\common\bin\win64\certtool.bat

    Replace the lines:
     
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.3.jar;
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.3.jar;


    With:

    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-api-2.17.0.jar;
    set CLASSPATH=%CLASSPATH%;%PVCS_HOME%\common\libcerttool\log4j-core-2.17.0.jar;

    As the updated files are not used by the PVCS Version Manager Web Application Server (service), there is no need to restart that server, nor is there a need to reboot the machine.
 
For Linux/UNIX systems:
  1. Go to the directory $PVCS_HOME/common/libcerttool

    (default for PVCS Version Manager: /usr/microfocus/vm/common/libcerttool)
     
  2. Delete the files log4j-api-2.3.jar and log4j-core-2.3.jar
     
  3. Copy the files log4j-api-2.17.0.jar and log4j-core-2.17.0.jar from the attached ZIP file into the directory.
     
  4. Modify the file $PVCS_HOME/common/bin/linux/certtool

    Replace the lines:

    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.3.jar
    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.3.jar


    With:

    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-api-2.17.0.jar
    CLASSPATH=$CLASSPATH:$PVCS_HOME/common/libcerttool/log4j-core-2.17.0.jar

    As the updated files are not used by the PVCS Version Manager Web Application Server, there is no need to restart that server, nor is there a need to reboot the machine.
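The Linux/UNIX steps above as a script, added here as an example and not part of this article or the product; it assumes $PVCS_HOME is the install root (default /usr/microfocus/vm), that the two 2.17.0 jars from the attached ZIP have been unpacked into a staging directory, and that the certtool launcher contains the two CLASSPATH lines exactly as quoted above. It re-checks the install afterwards so you can confirm the 2.3 jars are gone and the launcher no longer references them.

```shell
#!/bin/sh
# Added example (not Micro Focus code): apply and verify the Linux/UNIX
# log4j 2.17.0 mitigation for the PVCS Version Manager certtool command.

# Returns 0 when libcerttool holds the 2.17.0 jars, the 2.3 jars are gone and
# the certtool launcher references only the 2.17.0 jars; 1 otherwise.
certtool_log4j_ok() {
  home="$1"
  lib="$home/common/libcerttool"
  launcher="$home/common/bin/linux/certtool"
  [ ! -e "$lib/log4j-api-2.3.jar" ] && [ ! -e "$lib/log4j-core-2.3.jar" ] || return 1
  [ -f "$lib/log4j-api-2.17.0.jar" ] && [ -f "$lib/log4j-core-2.17.0.jar" ] || return 1
  grep -q 'log4j-api-2\.17\.0\.jar' "$launcher" || return 1
  grep -q 'log4j-core-2\.17\.0\.jar' "$launcher" || return 1
  ! grep -q 'log4j-[a-z]*-2\.3\.jar' "$launcher"
}

# Performs steps 1-4 of the article.
# $1 = PVCS_HOME, $2 = directory holding the unpacked 2.17.0 jars (assumed).
certtool_log4j_patch() {
  home="$1"; stage="$2"
  lib="$home/common/libcerttool"
  launcher="$home/common/bin/linux/certtool"
  [ -d "$lib" ] && [ -f "$launcher" ] || { echo "not a PVCS_HOME: $home" >&2; return 1; }
  cp -p "$launcher" "$launcher.pre-log4j-2.17.0"             # keep a backup of the launcher
  rm -f "$lib/log4j-api-2.3.jar" "$lib/log4j-core-2.3.jar"   # step 2
  cp "$stage/log4j-api-2.17.0.jar" "$stage/log4j-core-2.17.0.jar" "$lib/" || return 1  # step 3
  # step 4: rewrite only the two CLASSPATH entries, leaving the rest of the launcher untouched
  sed -i.bak \
    -e 's#libcerttool/log4j-api-2\.3\.jar#libcerttool/log4j-api-2.17.0.jar#' \
    -e 's#libcerttool/log4j-core-2\.3\.jar#libcerttool/log4j-core-2.17.0.jar#' \
    "$launcher" && rm -f "$launcher.bak"
  certtool_log4j_ok "$home"   # verify the result before reporting success
}
```

Run as `certtool_log4j_patch "$PVCS_HOME" /path/to/unpacked/zip`; a non-zero exit means one of the checks failed and the install should be inspected by hand.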

For the latest mitigation guidance, please refer to https://logging.apache.org/log4j/2.x/security.html

 

Attachment

File Name         File Size   Download
libcerttool.zip   1.8MB       HTTP
