
DLO Security Update

Hotfix: Critical

Summary

Hotfix for Apache Log4j Vulnerability

Description

Fix for Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 for DLO version 9.6.

For more information, see Veritas Technical Article 100052093.

 

Description


CVE-2021-44228:
In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

 

CVE-2021-45046:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

 

CVE-2021-45105 (DLO is not impacted by this vulnerability): Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.
More information is available from the Apache Announcement. While this issue has been resolved in Log4j 2.17.0, compatibility and installation of this version is still under investigation.
Currently, Veritas recommends applying the mitigation steps outlined below.

 

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. (DLO is not impacted by this vulnerability)
 

Issue


CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
Severity: Critical
Base CVSS Score: 9.0
CVSS: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Severity: High
Base CVSS Score: 7.5
CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Mitigation


Apply the following changes to address the vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
The steps below upgrade the Log4j version to 2.17.0 and are applicable only to DLO version 9.6.


Steps to be followed from the Windows computer:


1. Extract the downloaded package Veritas_DLO_9.6_Log4J_Vulnerability_Fix.zip and follow the below steps.

 

2. On the DLO Server machine, press Win+R, type services.msc, and click OK.

 

The Windows Services Manager will appear. Stop the following services:

  • Veritas DLO Web Server
  • Mindtree StoreSmart Dedupe Server


3. Navigate to the path:


C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps

Take a backup of the DedupeServer.war file and the "DedupeServer" folder on any local drive (for example, C:\Backupfolder), then delete the "DedupeServer.war" file and the "DedupeServer" folder.


4. From the downloaded package, copy the "DedupeServer.war" file and paste it in the path:


C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps


5. From the below path, take a backup of the existing log4j-api-2.13.3.0.jar and log4j-core-2.13.3.jar files, then delete both files:


C:\Program Files\Veritas\Veritas DLO\Dedupe\lib


6. From the downloaded package, copy the "log4j-api-2.17.0.jar" and "log4j-core-2.17.0.jar" files and paste them in the path:


C:\Program Files\Veritas\Veritas DLO\Dedupe\lib


7. Navigate to the path:


C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps

Take a backup of the DLOServer.war file and the "DLOServer" folder on any local drive (for example, C:\Backupfolder), then delete the "DLOServer.war" file and the "DLOServer" folder.

 

8. From the downloaded package, copy the "DLOServer.war" file and paste it in the path:


C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps


9. From the below path, take a backup of the existing log4j-api-2.13.3.0.jar and log4j-core-2.13.3.jar files, then delete both files:


C:\Program Files\Veritas\Veritas DLO\IOServer\lib


10. From the downloaded package, copy the "log4j-api-2.17.0.jar" and "log4j-core-2.17.0.jar" files and paste them in the path:


C:\Program Files\Veritas\Veritas DLO\IOServer\lib


11. On the DLO Server machine, press Win+R, type services.msc, and click OK.


The Windows Services Manager will appear. Start the following services:

  • Veritas DLO Web Server
  • Mindtree StoreSmart Dedupe Server

 

12. Go to the backed-up folder (for example, C:\Backupfolder), copy the context.xml file from the path C:\Backupfolder\DedupeServer\META-INF and use it to replace the file in the below path:

 

C:\Program Files\Veritas\Veritas DLO\Dedupe\Tomcat\webapps\DedupeServer\META-INF

 

13. Go to the backed-up folder (for example, C:\Backupfolder), copy the context.xml file from the path C:\Backupfolder\DLOServer\META-INF and use it to replace the file in the below path:

 

C:\Program Files\Veritas\Veritas DLO\IOServer\Tomcat\webapps\DLOServer\META-INF

 

14. On the DLO Server machine, press Win+R, type services.msc, and click OK.

 

The Windows Services Manager will appear. Restart the following services:

  • Veritas DLO Web Server
  • Mindtree StoreSmart Dedupe Server

 

Note: In the above steps, file paths may differ if DLO Server is installed in a custom path, and also if files were backed up to a different path.

 

To prevent vulnerability scanners from flagging older files:

 

1. Delete C:\Program Files\Veritas\Veritas DLO\Dedupe\DedupeServer_mssql.war and C:\Program Files\Veritas\Veritas DLO\IOServer\DedupeServer.war

 

2. Extract the files from this hotfix.

 

3. Copy the DedupeServer.war file from the files extracted from this hotfix into:

 

C:\Program Files\Veritas\Veritas DLO\Dedupe

 

4. Rename DedupeServer.war to DedupeServer_mssql.war

 

5. Copy the DedupeServer.war file into C:\Program Files\Veritas\Veritas DLO\IOServer

 

Note: In the above steps, file paths may differ if DLO Server is installed in a custom path, and also if files were backed up to a different path.
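As an added verification for both procedures above (this script is not part of the Veritas hotfix package), the PowerShell below walks the DLO install root and reports any log4j-core or log4j-api jar older than 2.17.0, whether it sits loose in the lib directories or is bundled inside a .war file, which is what a vulnerability scanner would still flag. It assumes the default install path C:\Program Files\Veritas\Veritas DLO; pass -InstallRoot for a custom installation.

```powershell
# Added post-hotfix check (not Veritas code). Assumes the default DLO install root;
# override with -InstallRoot when DLO Server is installed in a custom path.
param(
    [string]$InstallRoot = 'C:\Program Files\Veritas\Veritas DLO',
    [version]$MinimumVersion = '2.17.0'
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Pull "2.13.3" out of names such as log4j-core-2.13.3.jar; $null for anything else.
function Get-Log4jVersion([string]$Name) {
    if ($Name -match '^log4j-(?:core|api)-(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

$findings = @()

# 1. Loose jars on disk (covers ...\Dedupe\lib and ...\IOServer\lib from the steps above,
#    plus any backup copies that were left under the install root).
foreach ($jar in Get-ChildItem -Path $InstallRoot -Recurse -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue) {
    $v = Get-Log4jVersion $jar.Name
    if ($v -and $v -lt $MinimumVersion) {
        $findings += [pscustomobject]@{ Location = $jar.FullName; Entry = $jar.Name; Version = $v }
    }
}

# 2. Jars bundled inside .war archives (WEB-INF\lib). The hotfix replaces DedupeServer.war and
#    DLOServer.war because the old Log4j jars are packaged inside them.
foreach ($war in Get-ChildItem -Path $InstallRoot -Recurse -Filter '*.war' -ErrorAction SilentlyContinue) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($war.FullName)
    try {
        foreach ($entry in $zip.Entries) {
            $v = Get-Log4jVersion $entry.Name
            if ($v -and $v -lt $MinimumVersion) {
                $findings += [pscustomobject]@{ Location = $war.FullName; Entry = $entry.FullName; Version = $v }
            }
        }
    } finally { $zip.Dispose() }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no log4j-core/log4j-api below $MinimumVersion found under $InstallRoot"
} else {
    Write-Warning "Outdated Log4j artifacts remain under $InstallRoot (remove or replace them):"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt after step 14 and again after the scanner cleanup steps; an empty result means nothing older than 2.17.0 is left for a scanner to find.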

 

 

Applies to the following product releases

Update files

File name  Description  Version  Platform  Size

2022-02-18
