Product: Stratusphere FIT/UX
Product Version: 6.1.5, 6.5.0, 6.5.1, 6.5.1-1, 6.5.1-2
Expires on: 365 days from publish date
Updated: Dec 16, 2021
Problem:
Log4j vulnerability described here: https://access.redhat.com/security/cve/cve-2021-44228
Stratusphere Hub and Collector appliances running versions 6.1.5 through 6.5.1-2 are affected. The Stratusphere Database appliance is not affected.
Stratusphere versions 6.1.4 and older are not affected.
### UPDATE ###
Apache has identified an additional vulnerability and addressed it in version 2.17 of the log4j component. Regarding CVE-2021-45105: the affected configuration is not currently deployed by our product, so the product is not impacted by this vulnerability.
The patch as it stands is current, and an updated log4j component will be live in 6.6.0 at the beginning of the year.
ProfileUnity and all of its third-party components, including MongoDB, are not impacted by CVE-2021-45046 and CVE-2021-44228.
(ProfileUnity does not ship with MongoDB Atlas Search, which is affected.)
https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb
Resolution:
A hotfix is available that mitigates the vulnerability by removing the JndiLookup class from the log4j-core jar (Issue description information). You can see the class that needs to be disabled by running this command as root. Once the patch is implemented, the command will come back with no output:
- unzip -l /opt/tnt/lib/java/log4j-core-*.jar | grep JndiLookup
2892 05-10-2020 12:08 org/apache/logging/log4j/core/lookup/JndiLookup.class
PLEASE POWER DOWN EACH APPLICABLE APPLIANCE AND TAKE A SNAPSHOT BEFORE IMPLEMENTING. Only remove the snapshot once functionality is confirmed post-patch. To implement the fix:
1. For appliances with internet access, download the CVE-2021-44228.sh script from the Liquidware repository and apply it locally on each Hub and Collector.
a. SSH to each appliance as friend for on-prem deployments, ec2-user for AWS, azureuser or unique username for Azure.
b. Run the following commands. Be sure the sha256sum matches before executing the shell script:
- sudo bash
- cd /tmp
- wget https://cdn.liquidware.com/stratusphere/hotfix/CVE-2021-44228.1.sh
- sha256sum CVE-2021-44228.1.sh
1360335130de9b739139bbdb98333883ec2dcc0c184fad52d59f45d281885790 CVE-2021-44228.1.sh
- sh CVE-2021-44228.1.sh
2. For appliances without internet access, use this link to download the shell script CVE-2021-44228.sh to your desktop. Right-click and choose "Save Link As" to download. Do NOT open the file on a Windows machine because it may add DOS formatting.
a. Use WinSCP or a similar application to SFTP the patch to each Hub and Collector as friend for on-prem deployments, ec2-user for AWS, azureuser or unique username for Azure. Place the file in the /tmp directory of each appliance.
b. SSH to each appliance using the same username in the previous step. Run the following commands, and be sure the sha256sum matches before executing the shell script:
- sudo bash
- cd /tmp
- sha256sum CVE-2021-44228.1.sh
1360335130de9b739139bbdb98333883ec2dcc0c184fad52d59f45d281885790 CVE-2021-44228.1.sh
- sh CVE-2021-44228.1.sh
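The steps above rely on comparing the sha256sum output by eye before running the script. The following is an added example, not part of the Liquidware hotfix or of this article's original commands, that makes the comparison a hard gate and reports DOS line endings as a likely cause of a mismatch; the function names are hypothetical, and the expected hash and jar path to pass in are the ones printed above.

```shell
#!/bin/sh
# Added example: hash-gated execution of a downloaded hotfix script.
# Function names are hypothetical; they are not part of the vendor hotfix.

# verify_hotfix FILE EXPECTED_SHA256
#   returns 0 when the SHA-256 of FILE equals EXPECTED_SHA256
#   returns 1 on mismatch (with a hint when CR bytes suggest DOS formatting)
#   returns 2 when FILE does not exist
verify_hotfix() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "sha256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    # A carriage return in a shell script usually means it was opened or
    # saved on Windows, which changes the bytes and therefore the hash.
    cr=$(printf '\r')
    if grep -q "$cr" "$file"; then
        echo "  hint: CR characters found (DOS line endings); download again" >&2
    fi
    return 1
}

# run_if_verified FILE EXPECTED_SHA256
#   executes FILE with sh only after the hash check passes
run_if_verified() {
    verify_hotfix "$1" "$2" || return $?
    sh "$1"
}

# jar_has_jndilookup JAR
#   returns 0 while JndiLookup.class is still present in JAR (unpatched),
#   non-zero once it has been removed
jar_has_jndilookup() {
    unzip -l "$1" | grep -q 'JndiLookup\.class'
}
```

After sourcing these functions as root in /tmp, call `run_if_verified CVE-2021-44228.1.sh <sha256 shown above>`, then confirm the patch with `jar_has_jndilookup` on each log4j-core jar under /opt/tnt/lib/java.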