Accurev Log4J vulnerability

We have identified Log4j being used with AccuRev. We need to understand how to turn off Log4j if it is being used internally.

We have the Tomcat service, the DB, the server and the Mosquitto server running.

  • The impact of this issue is being reviewed by engineering. I will provide an update when more information is available.

  • SUPPORT COMMUNICATION - SECURITY BULLETIN – AccuRev  

    Potential Security Impact: remote code execution


    VULNERABILITY SUMMARY

    A potential vulnerability has been identified in the Apache log4j library used by AccuRev’s Pulse web application.

    The vulnerability could be exploited to allow remote code execution.

    CVE References: CVE-2021-44228


    SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):

    AccuRev releases 7.3, 7.4, 7.5, 7.6

    CVSS Version 3.1 Metrics:

    Reference        V3.1 Vector    V3.1 Base Score
    CVE-2021-44228   N/A            N/A


    RESOLUTION:

    The vulnerability can be mitigated by disabling the lookup feature of log4j2.

    To do that, the following steps should be performed:

    1. Validate that the log4j-core jar libraries in use by AccuRev’s Pulse web application are of version 2.10.x to version 2.14.x.

      If at least one log4j-core jar library is of version 2.0.x to 2.9.x, then the below mitigation is NOT APPLICABLE -> Do not execute any of the steps below, and update to a newer version of AccuRev immediately.

      Please note that log4j jar libraries of version 1.x.x and log4j-core jar libraries of version 2.15.0 or higher are NOT subject to this vulnerability.

      An installation of AccuRev 7.3 through 7.6 has vulnerable libraries in this location:
      • <INSTALL_DIR>\WebUI\tomcat\webapps\pulse\WEB-INF\lib
    2. For Windows systems:
    • With an administrative command prompt, go to <INSTALL_DIR>\WebUI\tomcat\bin.
    • Run "tomcat8w //ES//AccuRevTomcat"
      The "AccuRevTomcat Properties" UI will appear.
    • Select the Java tab and for "Java Options" add a new line with the content
      "-Dlog4j2.formatMsgNoLookups=true". This setting is case sensitive.
    • Click Apply.
    • Select the General tab.
    • Click Stop.
    • Once Start is enabled, click Start.


    3. For Linux systems:
    • With appropriate access rights, use a text editor to create a new file <INSTALL_DIR>/WebUI/tomcat/bin/setenv.sh with the following contents:

      #!/bin/sh
      JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
    • Tomcat must be restarted for this change to take effect.


    A new AccuRev version for upgrade will be provided soon.

    For the latest mitigation guidance, please refer to logging.apache.org/.../security.html
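Step 1 of the bulletin above hinges on which log4j-core version sits in the Pulse lib directory, because the formatMsgNoLookups flag only helps for 2.10.x through 2.14.x. The following POSIX shell script is an added example, not part of the bulletin or of AccuRev's own tooling. It classifies each log4j-core-*.jar found in a directory by the version in its file name into the three cases the bulletin describes (apply the mitigation, upgrade instead, or not subject) and reports a single worst-case verdict; the sample directory it builds contains constructed, empty jar files, so only the names are checked, not the jar contents.

```shell
#!/bin/sh
# Classify a log4j-core version string against the bulletin's cases:
#   MITIGATE     2.10.x - 2.14.x : -Dlog4j2.formatMsgNoLookups=true applies
#   UPGRADE      2.0.x  - 2.9.x  : the flag does not help, upgrade AccuRev
#   NOT_AFFECTED 1.x or 2.15.0+  : not subject to CVE-2021-44228 per the bulletin
#   UNKNOWN      anything that does not parse as major.minor[.patch]
log4j_status() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    case "$major.$minor" in
        [0-9]*.[0-9]*) ;;          # both components numeric, continue
        *) echo UNKNOWN; return ;;
    esac
    case "$major" in
        1) echo NOT_AFFECTED ;;
        2)
            if [ "$minor" -ge 15 ]; then
                echo NOT_AFFECTED
            elif [ "$minor" -ge 10 ]; then
                echo MITIGATE
            else
                echo UPGRADE
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Scan a lib directory (e.g. <INSTALL_DIR>/WebUI/tomcat/webapps/pulse/WEB-INF/lib)
# for log4j-core-*.jar files. Per-jar findings go to stderr; the worst-case
# verdict (UPGRADE > MITIGATE > NOT_AFFECTED > NONE_FOUND) goes to stdout.
scan_lib_dir() {
    dir="$1"
    verdict=NONE_FOUND
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue            # glob did not match anything
        base=$(basename "$jar" .jar)
        ver=${base#log4j-core-}
        status=$(log4j_status "$ver")
        echo "$base: $status" >&2
        case "$status" in
            UPGRADE) verdict=UPGRADE ;;
            MITIGATE)
                if [ "$verdict" != UPGRADE ]; then verdict=MITIGATE; fi ;;
            NOT_AFFECTED)
                if [ "$verdict" = NONE_FOUND ]; then verdict=NOT_AFFECTED; fi ;;
        esac
    done
    echo "$verdict"
}

# Build a constructed sample lib directory with empty jar files (names only)
# so the scan can be exercised offline; prints the directory path.
make_sample_libdir() {
    dir=$(mktemp -d)
    : > "$dir/log4j-core-2.13.3.jar"   # constructed: in the mitigable range
    : > "$dir/log4j-api-2.13.3.jar"    # constructed: api jar, ignored by the scan
    echo "$dir"
}

# Usage: sh log4j_check.sh <lib-directory>
if [ $# -gt 0 ]; then
    scan_lib_dir "$1"
fi
```

The verdict is deliberately the worst case across all jars: if even one 2.0.x to 2.9.x core jar is present the bulletin says the flag is not applicable, so UPGRADE wins over MITIGATE. Note that the script trusts the version embedded in the file name; a renamed jar would need its META-INF manifest inspected instead.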