ALM mitigation of 'log4j' compromise - CVE-2021-44228

2 Likes

About this vulnerability:
The zero-day critical vulnerability of Apache Log4j2 is disclosed recently, and the CVE is published as CVE-2021-44228. For details see: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Apache Log4j2 is a Java-based logging library which is used by ALM and Octane application server and QIS (AKA: Global Search).
 
Security Impact:
- The issue concerns a case of unauthenticated, remote code execution (RCE). It is possible to execute malicious code and allow a complete takeover of vulnerable systems.
 
Affected Products:
- ALM/QC 15.5.0, 15.5.1 (SP1), 15.5.1 Patch 01, 15.5.1 Patch02, 16.0.0
- ALM Quality Insight – 1.0
- ALM Global Search - 15.5, 15.0.1, 12.60
Note: Global Search and Quality Insight are independent services which require separate installation from ALM

Products not affected:
- ALM Synchronizer (a.k.a: Gossip)
- ALI, EI, MC extensions
- Jira plugin
- ALM Explorer, ALM Client launcher, WebRunner, QoT, MSI Generator

Mitigation Plan:
- For affected ALM versions, the previously indicated mitigation approach of disabling the log4j2 lookup feature is insufficient to handle this CVE. For information, see https://nvd.nist.gov/vuln/detail/CVE-2021-45046
    
- We strongly advise you to mitigate this issue by using the hotfix that updates Log4j to version 2.17.1. For more information, please go to this link

- For the affected Quality Insight and Global Search, please follow instructions:
  - Global Search
  - Quality Insight
  - For ALM SaaS, all servers are patched

Summary of recent vulnerabilities and recommended mitigation method:
- CVE-2021-44228:
  - Update Log4j to version 2.16 and later, 
link

- CVE-2021-45046:
  - Update Log4j to version 2.16 and later, 
link

- CVE-2021-45105: 
  - ALM/Quality Center does not use the "non-default Pattern Layout with a Context Lookup" in Log4j in default configuration settings, so ALM is not affected, however, if the user customized the configuration and used this function, please review the mitigation method from here


If assistance in implementing the mitigation is needed please open a support ticket with Micro Focus Support

Labels:

Support Tip
Comment List
Anonymous
Parents
  • Understand the log4j does not affect 15.01 (currently installed); however, my company is adamant we upgrade to 2.17. For 15.01 installations, what is the file used for in our installation and can we delete the file? There's only the log4j.jar in our installation, none of the -api or -core files on our system.

    If we cannot delete the files, is there a way to upgrade them? Thanks.

Comment
  • Understand the log4j does not affect 15.01 (currently installed); however, my company is adamant we upgrade to 2.17. For 15.01 installations, what is the file used for in our installation and can we delete the file? There's only the log4j.jar in our installation, none of the -api or -core files on our system.

    If we cannot delete the files, is there a way to upgrade them? Thanks.

Children
  • There are API changes from log4j 1.x to 2.x, so we cannot simply replace them. We cannot delete them either, since they are used by the product. So, my suggestion is, 1. upgrade to 15.5 or higher version on which you can upgrade log4j manually to the highest version (hotfix); 2. wait for the 15.0.1 formal patch which is scheduled on April 2022.

Related Discussions
Recommended