ALM mitigation of 'log4j' compromise - CVE-2021-44228

About this vulnerability:
A critical zero-day vulnerability in Apache Log4j2 was recently disclosed and published as CVE-2021-44228. For details, see: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Apache Log4j2 is a Java-based logging library which is used by the ALM and Octane application server and by QIS (a.k.a. Global Search).
 
Security Impact:
- The issue is an unauthenticated remote code execution (RCE) vulnerability. An attacker can execute malicious code and take complete control of vulnerable systems.
 
Affected Products:
- ALM/QC 15.5.0, 15.5.1 (SP1), 15.5.1 Patch 01, 15.5.1 Patch 02, 16.0.0
- ALM Quality Insight – 1.0
- ALM Global Search - 15.5, 15.0.1, 12.60
Note: Global Search and Quality Insight are independent services that are installed separately from ALM.

Products not affected:
- ALM Synchronizer (a.k.a: Gossip)
- ALI, EI, MC extensions
- Jira plugin
- ALM Explorer, ALM Client launcher, WebRunner, QoT, MSI Generator

Mitigation Plan:
- For affected ALM versions, the previously indicated mitigation approach of disabling the log4j2 lookup feature is insufficient to handle this CVE. For information, see https://nvd.nist.gov/vuln/detail/CVE-2021-45046
    
- We strongly advise you to mitigate this issue by using the hotfix that updates Log4j to version 2.17.1. For more information, please go to this link

- For the affected Quality Insight and Global Search, please follow the instructions:
  - Global Search
  - Quality Insight
  - For ALM SaaS, all servers are patched

Summary of recent vulnerabilities and recommended mitigation method:
- CVE-2021-44228:
  - Update Log4j to version 2.16 or later (link)

- CVE-2021-45046:
  - Update Log4j to version 2.16 or later (link)

- CVE-2021-45105: 
  - In its default configuration settings, ALM/Quality Center does not use the "non-default Pattern Layout with a Context Lookup" in Log4j, so ALM is not affected. However, if you have customized the configuration and use this function, please review the mitigation method from here


If you need assistance in implementing the mitigation, please open a support ticket with Micro Focus Support.
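
An added example (not part of the original post and not Micro Focus tooling): a first-pass triage of the file names returned by a `*log4j*` scan, using the version thresholds from the summary above. The directory names and verdict labels are constructed for illustration, and name matching alone will miss a renamed or bundled jar.

```python
import re
from pathlib import PureWindowsPath

# Thresholds taken from the advisory text above.
MIN_FIXED = (2, 16, 0)      # summary: update Log4j to 2.16 or later
HOTFIX_TARGET = (2, 17, 1)  # Log4j version delivered by the ALM hotfix

# log4j-core-<major>.<minor>[.<patch>].jar holds the affected lookup code.
CORE_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)
# Other Log4j 2 artifacts (api, 1.2-api bridge, ...) share the naming scheme.
OTHER_RE = re.compile(r"^log4j-[a-z0-9.\-]+-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)


def triage(path):
    """Return (verdict, reason) for one path reported by a '*log4j*' scan."""
    name = PureWindowsPath(path).name  # accepts both \ and / separators
    m = CORE_RE.match(name)
    if m:
        version = tuple(int(part or 0) for part in m.groups())
        shown = ".".join(map(str, version))
        if version < MIN_FIXED:
            return "VULNERABLE", "log4j-core %s is below 2.16" % shown
        if version < HOTFIX_TARGET:
            return "UPDATE", "log4j-core %s is below the 2.17.1 hotfix" % shown
        return "OK", "log4j-core %s is at or above 2.17.1" % shown
    if OTHER_RE.match(name):
        return "REVIEW", "Log4j 2 jar other than core; upgrade it with core"
    if name.lower().startswith("log4javascript"):
        return "IGNORE", "log4javascript is a JavaScript library, not Log4j 2"
    return "UNKNOWN", "matched *log4j* but is not a recognised Log4j 2 jar name"


# Constructed sample: file names as quoted in the comments, made-up directory.
SAMPLE = [
    r"C:\example\lib\log4j-core-2.13.0.jar",
    r"C:\example\lib\log4j-api-2.13.0.jar",
    r"C:\example\lib\log4j-1.2-api-2.13.0.jar",
    r"C:\example\ext\log4javascript_uncompressed.js",
    r"C:\example\lib\log4j-core-2.13.0.jarv",
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, reason = triage(p)
        print("%-10s %s (%s)" % (verdict, PureWindowsPath(p).name, reason))
```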

Comment List
  •   in reply to Philip Rousseau

    It is updated in the above content, and you can also check here.

  •   in reply to Jerry2

    This is a scan from ISO:

    Index Query File Details[0, *, *log4j*, *, *, *, *, *, 10]:Directory Path

    Index Query File Details[0, *, *log4j*, *, *, *, *, *, 10]:File Name

    C:\Program Files (x86)\Micro Focus\Sprinter\Installations\Chrome\Extension\Agent\ThirdParty
    C:\Program Files (x86)\Micro Focus\Sprinter\Installations\Chrome\Extension\Agent\ThirdParty
    C:\Program Files (x86)\Micro Focus\Sprinter\Installations\Edge\Extension\Agent\ThirdParty
    C:\Program Files (x86)\Micro Focus\Sprinter\Installations\Edge\Extension\Agent\ThirdParty
    C:\Users\svsprak\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\pmapbmihblakhgodloklimjbaoohkiop\15.0.2.3122_0\Agent\ThirdParty
    C:\Users\svsprak\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\pmapbmihblakhgodloklimjbaoohkiop\15.0.2.3122_0\Agent\ThirdParty

    Chrome                                                 Edge

    15.0.2.3122_0

    log4javascript_lite_uncompressed.js
    log4javascript_uncompressed.js
    log4javascript_lite_uncompressed.js
    log4javascript_uncompressed.js
    log4javascript_lite_uncompressed.js
    log4javascript_uncompressed.js

  •   in reply to Mike_Engel_

    Can you show us more information like the path of the log4j files? There's no log4j inside Sprinter installation. Please give us more info to let us find out which product is referencing those jars.

    log4javascript* is not relevant at all.

  •  

    Sprinter browser extension uses log4j as well.  Any impact to Sprinter?

    - Here is an excerpt:

    log4j-1.2-api-2.13.0.jarv
    log4j-api-2.13.0.jarv
    log4j-core-2.13.0.jarv
    log4j-1.2-api-2.13.0.jar
    log4j-api-2.13.0.jar
    log4j-core-2.13.0.jar
    log4javascript_lite_uncompressed.js
    log4javascript_uncompressed.js
    log4javascript_lite_uncompressed.js
    log4javascript_uncompressed.js

  •   in reply to Danita Meads

    Global Search interfaces with ALM but is not within the ALM application. Global Search is its own host application which installs on Windows or Linux on apache-tomcat-8.0.30. A patch or mitigation procedure will be released for Global Search as soon as it is available.

  •  

    We are currently on 12.53 of ALM which I understand is not affected; however, you do indicate that in Global Search - all versions are impacted. Doesn't 12.53 include Global Search?

  •  

    We have log4j hotfix files with a procedure for ALM/Quality Center 15.5x and 16.x. Refer to the article here and the hotfix article here

    Notice: the hotfix is only applicable for ALM/Quality Center. It has not been QAed or approved in ALM Octane

  •   in reply to Mike Zhang

    Thank you for the clarification.

  •   in reply to Philip Rousseau

    You can follow the above approach to mitigate this issue, and we are working on the method to update log4j and will publish it soon. As you may know, the log4j 2.15 version still has some problems, so we'd want to ensure all users have a fine solution.

  •   in reply to Mike Zhang

    How can we upgrade to Log4j 2.15 / 2.16 for ALM 15.5 ?
