Which ArcSight products are vulnerable to the CVE?
What is the Patch Release Program or Mitigation for the topic?
Is ArcMC affected by this CVE? According to the link https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/amp/
It mentions upgrading the log4j version to 2.15. I checked the 8.2 connector and can see it uses version 2.13.
I have added the property mentioned in the link above to agent.wrapper.conf. Not sure if it is the right location. Any ideas?
-Dlog4j2.formatMsgNoLookups=true
I got an answer from ESM support on how to mitigate this:
--------------------------------
As per your request, please be informed that only ESM 7.5 is impacted, pre-ESM 7.5 release versions are NOT impacted by this CVE.
Please follow the guidelines below to help mitigate this vulnerability on only ESM 7.5:
0. For ESM compact mode, please apply the steps on the manager node. For ESM distributed mode, please apply the steps on all nodes.
1. /etc/init.d/arcsight_services stop all
2. cd to $ARCSIGHT_HOME and do a find . -name 'log4j-core*.jar' (In ESM, the location is /opt/arcsight/manager/lib/modules/log4j-core-2.13.3.jar)
3. cd to directory where log4j-core* is present
4. Backup log4j-core-*.jar to a different location e.g. $ARCSIGHT_HOME/CVE-2021-44228
5. Unzip log4j-core-*.jar to verify the presence of JndiLookup class. (The below command will output the class)
a. unzip -t log4j-core-*.jar | grep -i jndilookup
6. Delete the file using this command
a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
7. Unzip the file again to confirm that the class is removed. (No output will be displayed)
a. unzip -t log4j-core-*.jar | grep -i jndilookup
8. /etc/init.d/arcsight_services start all
Kindly note that only the ESM mitigation steps have been approved by our security team. The other ArcSight products are still undergoing testing.
----------------------------
Besides the ESM case, I opened a case for Logger 7 and SmartConnector 8.1 as well.
When I get a statement for these products I'll share it.
Case response for SmartConnector 8.1:
Regarding your concern, please be informed that SmartConnector version 8.1 is not affected by CVE-2021-44228. However, SmartConnector version 8.2 is currently under investigation and might be affected.
Our security and dev teams are aware of this CVE and are currently working on it.
In the meantime, please consider staying on version 8.1 and stop any plan to upgrade to a later version until we have new information or an update for this CVE.
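The check/back-up/remove/verify cycle that the support reply lays out (steps 2 and 4 to 7: find the log4j-core jar, copy it aside, confirm JndiLookup.class is present, delete it, confirm it is gone), as an added example that is not from this thread, from ESM support or from Micro Focus. It uses Python's standard zipfile module in place of the zip/unzip commands, does not include the arcsight_services stop/start steps, and the $ARCSIGHT_HOME default, the function names and the CVE-2021-44228 backup directory name are assumptions. Because the support steps put the backup under $ARCSIGHT_HOME, a second find would match the backed-up jar too, so the walk skips anything inside the backup directory.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry inside log4j-core jars that the support steps delete (assumed to be
# the exact path; the grep in the steps matches it case-insensitively).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Step 2: equivalent of `find . -name 'log4j-core*.jar'` below root."""
    return sorted(str(p) for p in Path(root).rglob("log4j-core*.jar") if p.is_file())


def has_jndi_lookup(jar_path):
    """Steps 5 and 7: equivalent of `unzip -t jar | grep -i jndilookup`."""
    with zipfile.ZipFile(jar_path) as jar:
        return any("jndilookup" in name.lower() for name in jar.namelist())


def remove_jndi_lookup(jar_path, backup_dir):
    """Step 4 (backup) then step 6 (delete the class entry).

    zipfile cannot delete an entry in place, so every other member is copied
    into a temporary jar in the same directory, which then replaces the
    original atomically. Returns the list of entries that were dropped.
    """
    os.makedirs(backup_dir, exist_ok=True)
    shutil.copy2(jar_path, os.path.join(backup_dir, os.path.basename(jar_path)))

    dropped = []
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=jar_dir)
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if "jndilookup" in info.filename.lower():
                    dropped.append(info.filename)
                    continue
                # Passing the ZipInfo keeps the original compression and timestamps.
                dst.writestr(info, src.read(info.filename))
        os.replace(tmp_path, jar_path)
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return dropped


def mitigate_tree(root, backup_dir):
    """Run the cycle over every log4j-core jar under root and report per jar."""
    backup_abs = os.path.abspath(backup_dir)
    report = {}
    for jar in find_log4j_core_jars(root):
        if os.path.abspath(jar).startswith(backup_abs + os.sep):
            continue  # skip our own backups so they are not "found" again
        before = has_jndi_lookup(jar)
        dropped = remove_jndi_lookup(jar, backup_dir) if before else []
        report[jar] = {"before": before, "after": has_jndi_lookup(jar), "dropped": dropped}
    return report


if __name__ == "__main__":
    import sys

    # Assumed default; ESM support quoted /opt/arcsight/manager/lib/modules for the jar.
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("ARCSIGHT_HOME", "/opt/arcsight")
    for jar, r in mitigate_tree(home, os.path.join(home, "CVE-2021-44228")).items():
        print(f"{jar}: JndiLookup before={r['before']} after={r['after']} dropped={r['dropped']}")
```

Run it with the services stopped (step 1) and start them again afterwards (step 8); a jar whose "after" is still True has not been mitigated and should be inspected by hand.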