
CVE-2021-44228 - What products are vulnerable

Which ArcSight products are vulnerable to the CVE?
What is the Patch Release Program or Mitigation for the topic?

  • I got an answer from ESM support on how to mitigate this:
    --------------------------------
    As per your request, please be informed that only ESM 7.5 is impacted; pre-ESM 7.5 release versions are NOT impacted by this CVE.

    Please follow the guidelines below to help mitigate this vulnerability on ESM 7.5 only:

    0. For ESM compact mode, apply the steps on the manager node. For ESM distributed mode, apply the steps on all nodes.
    1. /etc/init.d/arcsight_services stop all
    2. cd to $ARCSIGHT_HOME and run find . -name 'log4j-core*.jar' (in ESM, the location is /opt/arcsight/manager/lib/modules/log4j-core-2.13.3.jar)
    3. cd to the directory where log4j-core*.jar is present
    4. Back up log4j-core-*.jar to a different location, e.g. $ARCSIGHT_HOME/CVE-2021-44228
    5. List the contents of log4j-core-*.jar to verify the presence of the JndiLookup class. (The command below will output the class.)
    a. unzip -t log4j-core-*.jar | grep -i jndilookup
    6. Delete the class from the jar using this command:
    a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    7. List the contents again to confirm that the class has been removed. (No output will be displayed.)
    a. unzip -t log4j-core-*.jar | grep -i jndilookup
    8. /etc/init.d/arcsight_services start all

    Kindly note that only the ESM mitigation steps have been approved by our security team. The other ArcSight products are still undergoing testing.
    ----------------------------


  • Case response for SmartConnector 8.1:
    Regarding your concern, please be informed that SmartConnector version 8.1 is not affected by CVE-2021-44228. However, SmartConnector version 8.2 is currently under our investigation and might be affected.

    Our security and dev teams are aware of this CVE and are currently working on it.

    In the meantime, please consider staying on version 8.1 and stop any plan for upgrading to a later version until we have new information or an update for this CVE.

  • Case response for Logger 7.0:

    Please be informed that Logger 7.0 is not affected by CVE-2021-44228. However, Logger version 7.2 and higher might be affected.

    Our internal team is aware of this CVE and currently working on it. In the meantime, please avoid unnecessary upgrades until we have a new update regarding this.