Fortify Software Security Center & CVE-2021-44228

Fortify SSC v20.* is vulnerable with respect to CVE-2021-44228.

Any experience using the Log4J settings work around? 

  • Statement made available from Micro Focus legal around 12/12/2021 @ 5:34 pm CST.

    1. Are you aware of Log4J or Log4Shell/LogJam ( CVE-2021-44228 )?
      Yes, and at this point Micro Focus’ review has found no indications of a vulnerability being exploited. We continue to monitor closely.
    2. What is Micro Focus doing?
      • The appropriate security teams are fully engaged and have been since we were first alerted on Friday. 
      • We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.
      • In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject. 
      • At the Micro Focus network enterprise level our internal security tooling has been updated and we will continue to monitor our operations for issues.  

    ----

    If you've identified anything to the contrary you can report it here: www.microfocus.com/.../product-security-response-center

  • Hi Ebell,

    Can we create a template in the audit workbench to block any project that contains a call to the lib org.apache.logging.log4j:log4j-core? If it is possible, can you tell me how?

  • @ebell. Can you clarify, are you saying (a) that your SSC software is not susceptible to the vulnerability even though it contains impacted versions of log4j, or (b) that you are not aware of any exploits on your hosted SSC/Scan central service?

    If there is an official position statement on this issue, please can you post a link?

  • David, that's all I have at the moment. I know CyberRes and each product is working toward further specifics.

  • In my client environment I've (stopped the Tomcat service and) replaced

    on SSC
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-slf4j-impl-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\iidmigrator\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\iidmigrator\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\runtime-bridge\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\runtime-bridge\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-jul-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-slf4j-impl-2.14.1.jar

    on ScanCentral SAST controller
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-1.2-api-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-jcl-2.14.1.jar

    with the proper log4j-*-2.15.0.jar files extracted from the latest Log4j version downloaded from logging.apache.org/.../download.html

    Can Micro Focus confirm that this mitigation resolves the CVE-2021-44228 vulnerability?

    thanks 

    -- 
    Pawel
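After a manual jar swap like the one above, the check a practitioner wants is an inventory of every log4j-core jar still on disk, with the version read from the jar's own Maven metadata rather than trusted from the file name. The following is an added example, not code from the thread or from Micro Focus: it walks a webapp tree for `log4j-core-*.jar`, reads `pom.properties` and looks for `JndiLookup.class`, and flags 2.x versions below 2.15.0 (the release Pawel swapped in) as affected by CVE-2021-44228. The `demo()` function builds constructed fixture jars mirroring the `WEB-INF/lib` and `WEB-INF/externallib` layout from the post; the fixture paths and versions are assumptions for illustration, not a real SSC install.

```python
"""Added example (not from the thread or from Micro Focus): inventory log4j-core jars
under a Tomcat webapps tree and flag versions affected by CVE-2021-44228."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # version swapped in above; later releases are outside this thread


def parse_version(text):
    """Extract an (major, minor, patch) tuple from a version string or file name."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Read version from pom.properties (falling back to the file name) and whether
    JndiLookup.class is present. has_jndi_lookup is None if the jar is unreadable."""
    version, has_jndi = None, None
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            has_jndi = JNDI_LOOKUP in names
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass
    if version is None:
        version = parse_version(Path(path).name)
    return {"path": str(path), "version": version, "has_jndi_lookup": has_jndi}


def is_vulnerable(info):
    """CVE-2021-44228 affects log4j-core 2.x below 2.15.0. A jar whose version cannot be
    determined, or that cannot be opened, is flagged so it gets inspected by hand.
    A 2.x jar with JndiLookup.class removed is the Apache-documented class-removal
    mitigation and is not flagged."""
    v = info["version"]
    if v is None:
        return True
    if v[0] != 2 or v >= FIXED:
        return False
    return info["has_jndi_lookup"] is not False


def scan(root):
    """Return one finding per log4j-core-*.jar under root, sorted by path."""
    findings = []
    for p in Path(root).rglob("log4j-core-*.jar"):
        info = inspect_jar(p)
        info["vulnerable"] = is_vulnerable(info)
        findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def make_sample_jar(path, version, include_jndi=True):
    """Constructed fixture: a minimal jar carrying only pom.properties and, optionally,
    a placeholder JndiLookup.class entry (not real bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed tree mirroring the SSC layout from the post and scan it.
    Returns {relative_path: finding}."""
    fixtures = {  # assumed layout; versions chosen to show each outcome
        "WEB-INF/lib/log4j-core-2.14.1.jar": ("2.14.1", True),
        "WEB-INF/externallib/birtrunner/log4j-core-2.15.0.jar": ("2.15.0", True),
        "WEB-INF/externallib/iidmigrator/log4j-core-2.14.1.jar": ("2.14.1", False),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, (ver, jndi) in fixtures.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            make_sample_jar(root / rel, ver, jndi)
        return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f
                for f in scan(root)}


if __name__ == "__main__":
    for rel, f in demo().items():
        print(f"{'VULNERABLE' if f['vulnerable'] else 'ok        '} {rel} "
              f"version={f['version']} jndi_lookup={f['has_jndi_lookup']}")
```

Run it against a real install with `scan(r"apps\Tomcat\webapps")` instead of `demo()`. Note that the scan targets `log4j-core` only: `log4j-api`, `log4j-jul`, `log4j-jcl`, `log4j-slf4j-impl` and `log4j-1.2-api` listed in the post are bridges and do not contain the JNDI lookup, although mixing bridge and core versions is its own source of breakage, which is why the post replaces the whole set.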

  • My recommendation would be to follow the information provided in the above-referenced links and product security bulletins. If you need additional assistance, clarification, etc. please open a ticket with support.