CVE-2021-44228 vulnerability for GroupWise


SUPPORT COMMUNICATION - SECURITY BULLETIN
Potential Security Impact: Remote code execution

VULNERABILITY SUMMARY
A potential vulnerability has been identified in the Apache log4j library used by GroupWise.
The vulnerability could be exploited to allow remote code execution.

CVE References: CVE-2021-44228


SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
GroupWise – 18.3
GroupWise – 18.3.1

UNSUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
GroupWise – 18.0
GroupWise – 18.0.1
GroupWise – 18.0.2
GroupWise – 18.1
GroupWise – 18.1.1
GroupWise – 18.2
GroupWise – 18.2.1

CVSS Version 3.1 Metrics:

| Reference | V3.1 Vector | V3.1 Base Score |
|---|---|---|
| CVE-2021-44228 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 |


RESOLUTION:
The vulnerability can be mitigated by upgrading to the field test file builds for versions 18.3.1 and 18.2.1, which can be obtained by contacting support. If you are unable to upgrade, the vulnerability can be mitigated by disabling the lookup feature of log4j, which is done by removing the JndiLookup class from log4j for each of the affected GroupWise components: GroupWise Administration, GroupWise Calendar Server and GroupWise Web applications.

To remove the vulnerable JndiLookup class for GroupWise Admin on Linux, perform the following steps using an account that has root privileges:

  1. In a terminal window, go to the GroupWise Server software directory, i.e. /opt/novell/groupwise.

 

  2. Go to the admin/lib directory. Run the following command to remove JndiLookup.class from log4j-core.jar:


zip -q -d log4j-core.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 

  3. Go to the admin/webapps directory. Run the following command to remove DENY WRITE access:


chmod -R 0775 ./gwadmin-console
 

  4. Go to the admin/webapps/gwadmin-console/WEB-INF/lib directory. Run the following command to remove JndiLookup.class from log4j-core-2.13.3.jar:


zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.

 

  5. Go to the admin/webapps directory. Run the following command to restore DENY WRITE acc


chmod -R 0555 ./gwadmin-console

To remove the vulnerable JndiLookup class for GroupWise Admin on a Windows Server, perform the following steps using an account that is a member of the Administrators group:

  1. Using File Explorer go to the GroupWise Server installation directory.

 

  2. Select the admin\lib\webapps\gwadmin-console directory, right-click and select Properties. Select the Security tab and click Edit. In the “Group or user names” list select Administrators, then in the Permissions window unselect “Write” in the “Deny” column. Click OK to save changes. Click OK to return to the directory list.

 

  3. Repeat step #2 for the admin\lib\webapps\gwadmin-service directory.

 

  4. Leave File Explorer running and launch a Command window as Administrator.

 

  5. In a terminal go to the GroupWise Server installation directory.

 

  6. Go to the admin\lib directory. Run the following command to remove JndiLookup.class from log4j-core.jar:


zip -q -d log4j-core.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 

  7. Go to the admin\webapps\gwadmin-console\WEB-INF\lib directory. Run the following command to remove JndiLookup.class from log4j-core-2.13.3.jar:


zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
 

  8. Go to the admin\webapps\gwadmin-service\WEB-INF\lib directory. Run the following command to remove JndiLookup.class from log4j-core-2.13.3.jar:


zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
 

  9. In File Explorer select the admin\lib\webapps\gwadmin-console directory, right-click and select Properties. Select the Security tab and click Edit. In the “Group or user names” list select Administrators, then in the Permissions window select “Write” in the “Deny” column. Click OK to save changes. Click OK to return to the directory list.

 

  10. Repeat the previous step for the admin\lib\webapps\gwadmin-service directory.


To remove the vulnerable JndiLookup class for GroupWise Calendar Server, the following steps should be performed:

  1. In a terminal go to the directory runner/lib under the GroupWise Calendar Server installation directory (/opt/novell/groupwise/calsvr by default).

 

  2. Run the following command to remove JndiLookup.class from log4j-core-2.11.0.jar:


zip -q -d log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
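
To confirm that the removal took effect on every copy, the following Python script walks an installation directory and reports each log4j-core jar with whether JndiLookup.class is still present. It is an added example, not part of the original bulletin or of GroupWise; the function names, the recursion into nested .war/.ear archives and the flagging of other archives that bundle the class are assumptions of this example.

```python
import io
import os
import sys
import zipfile

# Entry that the bulletin's "zip -q -d" commands delete from each log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def check_archive(data, label, findings):
    """Append (label, still_has_jndi) for `data` and any archive nested in it."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip archive; skip it
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names
        is_core = os.path.basename(label).lower().startswith("log4j-core")
        # Report every log4j-core jar (patched or not), plus any other archive
        # that bundles the class directly (assumption: shaded/fat jars matter too).
        if is_core or has_jndi:
            findings.append((label, has_jndi))
        # Jars can sit inside a .war/.ear or another jar; recurse in memory.
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                check_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)


def scan(root):
    """Walk `root` and return sorted [(path, still_has_jndi)] findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                check_archive(path, path, findings)
    return sorted(findings)


if __name__ == "__main__":
    # Default is the Linux install directory named in the bulletin.
    results = scan(sys.argv[1] if len(sys.argv) > 1 else "/opt/novell/groupwise")
    for path, vulnerable in results:
        print(("STILL PRESENT  " if vulnerable else "removed        ") + path)
    sys.exit(1 if any(v for _, v in results) else 0)
```

The script exits with status 1 if any archive still contains the class, so it can be run after the steps above and again after any later upgrade that might replace the jars.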


New 18.3.1 and 18.2.1 GroupWise versions will soon be available for upgrade.

Steps are still being verified for removing the vulnerable JndiLookup class for affected GroupWise web applications.  This document will be updated as soon as these steps are available.
