Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
SUPPORT COMMUNICATION - SECURITY BULLETIN
Potential Security Impact: Remote code execution
VULNERABILITY SUMMARY
A potential vulnerability has been identified in the Apache log4j library used by GroupWise.
The vulnerability could be exploited to allow remote code execution.
SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
GroupWise – 18.3
GroupWise – 18.3.1
UNSUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
GroupWise – 18.0
GroupWise – 18.0.1
GroupWise – 18.0.2
GroupWise – 18.1
GroupWise – 18.1.1
GroupWise – 18.2
GroupWise – 18.2.1
CVSS Version 3.1 Metrics:
Reference | V3.1 Vector | V3.1 Base Score |
CVE-2021-44228 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 |
RESOLUTION:
The vulnerability can be mitigated by upgrading to field test file builds for versions 18.3.1 and 18.2.1 which can obtained by contacting support. If you are unable to upgrade, the vulnerability can be mitigated by disabling the lookup feature of log4j by removing the JndiLookup class from Log4j for each of the GroupWise components affected: GroupWise Administration, GroupWise Calendar Server and GroupWise Web applications.
To remove the vulnerable JndiLookup class for GroupWise Admin on Linux, perform the following steps using an account that has root privileges:
zip –q -d log4j-core.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
chmod -R 0775 ./gwadmin-console
zip –q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
chmod -R 0555 ./gwadmin-console
To remove the vulnerable JndiLookup class for GroupWise Admin on a Windows Server, perform the following steps using an account that is a member of the Administrators group:
zip –q -d log4j-core.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip –q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
zip –q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
To remove the vulnerable JndiLookup class for GroupWise Calendar Server, the following steps should be performed:
zip -q -d log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For earlier versions of GroupWise the version of log4j-core may differ. Adjust the command to match the log4j-core version.
New 18.3.1 and 18.2.1 GroupWise versions will soon be available for upgrade.
Steps are still being verified for removing the vulnerable JndiLookup class for affected GroupWise web applications. This document will be updated as soon as these steps are available.
Top Comments