IBM Support

Control Center Critical Vulnerability Alert CVE-2021-44228

Troubleshooting


Problem

Apache has disclosed a critical vulnerability CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

Symptom

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all versions from 2.0-beta9 to 2.14.1

Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Cause

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

Resolving The Problem

Apply the latest iFix for 6.1.3.0, 6.2.0.0, 6.2.1.0 from IBM Fix Central; see the links below.

Workaround until the fix is applied, or for older versions for which fixes are no longer made:

IBM Sterling Control Center

Instructions to mitigate CVE-2021-44228 zero day log4j2 vulnerability

Specify the following system property in the files listed below, then restart Control Center:

-Dlog4j2.formatMsgNoLookups=true   

======================================================  

Unix: <install>/bin/runEngine.sh

Add the following line to the grouping beginning with “JAVA_SYSTEM_VAR=”   

JAVA_SYSTEM_VAR="$JAVA_SYSTEM_VAR -Dlog4j2.formatMsgNoLookups=true "

======================================================   

Windows: <install>/bin/runEngine$.lax

Add the property to the lax.nl.java.option.additional section as follows:

lax.nl.java.option.additional=-server -Xbootclasspath/p: -XX:+UseParallelGC -XX:+HeapDumpOnOutOfMemoryError -Xms256m -Xmx4096m -Dopenjpa.DynamicEnhancementAgent=false -Djava.util.Arrays.useLegacyMergeSort=true -Dfile.encoding=UTF-8 -Dlog4j.debug=false -Djava.util.logging.config.file=../conf/javalogging.properties -Dlog4j.defaultInitOverride=true -Dlog4j.configurationFile=../conf/EngineLogger.xml -DBrowserAgent=true -DCONFIG_DIR=../conf -DADD_ACTIVE_ALERTS_TO_DB_USING_OPENJPA=true -DLAUNCH_MODE=service -Djava.security.properties=../conf/CC_java.security -Djava.net.preferIPv4Stack=true  -Dlog4j2.formatMsgNoLookups=true

=========================================================   

Control Center 6.2.x

<install>/web/ccbase/start.ini

Add the following line:  -Dlog4j2.formatMsgNoLookups=true  

==========================================================   

Control Center 6.1.x (and earlier)

<install>/web/wlp/usr/servers/defaultServer/jvm.options

Add the following line:  -Dlog4j2.formatMsgNoLookups=true  

===========================================================       
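As an added example, not part of the IBM advisory: a POSIX shell script that applies the Unix edits above idempotently (runEngine.sh, start.ini, jvm.options), keeps a backup of each edited file, and reports which files carry the property so the change can be verified before the restart. The <install> path is passed as the first argument; the Windows runEngine$.lax edit is not covered.

```shell
#!/bin/sh
# Added example, not IBM's code: idempotently apply the advisory's Unix edits and
# report which Control Center files carry the property (install dir given as $1).
PROP='-Dlog4j2.formatMsgNoLookups=true'

# has_mitigation FILE -> succeeds when FILE already contains the property
has_mitigation() { grep -q -- "$PROP" "$1"; }

# add_to_line_file FILE -> start.ini / jvm.options take one JVM option per line
add_to_line_file() {
    has_mitigation "$1" && return 0
    cp "$1" "$1.bak"                         # keep a backup before editing
    printf '%s\n' "$PROP" >> "$1"
}

# add_to_run_engine FILE -> runEngine.sh: extend the JAVA_SYSTEM_VAR grouping
add_to_run_engine() {
    has_mitigation "$1" && return 0
    last=$(grep -n '^JAVA_SYSTEM_VAR=' "$1" | tail -n 1 | cut -d: -f1)
    if [ -z "$last" ]; then echo "no JAVA_SYSTEM_VAR grouping in $1" >&2; return 1; fi
    cp "$1" "$1.bak"
    # insert the advisory's line right after the last JAVA_SYSTEM_VAR= line
    awk -v n="$last" -v p="$PROP" \
        '{ print } NR == n { print "JAVA_SYSTEM_VAR=\"$JAVA_SYSTEM_VAR " p " \"" }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# report_mitigation FILE... -> one status line per file; fails if any lacks it.
# A file that does not exist belongs to another release (6.1.x vs 6.2.x) and
# is reported as ABSENT without failing.
report_mitigation() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then echo "ABSENT   $f"
        elif has_mitigation "$f"; then echo "OK       $f"
        else echo "MISSING  $f"; rc=1; fi
    done
    return $rc
}

# apply_all INSTALL_DIR -> edit whichever of the advisory's files exist, then report
apply_all() {
    add_to_run_engine "$1/bin/runEngine.sh" || return 1
    for f in "$1/web/ccbase/start.ini" "$1/web/wlp/usr/servers/defaultServer/jvm.options"; do
        if [ -f "$f" ]; then add_to_line_file "$f"; fi
    done
    report_mitigation "$1/bin/runEngine.sh" "$1/web/ccbase/start.ini" \
        "$1/web/wlp/usr/servers/defaultServer/jvm.options"
}
if [ $# -ge 1 ]; then apply_all "$1"; fi      # restart Control Center afterwards
```

Run it a second time after the restart to confirm every applicable file still reports OK; the iFix from Fix Central remains the actual fix.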

Document Location

Worldwide


Document Information

Modified date:
15 December 2021

UID

ibm16525828