Troubleshooting
Problem
Symptom
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Versions Affected: all versions from 2.0-beta9 to 2.14.1
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
Cause
Resolving The Problem
Apply the latest iFix for 6.1.3.0, 6.2.0.0 or 6.2.1.0 from IBM Fix Central; see links below.
Workaround until the fix is applied, or for older versions where fixes are no longer made:
IBM Sterling Control Center
Instructions to mitigate CVE-2021-44228 zero day log4j2 vulnerability
Add the following system property in each of the files listed below, then restart Control Center:
-Dlog4j2.formatMsgNoLookups=true
======================================================
Unix: <install>/bin/runEngine.sh
Add the following line to the group of lines beginning with “JAVA_SYSTEM_VAR=”:
JAVA_SYSTEM_VAR="$JAVA_SYSTEM_VAR -Dlog4j2.formatMsgNoLookups=true "
======================================================
Windows: <install>/bin/runEngine$.lax
Append the property to the end of the lax.nl.java.option.additional line, as follows:
lax.nl.java.option.additional=-server -Xbootclasspath/p: -XX:+UseParallelGC -XX:+HeapDumpOnOutOfMemoryError -Xms256m -Xmx4096m -Dopenjpa.DynamicEnhancementAgent=false -Djava.util.Arrays.useLegacyMergeSort=true -Dfile.encoding=UTF-8 -Dlog4j.debug=false -Djava.util.logging.config.file=../conf/javalogging.properties -Dlog4j.defaultInitOverride=true -Dlog4j.configurationFile=../conf/EngineLogger.xml -DBrowserAgent=true -DCONFIG_DIR=../conf -DADD_ACTIVE_ALERTS_TO_DB_USING_OPENJPA=true -DLAUNCH_MODE=service -Djava.security.properties=../conf/CC_java.security -Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true
=========================================================
Control Center 6.2.x
<install>/web/ccbase/start.ini
Add the following line: -Dlog4j2.formatMsgNoLookups=true
==========================================================
Control Center 6.1.x (and earlier)
<install>/web/wlp/usr/servers/defaultServer/jvm.options
Add the following line: -Dlog4j2.formatMsgNoLookups=true
===========================================================
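Added verification script, not part of the IBM document: it checks each Unix-side Control Center file named above for the property and, optionally, asks a running JVM whether it actually picked the flag up after the restart. The install root CC_INSTALL and the availability of the JDK jcmd tool are assumptions.

```shell
#!/bin/sh
# Verify the log4j2.formatMsgNoLookups mitigation in IBM Sterling Control Center.
# CC_INSTALL is an assumed install root; override it in the environment.
CC_INSTALL="${CC_INSTALL:-/opt/IBM/ControlCenter}"

# has_mitigation FILE: 0 if FILE contains the property set to true, else 1.
has_mitigation() {
    grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1" 2>/dev/null
}

# check_cc_mitigation: inspects the files listed in the document (engine script,
# 6.2.x start.ini, 6.1.x jvm.options). Files that do not exist are skipped, so a
# 6.2.x install is not flagged for the 6.1.x file. Returns the number of files
# that exist but lack the property (0 means every present file is mitigated).
check_cc_mitigation() {
    missing=0
    for f in "$CC_INSTALL/bin/runEngine.sh" \
             "$CC_INSTALL/web/ccbase/start.ini" \
             "$CC_INSTALL/web/wlp/usr/servers/defaultServer/jvm.options"; do
        if [ ! -f "$f" ]; then
            printf 'SKIP    (not present): %s\n' "$f"
        elif has_mitigation "$f"; then
            printf 'OK      : %s\n' "$f"
        else
            printf 'MISSING : %s\n' "$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# jvm_has_mitigation PID: confirms the restarted engine JVM really carries the
# property by reading its live system properties with jcmd (JDK tool, assumed
# on PATH). Returns 0 only if the property is present and set to true.
jvm_has_mitigation() {
    jcmd "$1" VM.system_properties 2>/dev/null \
        | grep -q '^log4j2.formatMsgNoLookups=true$'
}
```

Run check_cc_mitigation after editing the files, and jvm_has_mitigation with the engine's PID after the restart; a non-zero exit from either means the workaround is not yet in effect.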
Related Information
Document Location
Worldwide
Document Information
Modified date:
15 December 2021
UID
ibm16525828