
Security Bulletin: Vulnerability in SANnav Software used by IBM b-type SAN directors and switches.



Summary

The Brocade SANnav Management Portal and Global View products do not directly use Log4j2, but other modules used by Brocade SANnav do call and contain Log4j2 code. Brocade SANnav does not expose direct access to these services. However, it is recommended to disable the vulnerable functionality even if the system is believed to not be exploitable with the currently available information.

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)    Version(s)
SANnav                 2.0.x
SANnav                 2.1.x

Remediation/Fixes

  1. The Brocade SANnav Management Portal and Global View products do not directly use Log4j2, but other modules used by Brocade SANnav do call and contain Log4j2 code. Brocade SANnav does not expose direct access to these services, so Brocade SANnav may not be exploitable. However, it is recommended to disable the vulnerable functionality even if the system is believed to not be exploitable.

    The remediation recommendation provided in this document should be applied to all versions of Brocade SANnav 2.1.1.

    Note: The remediation steps below (for both SANnav Management Portal and Global View) modify properties that will be lost if the server is restored. Repeat the same steps after any restore of the server.

    For versions of SANnav older than 2.1.1 (i.e. SANnav 2.1.0a and below), it is recommended to first upgrade to Brocade SANnav 2.1.1 and then apply the recommended remediation steps.

    Brocade SANnav 2.2.0 will have the vulnerable functionality disabled prior to release.

    Solution: Remediation Recommendation Steps for SANnav 2.1.1

    Remediation steps to disable vulnerable functionality within the Brocade SANnav 2.1.1 Management Portal and SANnav 2.1.1 Global View products are shown here:

The same remediation steps are not required on the future Brocade SANnav 2.2.0 Management Portal or Brocade SANnav 2.2.0 Global View versions, as the vulnerable functionality is disabled in the 2.2.0 version of Brocade SANnav.

SANnav Management Portal

SANnav 2.1.1 with Base/Enterprise License to manage up to 3000 ports - 48GB <= Memory <= 96GB

Step #1:
Log in to the SANnav server as the root user.

Step #2:
Stop the SANnav server.

Run the script stop-sannav.sh.

Use the script <SANnav Installation Folder>/bin/stop-sannav.sh

For example: /opt/Portal_2.1.1_bld184/bin/stop-sannav.sh

Step #3:
Run the following commands:

docker service update --env-add "JVM_OPTS=-server -Xms1792m -Xmx2048m -Dlog4j2.formatMsgNoLookups=true -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/ignite/gridgain-professional-fabric-2.5.11/work/log -XX:+ExitOnOutOfMemoryError -XX:+PrintGC -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=3 -XX:GCLogFileSize=100M -Xloggc:/opt/ignite/gridgain-professional-fabric-2.5.11/work/log/ignite-grid-node1-gc.log" dcm_2_1_1_ignite-grid-node1

docker service update --env-add "SCHEMA_REGISTRY_JMX_OPTS=-Dlog4j2.formatMsgNoLookups=true -Dcom.sun.management.jmxremote=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false" dcm_2_1_1_schema-registry

docker service update --env-add "KAFKA_JMX_OPTS=-Dlog4j2.formatMsgNoLookups=true -Dcom.sun.management.jmxremote=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false" dcm_2_1_1_kafka-1

Step #4:
Open the following file in an editor (vi/vim etc.), add the property -Dlog4j2.formatMsgNoLookups=true to the log4j 2 section as shown below, and save the file.

File to update: <SANnav Installation Folder>/conf/elasticsearch/jvm.options

For example: /opt/Portal_2.1.1_bld184/conf/elasticsearch/jvm.options

Add the property -Dlog4j2.formatMsgNoLookups=true so that the log4j 2 section of the file reads:

# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true

Step #5:
Start the SANnav server.

Run the script start-sannav.sh.
You can run <SANnav Installation Folder>/bin/start-sannav.sh

For example: /opt/Portal_2.1.1_bld184/bin/start-sannav.sh

Wait a few minutes and verify that you can log in to the client.

SANnav Management Portal

SANnav 2.1.1 with Enterprise License to manage 15000 ports - Memory >= 96G

Step #1:
Log in to the SANnav server as the root user.

Step #2:
Stop the SANnav server.

Run the script stop-sannav.sh.

Use the script <SANnav Installation Folder>/bin/stop-sannav.sh

For example: /opt/Portal_2.1.1_bld184/bin/stop-sannav.sh

Step #3:
Run the following commands:

docker service update --env-add "JVM_OPTS=-server -Xms6144m -Xmx6144m -Dlog4j2.formatMsgNoLookups=true -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/ignite/gridgain-professional-fabric-2.5.11/work/log -XX:+ExitOnOutOfMemoryError -XX:+PrintGC -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=3 -XX:GCLogFileSize=100M -Xloggc:/opt/ignite/gridgain-professional-fabric-2.5.11/work/log/ignite-grid-node1-gc.log" dcm_2_1_1_ignite-grid-node1

docker service update --env-add "SCHEMA_REGISTRY_JMX_OPTS=-Dlog4j2.formatMsgNoLookups=true -Dcom.sun.management.jmxremote=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false" dcm_2_1_1_schema-registry

docker service update --env-add "KAFKA_JMX_OPTS=-Dlog4j2.formatMsgNoLookups=true -Dcom.sun.management.jmxremote=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false" dcm_2_1_1_kafka-1

Step #4:
Open the following file in an editor (vi/vim etc.), add the property -Dlog4j2.formatMsgNoLookups=true to the log4j 2 section as shown below, and save the file.

File to update: <SANnav Installation Folder>/conf/elasticsearch/jvm.options

For example: /opt/Portal_2.1.1_bld184/conf/elasticsearch/jvm.options

Add the property -Dlog4j2.formatMsgNoLookups=true so that the log4j 2 section of the file reads:

# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true

Step #5:
Start the SANnav server.

Run the script start-sannav.sh.
You can run <SANnav Installation Folder>/bin/start-sannav.sh

For example: /opt/Portal_2.1.1_bld184/bin/start-sannav.sh

Wait a few minutes and verify that you can log in to the client.

SANnav Global View

Steps for SANnav Global View 2.1.1

Step #1:
Log in to the server as the root user.

Step #2:
Stop the SANnav Global View server.

Run the script stop-sannav.sh.

Use the script <SANnav Global View Installation Folder>/bin/stop-sannav.sh

For example: /opt/Global_2.1.1_bld184/bin/stop-sannav.sh

Step #3:
Run the following commands:

docker service update --env-add "JVM_OPTS=-server -Xms1536m -Xmx1792m -Dlog4j2.formatMsgNoLookups=true -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/gridgain-professional-fabric-2.5.11/work/log -XX:+ExitOnOutOfMemoryError -XX:+PrintGC -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=3 -XX:GCLogFileSize=100M -Xloggc:/opt/ignite/gridgain-professional-fabric-2.5.11/work/log/ignite-grid-node1-gc.log" dcm_2_1_1_ignite-grid-node

docker service update --env-add "KAFKA_JMX_OPTS=-Dlog4j2.formatMsgNoLookups=true -Dcom.sun.management.jmxremote=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false" dcm_2_1_1_kafka

Step #4:
Start the SANnav Global View server.

Run the script start-sannav.sh.
You can run <SANnav Global View Installation Folder>/bin/start-sannav.sh

For example: /opt/Global_2.1.1_bld184/bin/start-sannav.sh

Wait a few minutes and verify that you can log in to the client.
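The steps above only apply the mitigation; they give no way to confirm it survived a restart or a restore. The following check script is an added example, not part of the IBM/Brocade bulletin: it assumes the Management Portal service names, the example install folder and the jvm.options path quoted above (Global View uses the service names in GLOBALVIEW_SERVICES and has no Elasticsearch file step).

```shell
#!/bin/sh
# Added post-remediation check; not part of the IBM/Brocade bulletin.
# Assumes the SANnav 2.1.1 service names and the example install folder
# quoted in the bulletin. Run it after Step #5 (or after any restore).

PORTAL_SERVICES='JVM_OPTS:dcm_2_1_1_ignite-grid-node1 SCHEMA_REGISTRY_JMX_OPTS:dcm_2_1_1_schema-registry KAFKA_JMX_OPTS:dcm_2_1_1_kafka-1'
GLOBALVIEW_SERVICES='JVM_OPTS:dcm_2_1_1_ignite-grid-node KAFKA_JMX_OPTS:dcm_2_1_1_kafka'

# env_has_flag VAR: read "NAME=value" lines on stdin and succeed only if VAR
# is present and its value carries the mitigation flag as a whole token.
env_has_flag() {
    grep -E "^$1=" | grep -qE '(^|[= ])-Dlog4j2\.formatMsgNoLookups=true( |$)'
}

# jvm_options_has_flag FILE: succeed only if FILE has the flag on its own,
# uncommented line (a "#"-prefixed copy does not count).
jvm_options_has_flag() {
    grep -qxE '[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*' "$1"
}

# service_env SERVICE: print the environment of a swarm service, one entry per line.
service_env() {
    docker service inspect \
        --format '{{range .Spec.TaskTemplate.ContainerSpec.Env}}{{println .}}{{end}}' "$1"
}

# check_services "VAR:SERVICE ...": report each service; non-zero if any lacks the flag.
check_services() {
    rc=0
    for pair in $1; do
        var=${pair%%:*}; svc=${pair#*:}
        if service_env "$svc" | env_has_flag "$var"; then
            echo "OK       $svc ($var)"
        else
            echo "MISSING  $svc ($var)"; rc=1
        fi
    done
    return $rc
}

# Management Portal: the three docker services plus the Elasticsearch jvm.options file.
check_portal() {
    install=${1:-/opt/Portal_2.1.1_bld184}
    if check_services "$PORTAL_SERVICES"; then rc=0; else rc=1; fi
    f="$install/conf/elasticsearch/jvm.options"
    if jvm_options_has_flag "$f"; then echo "OK       $f"; else echo "MISSING  $f"; rc=1; fi
    return $rc
}
if [ "${1:-}" = "--run" ]; then check_portal "$2"; fi
```

Invoke as `./check.sh --run /opt/Portal_2.1.1_bld184` on the SANnav host; for Global View, source the file and call `check_services "$GLOBALVIEW_SERVICES"`.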

Workarounds and Mitigations


References

Acknowledgement

Change History

15 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


Document Information

Modified date:
20 December 2021

Initial Publish date:
15 December 2021

UID

ibm16527216