
IBM Spectrum Scale CVE-2021-44228 eFix Readme

Fix Readme


Abstract

The IBM Spectrum Scale CVE-2021-44228 eFix readme file lists important information about installing the CVE-2021-44228 fix. The instructions for installing this fix are the same for the IBM Spectrum Scale releases 5.1.2.X, 5.1.1.X, 5.1.0.X and 5.0.5.X.

Content

# Problem Description

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to true; in prior releases (<2.10) it can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

IBM Spectrum Scale and IBM Elastic Storage System bundle Apache Log4j. Apache Log4j versions before 2.15.0 are susceptible to this vulnerability, which might allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Java logging library. By sending a specially crafted string value, an attacker might exploit this vulnerability to execute arbitrary code on the system.

A Flash has been published capturing all details with a possible remediation plan; it can be found at https://www.ibm.com/support/pages/node/6526202
# Steps to install

The GUI is the only component that uses the Apache log4j 2.13.0 library. The CVE-2021-44228 fix needs to be installed in the customer environment to remove this vulnerability. Follow these steps to apply the fix:
  1. Download the respective GUI rpm/deb package from IBM Fix Central.
     For example: Spectrum_Scale_CVE-2021-44228-5.1.2.1-2-x86_64-Linux
  2. Stop the GUI service on all cluster nodes where the GUI is running (# systemctl stop gpfsgui).
  3. Install the GUI fix on all cluster nodes where the GUI rpm is installed, using the command:
     For SLES and RHEL:
            rpm -Uvh gpfs.*.rpm
     For Ubuntu:
            dpkg -i gpfs.*.deb
  4. Start the GUI service (# systemctl start gpfsgui).
# Verification steps to check whether the GUI is pulling the correct log4j version (v2.16.0)
  1. From a cluster node, run: unzip -l /opt/ibm/wlp/usr/servers/gpfsgui/apps/ROOT.war | grep "log4j"
  2. Look for the JAR files placed inside /WEB-INF/lib.
  3. You should find exactly two libraries (JAR files):
           a. log4j-api-2.16.0.jar
           b. log4j-core-2.16.0.jar
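An added example, not part of the IBM readme, that automates the verification steps above as a POSIX shell check: it parses the `unzip -l` listing of ROOT.war, reads the version off each log4j-api and log4j-core jar under WEB-INF/lib, and fails if either is missing or if a copy at any version other than 2.16.0 is still bundled. The war path and expected version are the ones named in the readme; the sample listing is constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not part of IBM's readme: automate the verification step by
# checking that the log4j-api/log4j-core jars under WEB-INF/lib in ROOT.war
# carry the expected version. Path and version are the ones the readme names.
WAR=/opt/ibm/wlp/usr/servers/gpfsgui/apps/ROOT.war
EXPECTED=2.16.0

# check_log4j_listing EXPECTED: reads `unzip -l` output on stdin and succeeds
# only when log4j-api and log4j-core are both present at EXPECTED and no other
# version of either jar is bundled (a stale log4j-core left behind still fails).
check_log4j_listing() {
    expected="$1"; api_ok=0; core_ok=0; bad=0
    while read -r line; do
        entry="${line##* }"              # last column of `unzip -l`: the path
        case "$entry" in
            WEB-INF/lib/log4j-api-*.jar|WEB-INF/lib/log4j-core-*.jar) ;;
            *) continue ;;
        esac
        name="${entry#WEB-INF/lib/}"     # log4j-core-2.16.0.jar
        name="${name%.jar}"              # log4j-core-2.16.0
        artifact="${name%-*}"            # log4j-core
        version="${name##*-}"            # 2.16.0
        if [ "$version" = "$expected" ]; then
            if [ "$artifact" = log4j-api ]; then api_ok=1; fi
            if [ "$artifact" = log4j-core ]; then core_ok=1; fi
        else
            echo "unexpected $entry (want $expected)" >&2
            bad=1
        fi
    done
    [ "$api_ok" -eq 1 ] && [ "$core_ok" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed listing in `unzip -l` format, used only for the offline self-check.
sample_listing() {
    printf '%s\n' \
        '  Length      Date    Time    Name' \
        '---------  ---------- -----   ----' \
        '   301872  2021-12-15 10:00   WEB-INF/lib/log4j-api-2.16.0.jar' \
        '  1789769  2021-12-15 10:00   WEB-INF/lib/log4j-core-2.16.0.jar'
}

# Run against the real GUI war when it exists on this node.
if [ -f "$WAR" ]; then
    unzip -l "$WAR" | check_log4j_listing "$EXPECTED" && echo "GUI ships log4j $EXPECTED"
fi
```

Run it on each node where the GUI is installed; a non-zero exit means the fix did not land cleanly on that node.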


Document Information

Modified date:
20 December 2021

UID

ibm16528416