IBM Support

IBM Spectrum Scale Kafka CVE-2021-4104 eFix Readme

Fix Readme


Abstract

The IBM Spectrum Scale Kafka CVE-2021-4104 eFix readme file lists important information about installing the CVE-2021-4104 and CVE-2019-17571 fixes for IBM Spectrum Scale file audit logging and clustered watch folder, both of which use the vulnerable gpfs.kafka rpm. The fix patches only the components shipped in gpfs.kafka.

- For file audit logging and clustered watch folder, these instructions apply to IBM Spectrum Scale Release 5.0.5.X only.

Note: If you upgrade to a PTF before 5.0.5.12, then you need to patch file audit logging and clustered watch folder with the fix again.

Content

# Problem Description
CVE-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue affects Log4j 1.2 only when configured to use JMSAppender, which is not the default. When JMSAppender is not enabled, Kafka is not vulnerable to the attack.
CVE-2019-17571 Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When it listens for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code.
The Flash that captures all details and the possible remediation plan can be found at https://www.ibm.com/support/pages/node/6551880
# Prerequisite
The fix requires the zip and unzip package to be installed on every patching node.
# Steps to Install
For IBM Spectrum Scale file audit logging and clustered watch folder, the CVE-2021-4104 and CVE-2019-17571 fix needs to be installed in the customer environment to remove this vulnerability.

IBM Spectrum Scale File Audit Logging and Clustered Watch Folder Installation
Follow these steps to apply the fix for IBM Spectrum Scale File Audit Logging and Clustered Watch Folder:
1. Download the IBM Spectrum Scale file audit logging and clustered watch folder CVE-2021-4104 and CVE-2019-17571 eFix from IBM Fix Central. The Fix Central package is called Spectrum_Scale_Kafka_CVE-2021-4104-noarch-Linux and the fix script is called runLog4jV1Patcher.sh.
2. Stop the Zookeeper and Kafka services on all nodes.
        Stop Zookeeper:
                /usr/lpp/mmfs/bin/mmdsh -N kafkaZookeeperServers systemctl stop zookeeper.service

        Stop Kafka:
                /usr/lpp/mmfs/bin/mmdsh -N kafkaBrokerServers systemctl stop kafka.service
3. From a single node in the cluster, run the mmdsh command to list the nodes that have the gpfs.kafka rpm installed:

        /usr/lpp/mmfs/bin/mmdsh -N all rpm -q gpfs.kafka

        Then scp runLog4jV1Patcher.sh to all of the clustered watch folder and file audit logging nodes.
4. On each clustered watch folder and file audit logging node, run the runLog4jV1Patcher.sh script to check whether the JAR is patched:

        runLog4jV1Patcher.sh --check --dir /opt/kafka/kafka_<version>/libs

        For example:
        # ./runLog4jV1Patcher.sh --check --dir /opt/kafka/kafka_2.12-2.3.1/libs/
        File /opt/kafka/kafka_2.12-2.3.1/libs/log4j-1.2.17.jar is NOT patched, files found:
        org/apache/log4j/net/JMSAppender.class
        org/apache/log4j/net/SocketServer.class

        If you see the offending classes, JMSAppender.class and SocketServer.class, then you need to patch the JAR file by running the command in Step 5.
5. On each clustered watch folder and file audit logging node, run the runLog4jV1Patcher.sh script to remove the offending classes as follows:

        ./runLog4jV1Patcher.sh --dir /opt/kafka/kafka_<version>/libs

        The offending classes are removed from the JAR file used by clustered watch folder and file audit logging.
        The --dir argument must be specified; the default location of the log4j-1.2.17.jar file is /opt/kafka/kafka_<version>/libs.
6. On each clustered watch folder and file audit logging node, verify that the offending classes are removed from the JAR by running the runLog4jV1Patcher.sh script as follows:

        runLog4jV1Patcher.sh --check --dir /opt/kafka/kafka_<version>/libs

        For example:
        # ./runLog4jV1Patcher.sh --check --dir /opt/kafka/kafka_2.12-2.3.1/libs/
        File /opt/kafka/kafka_2.12-2.3.1/libs/log4j-1.2.17.jar is patched
7. Start the Zookeeper and Kafka services on all nodes.
        Start Zookeeper:
                /usr/lpp/mmfs/bin/mmdsh -N kafkaZookeeperServers systemctl start zookeeper.service

        Start Kafka:
                /usr/lpp/mmfs/bin/mmdsh -N kafkaBrokerServers systemctl start kafka.service
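As an added illustration of what the --check and patch runs in Steps 4 to 6 are described to do, the following Python example (written for this readme, not IBM's runLog4jV1Patcher.sh, which is a shell script built on the zip and unzip packages) lists the two offending class entries in a JAR and rewrites the JAR without them. The JAR it operates on is a constructed placeholder with the same entry names, not the real log4j-1.2.17.jar.

```python
import os
import tempfile
import zipfile

# The two classes the eFix removes: JMSAppender (CVE-2021-4104) and SocketServer (CVE-2019-17571).
OFFENDING_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)

def check_jar(jar_path):
    """Return the offending entries still present in the JAR; an empty list means it is patched."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
    return [cls for cls in OFFENDING_CLASSES if cls in names]

def patch_jar(jar_path):
    """Rewrite the JAR without the offending classes and return the names removed.
    The new archive is built in a temp file and swapped in with os.replace, so an
    interrupted run never leaves a truncated log4j JAR behind for Kafka to load."""
    removed = check_jar(jar_path)
    if not removed:
        return []
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename not in OFFENDING_CLASSES:
                dst.writestr(info, src.read(info.filename))  # keeps timestamps and compression
    os.replace(tmp_path, jar_path)
    return removed

def make_sample_jar(path):
    """Constructed stand-in for log4j-1.2.17.jar: placeholder bytes, not real class files."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        for cls in OFFENDING_CLASSES:
            jar.writestr(cls, b"\xca\xfe\xba\xbe placeholder")
    return path

def demo(workdir=None):
    """check -> patch -> check on the constructed JAR; returns the results plus surviving entries."""
    sample = make_sample_jar(os.path.join(workdir or tempfile.mkdtemp(), "log4j-1.2.17.jar"))
    before, removed, after = check_jar(sample), patch_jar(sample), check_jar(sample)
    with zipfile.ZipFile(sample) as jar:
        remaining = sorted(jar.namelist())
    return before, removed, after, remaining
```

Running demo() reproduces the Step 4 and Step 6 outcomes in order: both classes reported, both removed, then a clean check with the unrelated entries untouched.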

Document Information

Modified date:
28 January 2022

UID

ibm16550872