
CVE-2021-44228 - What products are vulnerable

Which ArcSight products are vulnerable to the CVE?
What is the Patch Release Program or Mitigation for the topic?

  • 0

    Good question. We need information about this topic. 

  • 0

    As far as I can see, in our environment **at least** the products and versions below are vulnerable. log4j-(core|api)-2.13.3.jar files are found on them. 

    Smartconnector 8.2 
    Logger 7.2
    ESM 7.5

  • 0 in reply to 

    Is ArcMC affected by this CVE? According to the link https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/amp/

    It mentions upgrading the log4j version to 2.15. I checked the 8.2 connector and can see it uses version 2.13.

    I have added the property mentioned in the link above to agent.wrapper.conf. Not sure if it is the right location. Any ideas?

    -Dlog4j2.formatMsgNoLookups=true

  • 0 in reply to 

    For ArcMC 3.0, there is no log4j-core (other than in the connector installed on it, in our case v8.2). 

  • 0  

    I got an answer from the ESM support how to mitigate this:
    --------------------------------
    As per your request, please be informed that only ESM 7.5 is impacted, pre-ESM 7.5 release versions are NOT impacted by this CVE.


    Please follow the guidelines below to help mitigate this vulnerability on only ESM 7.5:

    0. For ESM compact mode, please apply the steps on the manager node. For ESM distributed mode, please apply the steps on all nodes.
    1. /etc/init.d/arcsight_services stop all
    2. cd to $ARCSIGHT_HOME and do a find . -name 'log4j-core*.jar' (In ESM, the location is /opt/arcsight/manager/lib/modules/log4j-core-2.13.3.jar)
    3. cd to the directory where log4j-core* is present
    4. Back up log4j-core-*.jar to a different location, e.g. $ARCSIGHT_HOME/CVE-2021-44228
    5. Unzip log4j-core-*.jar to verify the presence of the JndiLookup class. (The command below will output the class)
       a. unzip -t log4j-core-*.jar | grep -i jndilookup
    6. Delete the file using this command:
       a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    7. Unzip the file again to confirm that the file is removed. (No output will be displayed)
       a. unzip -t log4j-core-*.jar | grep -i jndilookup
    8. /etc/init.d/arcsight_services start all


    Kindly note that only ESM mitigation steps have been approved by our security team. The other ArcSight products are still undergoing testing
    ----------------------------
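The support procedure above, as an added example that is not code from this thread or from ArcSight: a Python script that uses the standard zipfile module in place of unzip/zip to perform steps 2 and 4 to 7 (find the log4j-core jars, back each one up, strip JndiLookup.class, verify it is gone), with a constructed sample jar for a self-check. Stopping and starting the services (steps 1 and 8) and the real $ARCSIGHT_HOME path are left to the operator.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(root):
    """Step 2: every log4j-core*.jar below root (e.g. $ARCSIGHT_HOME)."""
    return sorted(str(p) for p in Path(root).rglob("log4j-core*.jar"))

def has_jndi_lookup(jar_path):
    """Steps 5 and 7: the same check as `unzip -t ... | grep -i jndilookup`."""
    with zipfile.ZipFile(jar_path) as zf:
        return any(n.lower().endswith("jndilookup.class") for n in zf.namelist())

def remove_jndi_lookup(jar_path, backup_dir):
    """Steps 4 and 6: back up, then strip JndiLookup.class; True if removed, False if already clean."""
    jar_path, backup_dir = Path(jar_path), Path(backup_dir)
    if not has_jndi_lookup(jar_path):
        return False                      # nothing to do, and any earlier backup stays intact
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(jar_path, backup_dir / jar_path.name)   # untouched copy for rollback
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if not info.filename.lower().endswith("jndilookup.class"):
                dst.writestr(info, src.read(info))   # copy every other entry as-is
    os.replace(tmp, jar_path)   # same file name, so the classpath still resolves
    return not has_jndi_lookup(jar_path)   # step 7: verify before restarting services

def self_check():
    """Constructed sample, not a real jar: a fake log4j-core-2.13.3.jar with a placeholder JndiLookup.class."""
    root = Path(tempfile.mkdtemp()); lib = root / "manager/lib/modules"; lib.mkdir(parents=True)
    jar = lib / "log4j-core-2.13.3.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe")
    backup = root / "CVE-2021-44228"
    result = {"found": find_log4j_core_jars(root) == [str(jar)],
              "vulnerable_before": has_jndi_lookup(jar), "removed": remove_jndi_lookup(jar, backup)}
    result["clean_after"] = not has_jndi_lookup(jar)
    result["backup_kept"] = has_jndi_lookup(backup / jar.name)
    with zipfile.ZipFile(jar) as zf:
        result["other_classes_kept"] = "org/apache/logging/log4j/core/lookup/StrLookup.class" in zf.namelist()
    result["second_run_noop"] = remove_jndi_lookup(jar, backup) is False
    shutil.rmtree(root)
    return result
```

Run `self_check()` to exercise the whole flow on the constructed jar; on a real host call `remove_jndi_lookup` for each path returned by `find_log4j_core_jars`, with the services stopped.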

  • 0

    Thanks Alex.

    I opened a case regarding the CVE but I didn't receive any answer yet.

    In our environment we also installed Transformation Hub and Recon, so if anyone got news regarding these products please share.

  • 0   in reply to 

    Besides the ESM case, I also opened a case for Logger 7 and SmartConnector 8.1.
    When I get a statement for these products I'll share it.

  • 0

    Did anyone get mitigation recommendations for SmartConnector yet?

  • 0   in reply to   

    Case response for SmartConnector 8.1:
    Regarding your concern, please be informed that SmartConnector version 8.1 is not affected by CVE-2021-44228. However, SmartConnector version 8.2 is currently under our investigation and might be affected.

    Our security and dev team are aware of this CVE and currently working on it.

    In the meantime, please consider staying at version 8.1 and stop any plan for upgrading to a later version until we have new information or an update for this CVE.