Which ArcSight products are vulnerable to the CVE?
What is the Patch Release Program or Mitigation for the topic?
I got an answer from ESM support on how to mitigate this:
--------------------------------
As per your request, please be informed that only ESM 7.5 is impacted; pre-ESM 7.5 release versions are NOT impacted by this CVE.
Please follow the guidelines below to help mitigate this vulnerability on ESM 7.5 only:
0. For ESM compact mode, please apply the steps on the manager node. For ESM distributed mode, please apply the steps on all nodes.
1. /etc/init.d/arcsight_services stop all
2. cd to $ARCSIGHT_HOME and do a find . -name 'log4j-core*.jar' (In ESM, the location is /opt/arcsight/manager/lib/modules/log4j-core-2.13.3.jar)
3. cd to the directory where log4j-core* is present
4. Back up log4j-core-*.jar to a different location, e.g. $ARCSIGHT_HOME/CVE-2021-44228
5. Unzip log4j-core-*.jar to verify the presence of the JndiLookup class. (The command below will output the class)
a. unzip -t log4j-core-*.jar | grep -i jndilookup
6. Delete the file using this command
a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
7. Unzip the file again to confirm that the file is removed. (No output will be displayed)
a. unzip -t log4j-core-*.jar | grep -i jndilookup
8. /etc/init.d/arcsight_services start all
Kindly note that only the ESM mitigation steps have been approved by our security team. The other ArcSight products are still undergoing testing.
----------------------------
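The support steps above are typed by hand per node; on a distributed ESM you repeat them on every node, and you want a read-only check afterwards that no log4j-core jar still carries the class. The script below is an added example, not from the support team or the ArcSight product, that does steps 2 and 4 to 7 with Python's zipfile instead of zip/unzip: find every log4j-core jar under a root, take a backup, rewrite the jar without JndiLookup.class, and report which jars still contain it. It assumes the services are already stopped (steps 1 and 8 are not scripted), that the root is $ARCSIGHT_HOME, and that the backup directory lives under that root as in step 4, so the finder excludes it. The sample tree it builds is a constructed fixture with placeholder bytes, not a real ESM install or real class files.

```python
#!/usr/bin/env python3
"""Audit and optionally remediate log4j-core jars: locate each jar, back it
up, remove JndiLookup.class, and re-check that the class is gone."""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# The entry the support steps remove with `zip -q -d`
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root, exclude=None):
    """Equivalent of `find . -name 'log4j-core*.jar'` under root.
    Jars below `exclude` (the backup directory) are skipped so that a
    backup placed under $ARCSIGHT_HOME is not treated as a live jar."""
    exclude = Path(exclude) if exclude is not None else None
    jars = []
    for p in sorted(Path(root).rglob("log4j-core*.jar")):
        if exclude is not None and exclude in p.parents:
            continue
        jars.append(p)
    return jars


def has_jndi_lookup(jar):
    """Equivalent of `unzip -t ... | grep -i jndilookup`: True if present."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar, backup_dir):
    """Back up the jar (step 4) and rewrite it without JndiLookup.class (step 6).
    Returns True if the class was removed, False if it was already absent."""
    jar = Path(jar)
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / jar.name
    if not backup.exists():  # keep the first (original) copy on re-runs
        shutil.copy2(jar, backup)
    if not has_jndi_lookup(jar):
        return False
    # zipfile cannot delete an entry in place, so copy every other entry to a
    # temporary archive next to the jar and atomically swap it in.
    fd, tmp_name = tempfile.mkstemp(dir=jar.parent, suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp_name, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_name, jar)
    return True


def audit_tree(root, backup_dir=None):
    """Map each live log4j-core jar under root to whether it STILL contains
    JndiLookup. With backup_dir given, the class is stripped first; without
    it the function is the read-only check of steps 5 and 7."""
    results = {}
    for jar in find_log4j_core_jars(root, exclude=backup_dir):
        if backup_dir is not None:
            strip_jndi_lookup(jar, backup_dir)
        results[str(jar)] = has_jndi_lookup(jar)
    return results


def make_sample_tree():
    """Constructed fixture (not a real ESM install): a temp tree holding one
    log4j-core jar whose entries are placeholder bytes, not real classes."""
    root = tempfile.mkdtemp(prefix="arcsight-sample-")
    lib = Path(root) / "lib" / "modules"
    lib.mkdir(parents=True)
    jar = lib / "log4j-core-2.13.3.jar"
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    return root, str(jar)


if __name__ == "__main__":
    # Real use, with services stopped:
    #   audit_tree(os.environ["ARCSIGHT_HOME"],
    #              backup_dir=os.environ["ARCSIGHT_HOME"] + "/CVE-2021-44228")
    root, _ = make_sample_tree()
    print("before:", audit_tree(root))
    print("after: ", audit_tree(root, backup_dir=Path(root) / "CVE-2021-44228"))
```

Calling audit_tree with no backup_dir is safe to run repeatedly on every node as the post-mitigation check; any jar mapped to True is one where step 6 has not yet been applied. The backup directory is excluded from the search on purpose, since the support steps put it under $ARCSIGHT_HOME where the original find would otherwise report the untouched backup copy as a live, still-vulnerable jar.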
Case response for SmartConnector 8.1:
Regarding your concern, please be informed that SmartConnector version 8.1 is not affected by CVE-2021-44228. However, SmartConnector version 8.2 is currently under investigation and might be affected.
Our security and dev teams are aware of this CVE and are currently working on it.
In the meantime, please consider staying on version 8.1 and stop any plan to upgrade to a later version until we have new information or an update for this CVE.
Case response for Logger 7.0:
Please be informed that Logger 7.0 is not affected by CVE-2021-44228. However, Logger version 7.2 and higher might be affected.
Our internal team is aware of this CVE and currently working on it. In the meantime, please avoid unnecessary upgrades until we have a new update regarding this.