Network Automation (NA) - Log4j CVE-2021-44228, CVE-2021-45105 impact update

Based upon analysis that Micro Focus has done regarding Network Automation (NA), NA is not impacted by CVE-2021-44228, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832.

Regarding CVE-2021-4104, which some sources report as equivalent to CVE-2021-44228: NA has never used the JMS Appender logic that this issue requires. CVE-2021-4104 has since been deemed a local code execution issue.

NA ships log4j-core 2.x only in the following situation:

The Embedded PostgreSQL migration toolkit, used by customers on the embedded DB to migrate from PostgreSQL 9.5.x to PostgreSQL 12.x.

This toolkit is placed on the customer system at “<NA_HOME>/PgUpgrade/” (or the equivalent path on Windows) only if the environment meets both of the following criteria:

1. NA is using Embedded PostgreSQL and
2. NA was upgraded from any release earlier than 2020.11 to any release >= 2020.11.

For customers who have this file placed on their system:
All customers can ignore it. NA is not impacted by this.
In case there are concerns about scanners finding the JAR:
For those who have already upgraded their PostgreSQL to 12.x, this tool is no longer needed, and the package can simply be deleted: if the file exists, delete <NA_HOME>/PgUpgrade/lib/log4j-core.jar (or the equivalent path on Windows).
Customers who have yet to upgrade Embedded PostgreSQL to version 12.x can safely run the toolkit for the upgrade, then delete the file as indicated above once the upgrade has completed successfully.

Additional useful steps:
Steps to confirm the version of PostgreSQL used by NA:
Log in to the NA UI.
NA UI -> Admin Menu -> System Status -> “Database Monitor” -> “run now”, and in the output confirm the following strings:

Database type: Postgres
Database vendor: PostgreSQL
Database version: 12.X

Steps to check the version of NA:
Log in to the NA UI.
Help Menu -> About Network Automation
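The two checks above (is the PgUpgrade JAR present, and has the embedded database already reached 12.x according to the Database Monitor output) can be scripted so that the JAR is only removed once the toolkit is genuinely no longer needed. This is an added example, not Micro Focus code; the Database Monitor text is a constructed sample, and reading the log4j release from the JAR manifest (Log4jReleaseVersion / Implementation-Version) is an assumption about how the JAR is packaged, not something the advisory states.

```python
"""Assess and, when safe, remove <NA_HOME>/PgUpgrade/lib/log4j-core.jar (added example)."""
import re
import zipfile
from pathlib import Path
from typing import Optional

# Relative location of the JAR as given in the advisory.
JAR_REL_PATH = Path("PgUpgrade") / "lib" / "log4j-core.jar"


def parse_database_monitor(output: str) -> dict:
    """Pull the 'Database type/vendor/version' lines out of a Database Monitor report."""
    fields = {}
    for m in re.finditer(r"^Database (type|vendor|version):\s*(\S+)", output, re.M):
        fields[m.group(1)] = m.group(2)
    return fields


def embedded_postgres_upgraded(fields: dict) -> bool:
    """True when the embedded DB reports PostgreSQL at major version 12 or later."""
    if fields.get("vendor") != "PostgreSQL":
        return False
    major = fields.get("version", "").split(".")[0]
    return major.isdigit() and int(major) >= 12


def log4j_version(jar: Path) -> Optional[str]:
    """Report the log4j release recorded in the JAR manifest (assumed manifest keys)."""
    with zipfile.ZipFile(jar) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^(?:Log4jReleaseVersion|Implementation-Version):\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def assess(na_home: Path, monitor_output: str) -> str:
    """Return 'absent', 'keep' (toolkit still needed) or 'remove' (PostgreSQL already 12.x)."""
    jar = na_home / JAR_REL_PATH
    if not jar.is_file():
        return "absent"
    if embedded_postgres_upgraded(parse_database_monitor(monitor_output)):
        return "remove"
    return "keep"  # still needed for the 9.5.x -> 12.x migration; delete after upgrading


def remove_if_safe(na_home: Path, monitor_output: str) -> bool:
    """Delete the JAR only when the advisory's condition (PostgreSQL already 12.x) holds."""
    if assess(na_home, monitor_output) != "remove":
        return False
    (na_home / JAR_REL_PATH).unlink()
    return True
```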

___________________________________________________________________________________

For information about the containerized components of NOM, see the bulletin:
NOM (Containerized) - log4j CVE-2021-44228, CVE-2021-45046
https://portal.microfocus.com/s/article/KM000003346

For the consolidated document on this potential vulnerability in the Apache log4j library used by Micro Focus (impacted and non-impacted ITOM products), please refer to
https://portal.microfocus.com/s/article/KM000003457
