DSA-2021-289: Dell EMC Cloud Disaster Recovery Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832)

Impact

Critical

Details

Affected Products and Remediation

Workarounds and Mitigations

Workarounds and Mitigations provided below are applicable only for versions 19.6.0.3 and 19.7.0.3.

For CDRA - On premise virtual machine:

1. SSH to CDRA VM using cdr user.

2. Create cdra_log4jfix.sh in /tmp/ directory with the following content:

3. Run the following commands:

• dos2unix /tmp/cdra_log4jfix.sh

• chmod +x /tmp/cdra_log4jfix.sh

• sudo /tmp/cdra_log4jfix.sh

For CDRS Deployed on cloud (AWS, AZURE, AWS GOV, or AZURE GOV)

1. Log in to the CDRS VM over SSH. For assistance in accessing CDRS over SSH, contact Dell Support.

2. Create cdrs_log4jfix.sh in /tmp/ directory with the following content:

#! /bin/sh
cdr_backup()
{
  mkdir -p /tmp/cdr_backup
  cp /home/cdr/executable /tmp/cdr_backup/executable.bak
  cp /home/cdr/resources/restore_service.tar.gz /tmp/cdr_backup/restore_service.tar.gz.bak
  cp /home/cdr/lib/cdrs_main.jar /tmp/cdr_backup/cdrs_main.jar.bak
}
update_executable()
{
  echo "Updating CDRS executable."
  sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/executable
}
update_restore_service()
{
  L_CDR_VER=$1
  echo "Updating restore_service.jar."
  BASE_PATH=/home/cdr/resources
  cd $BASE_PATH
  gunzip restore_service.tar.gz
  tar -xvf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  if [[ ${L_CDR_VER} =~ 19\.[6-9] ]]; then
     zip -q -d lib_${L_CDR_VER}/restore_service.jar shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
  fi
  zip -q -d lib_${L_CDR_VER}/restore_service.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  tar --delete -f restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  tar -uf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  rm -rf lib_${L_CDR_VER}
  gzip restore_service.tar
}
update_cdrs_main()
{
  echo "Updating cdrs_main.jar."
  LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
  echo "Stopping CDR service."
  sudo service cdrd stop
  cd /home/cdr/lib/
  mkdir -p BOOT-INF/lib
  unzip -p cdrs_main.jar $LOG4J_JAR_FILE_LOCATION > $LOG4J_JAR_FILE_LOCATION
  zip -q -d $LOG4J_JAR_FILE_LOCATION org/apache/logging/log4j/core/lookup/JndiLookup.class
  zip -u -0 -n *.jar cdrs_main.jar $LOG4J_JAR_FILE_LOCATION
  rm -rf BOOT-INF
  echo "Starting CDR service. This may take a few minutes."
  sudo service cdrd start
  for i in {1..10}
  do
    sleep 30
    echo "Checking CDR service status..."
    RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
    if [[ "$RESP_CODE" == 200 ]]; then
      echo "CDR service started successfully."
      return 0
    fi
  done
  echo "Failed to run CDR service. Please contact Dell Support."
  exit 1
}
main()
{
   cdr_backup
   CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
   echo "CDR version is : $CDR_VER"
   if [[ $CDR_VER =~ 19\.[6-9] ]]; then
      update_executable
      update_restore_service $CDR_VER
      update_cdrs_main
    elif ([[ $CDR_VER =~ 19\.[2-5] ]] || [[ $CDR_VER =~ 19\.1\.[0-9] ]]); then
      update_restore_service $CDR_VER
    else
      echo "This script is applicable only for CDR versions between 19.1 and 19.9."
      exit 1
    fi
    rm -rf /tmp/cdr_backup
}
main

3. Run the following commands:

• dos2unix /tmp/cdrs_log4jfix.sh
• chmod +x /tmp/cdrs_log4jfix.sh
• sudo /tmp/cdrs_log4jfix.sh

Revision History

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide