Security Vulnerability CVE-2021-44228 (Log4Shell)

The information in this article is correct as of December 16th 2021.

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

The complete range of CTERA’s products and services have been checked for the Log4J2 Zero Day Vulnerably (also known as Log4Shell). The following CTERA security advisory describes the steps that are need to deal with this vulnerability.

Non-Affected CTERA Products

All versions of CTERA Edge Filer, CTERA Mobile, and CTERA Drive (Agent) are not affected.

Affected CTERA Products

The following describes the CTERA products that can be affected by the Log4Shell vulnerability and the steps required to remediate this vulnerability:

• CTERA Portal: CTERA Portals using a Preview Server are affected. Execute the following command on the preview server to mitigate the vulnerability:
  zip -q -d /usr/share/prizm/libs/javaservices/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  After running the above command restart the preview server: portal.sh pcc_restart
  Or, for portal versions below 6.1.1170: ctera.sh pcc_restart
• CTERA Portal Syslog Client: If the syslog client module is enabled on CTERA Portal 6.1 or later, there is a potential exposure to Denial of Service and information leakage, but no known exposure to remote code execution (RCE). Mitigation requires upgrading LogStash. To upgrade LogStash:
  • With Internet access, edit the following two files on each CTERA Portal server and change "version" from "7.6.0" to "7.16.1":
    /usr/local/ctera/data/syslog/logstash/Dockerfile
    /usr/local/lib/ctera/syslog/logstash/Dockerfile
    
    And then execute the following two commands:
    docker-compose -f /usr/local/lib/ctera/syslog/docker-compose.yml down
    docker-compose -f /usr/local/lib/ctera/syslog/docker-compose.yml up -d --build
    
    
  • If you do not have internet access, download the Syslog archive, exported_images.tar.gz from https://cti.ctera.com/invitations?share=73a5de8afeff17ca8b14, to a local folder on the portal machine and run the following commands on all servers (including main, Replica, DB, and Preview servers):
    portal-syslog-client load_images <images_archive_path> where images_archive_path is the path to the local folder where you copied the archive file.
    portal-syslog-client restart
    
    Or, for portal versions below 6.1.1170:
    ctera-syslog-client load_images <images_archive_path> where images_archive_path is the path to the local folder where you copied the archive file.
    ctera-syslog-client restart
• CTERA Insight: The CTERA Insight Proxy is affected. Execute the following commands on the CTERA Insight proxy server if you have Internet access:
  sed -i.bu_l4j 's|7.5.1|7.16.1|g' /opt/ctera/insight/deploy/proxy/docker-compose.yml
  docker-compose -f /opt/ctera/insight/deploy/proxy/docker-compose.yml --project-directory /opt/ctera/insight/deploy/proxy/ down
  docker-compose -f /opt/ctera/insight/deploy/proxy/docker-compose.yml --project-directory /opt/ctera/insight/deploy/proxy/ up -d --build
  
  If you do not have internet access, contact CTERA Support. 
• VMware vCenter: CTERA customers using VMWare vCenter are advised to check if their VMware environment is impacted, for more information refer to the VMware advisory VMSA-2021-0028.

For more information regarding this vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Related Articles

Vulnerability Remediation