NetIM 2.x : Mitigation for Apache's Log4j Exploit (CVE-2021-44228 and CVE-2021-45046)

NetIM 2.x : Mitigation for Apache's Log4j Exploit (CVE-2021-44228 and CVE-2021-45046)

On Dec 9, a remote code execution vulnerability in Apache log4j was announced.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
 

The fix for CVE-2021-44228 and CVE-2021-45046 vulnerability is available in form of NetIM Virtual Appliance Edition GA 2.4.0-patch1.

In order to install the patch release, NetIM must be running version 2.4.0. If you are running earlier version of NetIM, please update to 2.4.0 first and then install the below patch.

Kindly refer to Riverbed Support Site to determine the appropriate update path and download the respective iso's to update to 2.4.0. 

Example : Update path from 2.1.0 to 2.4.0:

2.1.0  →  2.2.0  →  2.3.0  →  2.3.1  →  2.4.0 

Images published at:

• netim_core_update_240_1189.iso - https://support.riverbed.com/bin/support/download?sid=tu2c2j02gkrrg288jkj3vulvfq (Checksum : netim_core_update_240_1189.sha256 )
• netim_microservices_update_240_1294.iso - https://support.riverbed.com/bin/support/download?sid=om5vvblfbtaarkvb2b1be8luth (Checksum : netim_microservices_update_240_1294.sha256 )

Deploying the NetIM ISO 2.4.0-patch1 updates to an existing NetIM 2.4.0 installation

1. Download the two update ISO :

•         Two ISO files are provided:

 
2. Upload the microservices update ISO file to your NetIM 2.4.0 manager VM’s update folder (/home/netimadmin/update) by using the scp command on Linux or an application such as WinSCP on Windows.

•         Linux scp command example:

3. After the upload of the microservices update ISO file has successfully completed, login to the NetIM manager VM as netimadmin and run the command "update”.

4. Follow the instructions provided by the “update” command and enter the requested input to complete the update of the NetIM manager, worker(s), and data managers.

5. After successful completion of the update process on all swarm components, you will be asked if you want to delete the Microservices Update and informed that the update requires a reboot of the system. After the system reboots, all swarm services will start automatically.

6. (Optional) After completing your update to NetIM 2.4.0-patch1 microservices and ensuring that all required swarm services are up, you can optionally run the following script on the NetIM 2.4.0-patch1 swarm manager to remove any stale model components that may have accumulated in prior releases:

•         While logged in to your swarm manager as netimadmin in the netimsh shell, drop into the bash shell by entering:

•         Change to the common directory by entering:

•         Execute the reset and remap script by entering:

The core model will be remapped to current model components and any stale model components will be removed from Elasticsearch index.  When complete, the script will print out a message that the “Remap process has completed.”

•         Exit from the bash shell and return to the netimsh by entering:

7. Upload the core update ISO file to your NetIM 2.4.0 core VM’s update folder (/home/netimadmin/update) by using the scp command on Linux or WinSCP on Windows.

•         Linux scp command example.

8. After the upload of the core update ISO file has completed, login to the NetIM core VM as netimadmin and run the command "update".

9. Follow the instructions and enter the required input to complete the update of NetIM core.

10. After successful completion of the update process on core, you will be asked if you want to delete the Core Update and informed that the update requires a reboot of the system. After the system reboots, all swarm services will start automatically.

11. You can now login to NetIM by pointing your browser to https://<netim-core-hostname or IP address>:8543.

Note:  Log files generated by the swarm microservices and core update processes are stored in the /home/netimadmin/update/log/<iso_file_name>.log directory.