UCXpert : Mitigation for Apache's Log4j Exploit (CVE-2021-44228 , CVE-2021-45046, CVE-2021-45105)

Solution Number:
S35646
Last Modified:
2021-12-21
Solution
UCX release 7.6 uses Log4j 2. A software fix that addresses CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 is available as of Dec. 20, 2021. Until it is published on the support site, you can download the patch from the attachments section of this KB article.

The directions for applying the patch are below. (The zip file also contains a README file with the same directions.)

1. Unzip the attachment and upload all 3 jar files to the /tmp directory:
log4j-1.2-api-2.17.0.jar,
log4j-api-2.17.0.jar,
log4j-core-2.17.0.jar

2. Stop services:
service ucxpert stop

3. Delete existing log4j jars:
rm /opt/ucxpert/tomcat/lib/log4j-1.2-api-2.14.0.jar
rm /opt/ucxpert/tomcat/lib/log4j-api-2.14.0.jar
rm /opt/ucxpert/tomcat/lib/log4j-core-2.14.0.jar

4. Copy new log4j jars:
cp /tmp/log4j-1.2-api-2.17.0.jar /opt/ucxpert/tomcat/lib
cp /tmp/log4j-core-2.17.0.jar /opt/ucxpert/tomcat/lib
cp /tmp/log4j-api-2.17.0.jar /opt/ucxpert/tomcat/lib

5. Update ownership:
chown ucxpert:ucxpert /opt/ucxpert/tomcat/lib/log4j*.jar

6. Restart services:
service ucxpert start
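The six steps above, collected into one POSIX shell script as an added example (this is not the KB article's or Riverbed's own script). It assumes the three 2.17.0 jars have already been staged in a directory, and it adds two checks the manual steps do not spell out: it refuses to remove anything until all three replacement jars are present, and after copying it confirms that 2.17.0 is the only Log4j version left in the Tomcat lib directory. The default paths, the old version 2.14.0, the ucxpert:ucxpert owner and the ucxpert service name are the ones given in the article; the staging and lib directories and the service name are parameters so the script can be exercised against scratch directories.

```shell
#!/bin/sh
# Added example, not part of the KB article: scripted Log4j jar replacement
# for UCXpert 7.6 with a pre-check and a post-check around steps 1-6.

LOG4J_MODULES="log4j-1.2-api log4j-api log4j-core"

# jars_present DIR VERSION: succeed only if all three module jars for VERSION exist in DIR
jars_present() {
    dir=$1; ver=$2
    for m in $LOG4J_MODULES; do
        [ -f "$dir/$m-$ver.jar" ] || return 1
    done
    return 0
}

# installed_log4j_versions DIR: print each Log4j version found in DIR, one per line
installed_log4j_versions() {
    ls "$1"/log4j-*-[0-9]*.jar 2>/dev/null \
        | sed 's/.*-\([0-9][0-9.]*\)\.jar$/\1/' | sort -u
}

# apply_log4j_patch STAGING LIBDIR OLD_VER NEW_VER [OWNER] [SERVICE]
# OWNER and SERVICE are optional so the function can be run without root
# against scratch directories; on the appliance pass ucxpert:ucxpert ucxpert.
apply_log4j_patch() {
    staging=$1; libdir=$2; old=$3; new=$4; owner=$5; svc=$6

    # Step 1 check: do not touch the lib directory until the full set of new jars is staged
    if ! jars_present "$staging" "$new"; then
        echo "missing $new jars in $staging; nothing changed" >&2
        return 1
    fi

    # Step 2: stop services
    [ -n "$svc" ] && service "$svc" stop

    # Step 3: delete the existing (vulnerable) jars
    for m in $LOG4J_MODULES; do
        rm -f "$libdir/$m-$old.jar"
    done

    # Step 4: copy the new jars
    for m in $LOG4J_MODULES; do
        cp "$staging/$m-$new.jar" "$libdir/" || return 1
    done

    # Step 5: update ownership
    [ -n "$owner" ] && chown "$owner" "$libdir"/log4j*.jar

    # Step 6: restart services
    [ -n "$svc" ] && service "$svc" start

    # Post-check: the new jars are in place and no other Log4j version remains
    jars_present "$libdir" "$new" || return 1
    [ "$(installed_log4j_versions "$libdir")" = "$new" ]
}

# Usage on the appliance (article paths), as root:
#   apply_log4j_patch /tmp /opt/ucxpert/tomcat/lib 2.14.0 2.17.0 ucxpert:ucxpert ucxpert
```

Running `installed_log4j_versions /opt/ucxpert/tomcat/lib` before and after the patch is a quick way to record what was replaced; a leftover 2.14.0 jar (for example one with a different name than the three listed) would show up as a second version line and should be investigated before the service is restarted.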

NOTE: Prior to release 7.6, UCX used Log4j 1.x, which is the subject of CVE-2021-4104: https://cve.report/CVE-2021-4104
CVE-2021-4104 affects Log4j 1.2 only when it is specifically configured to use JMSAppender, which is not the default.
Although UCX versions prior to 7.6 use Log4j 1.x, they are not configured to use the JMSAppender and are therefore not vulnerable.
Environment
Steelcentral UCExpert
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
Log4j Vulnerability