RSA Authentication Manager response to log4j vulnerabilities; CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2022-23305...
2 months ago
Article Number
000067862
Applies To

All log4j and its .jar files, and their vulnerabilities including CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2022-23305

Issue
The version of log4j used by Authentication Manager and Web Tier, log4j-1.2.12rsa-2.jar, is not vulnerable to any of these exploits. However, vulnerability scans are reporting:

1. Copies of potentially vulnerable log4j 2.x files left behind in the Authentication Manager installation by Oracle WebLogic. These files can be deleted in AM 8.6 P1 (open a Support Case for details on how to do this), and they will no longer exist once AM 8.6 P2 is released, scheduled for Feb. 22, 2022.
2. False positives on log4j-1.2.12rsa-2.jar. Details of why this file is not vulnerable are provided in this KB.
CVE Identifier(s)
CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2022-23305
Article Summary

This Security Knowledge Base (KB) article provides additional details and remediation for the RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) published on RSA Community.

Alert Impact
Not Applicable
Alert Impact Explanation

Authentication Manager and its Web Tiers use a custom version of log4j, log4j-1.2.12rsa-2.jar. They do not use an impacted version of log4j2 and therefore do not need any of the standard log4j .jar files that ship with Oracle WebLogic, so those files can be deleted, e.g. log4j_2.11.1.0.0.jar, log4j-1.2.17.jar and log4j-1.2.16.jar.

RSA only uses a customized .jar file, log4j-1.2.12rsa-2.jar, that eliminates unnecessary and vulnerable features of log4j 1.x and includes other fixes from the open source community for log4j, making the RSA version not vulnerable to any known issue. Specifically:

  1. CVE-2021-44228 says that exploitable LDAP and JNDI lookups can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath. However, this exploitable lookup capability was never available in log4j 1.x or in RSA's log4j-1.2.12rsa-2.jar, so the RSA Engineering response is that the flaw does not exist.

  2. CVE-2021-45046 says that exploitable behavior can be mitigated in prior releases (earlier than 2.16.0) by removing the JndiLookup class from the classpath. However, the JndiLookup class was never available in any version of log4j 1.x, including RSA's log4j-1.2.12rsa-2.jar, so the RSA Engineering response is that the flaw does not exist.

  3. The RSA version log4j-1.2.12rsa-2.jar does not include the JMSAppender class (which is present in stock Apache log4j 1.2.x, e.g. 1.2.17), so it is not vulnerable to the deserialization of untrusted data that was broadly reported through CVE-2021-4104.

  4. The RSA log4j-1.2.12rsa-2.jar version does not use the SocketServer class and does not open any remote port/socket for external connections that could pass log messages, and therefore is not vulnerable to the deserialization of untrusted data over remote logging connections reported in CVE-2019-17571.

  5. Regarding editing the classpath or removing classes: stock Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data (CVE-2019-17571); as stated above, no SecurID component uses it. Stock Log4j 1.2 also includes JMSAppender, which is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration (CVE-2021-4104); no SecurID component uses it, and exploiting it would in any case require the threat actor to already have root privilege (i.e., write access to server files).

     Therefore CVE-2019-17571 and CVE-2021-4104 are not vulnerabilities for AMIS, Web Tier or Authentication Manager, and any reference to SocketServer, net/JMSAppender.class and net/SocketServer.class can be removed.

  6. The RSA log4j-1.2.12rsa-2.jar version does not include the JDBCAppender class and therefore is not vulnerable to the SQL injection reported in CVE-2022-23305.
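The argument above for each CVE is the absence of a specific class from the jar, which a filename-based scanner rule such as "log4j-1.2.*" cannot see. The following is an added example, not RSA's own tooling: it opens a jar as a zip archive and reports which of the classes discussed above are actually present, so a hit on log4j-1.2.12rsa-2.jar can be verified by content before it is closed as a false positive. The class paths are the standard Apache package paths for each class; the two jars the script builds are constructed stand-ins for the RSA jar and the leftover Oracle jar, not the real files.

```python
"""Triage a log4j jar by the classes it contains rather than by its filename."""
import os
import tempfile
import zipfile

# Class entries that scanners flag, mapped to the CVE each one underlies,
# as discussed in the KB text above. The list is deliberately limited to those CVEs.
RISKY_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": ["CVE-2021-44228", "CVE-2021-45046"],
    "org/apache/log4j/net/JMSAppender.class": ["CVE-2021-4104"],
    "org/apache/log4j/net/SocketServer.class": ["CVE-2019-17571"],
    "org/apache/log4j/jdbc/JDBCAppender.class": ["CVE-2022-23305"],
}


def triage_jar(path):
    """Return (generation, findings) for one jar.

    generation: "log4j2", "log4j1" or "unknown", decided by the package prefix of the
                entries (log4j 2.x lives under org/apache/logging/log4j/, 1.x under org/apache/log4j/)
    findings:   {class entry: [CVEs]} for every risky class actually present
    """
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    if any(n.startswith("org/apache/logging/log4j/") for n in names):
        generation = "log4j2"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        generation = "log4j1"
    else:
        generation = "unknown"
    findings = {cls: cves for cls, cves in RISKY_CLASSES.items() if cls in names}
    return generation, findings


def build_sample_jar(path, entries):
    """Write a constructed jar containing the given entry names (placeholder bodies, not bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo(workdir=None):
    """Build two constructed jars, triage both, and return {jar name: (generation, findings)}."""
    workdir = workdir or tempfile.mkdtemp()
    # Stand-in for the RSA jar: log4j 1.x packages, none of the flagged classes.
    stripped = os.path.join(workdir, "log4j-1.2.12rsa-2.jar")
    build_sample_jar(stripped, [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/FileAppender.class",
    ])
    # Stand-in for the leftover Oracle jar: log4j 2.x packages including JndiLookup.
    stock2 = os.path.join(workdir, "log4j-2.11.1.jar")
    build_sample_jar(stock2, [
        "org/apache/logging/log4j/core/lookup/JndiLookup.class",
        "org/apache/logging/log4j/core/Logger.class",
    ])
    return {os.path.basename(p): triage_jar(p) for p in (stripped, stock2)}


if __name__ == "__main__":
    for jar, (gen, findings) in demo().items():
        verdict = "flagged classes present" if findings else "no flagged classes"
        print(f"{jar}: {gen}; {verdict}; {sorted(findings)}")
```

On an appliance the same check is a listing of the jar (for example with unzip -l) filtered for the four class names; record that listing with the scanner ticket, since the absence of the class is the page's evidence for each CVE. A jar that does contain one of these classes needs the vendor's removal steps, not a scanner exception.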
     
Resolution

Authentication Manager, Web Tier and AMIS / AM Prime (PSAMIS-556) all use RSA log4j-1.2.12rsa-2.jar, which is not vulnerable.

Notes

For AM 8.6 P2, changes have been made to remove these files as part of the upgrade, so no manual steps are necessary for P2.

 

For AM 8.6 P1, see the Engineering document AM-86-P1-Log4J2-File-Removal-Instructions.docx, which explains how to delete these files.


Removing Log4J 2.x libraries from SecurID Authentication Manager 8.6 P1

Article Number
000067862


Applies To

  • RSA Product Set: SecurID
  • RSA Product/Service Type: Authentication Manager
  • RSA Version/Condition: 8.6 Patch 1


Issue
This article provides information on how to manually remove embedded log4j library files from SecurID Authentication Manager 8.6 Patch 1. This version contains copies of the libraries that could be identified as being vulnerable as mentioned in RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228). The Log4j2 files have the following names:
 

  • /opt/rsa/am/appserver/wls/oracle_common/modules/thirdparty/log4j-2.11.1.jar
  • /opt/rsa/am/appserver/wls/.patch_storage/.../log4j-2.11.1.jar

 

Depending on the upgrade history, one or more copies of the file may be located within the “.patch_storage” directory.



Task
The following steps remove the log4j-2 files from SecurID Authentication Manager:

  1. Make sure you have an up-to-date backup file or virtual machine snapshot.
  2. Enable secure shell (SSH) access to your Authentication Manager appliance through the SecurID Operations Console.
  3. Use SSH to log on to the appliance as 'rsaadmin'.
  4. The following commands change to the server directory and remove the unused Log4j2 files:

cd /opt/rsa/am/appserver/wls
find . -name log4j-2.11.1.jar -type f -exec rm -i {} \;

The second command locates each copy of the library and asks you to confirm its removal; more than one copy may be present depending on the update history. Note the syntax of the command carefully: the file test is -type f, and the escaped \; terminates the -exec action.

On web-tier servers, the location of the files is relative to the installation directory instead of /opt/rsa/am.

  5. Log out from SSH and disable SSH access in the SecurID Operations Console.

Notes:

  • The server does not need to be restarted; the files are not used.
  • The above tasks need to be repeated on each replica instance and web-tier server.
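The locate-and-remove step above as a small script, added here as an example and not RSA's tooling. It walks the wls directory including hidden directories such as .patch_storage (as find(1) does), records the SHA-256 of every log4j-2.11.1.jar before deleting it so the change record shows exactly what was removed from each instance, does a dry run first, and leaves log4j-1.2.12rsa-2.jar untouched. The directory tree it builds is constructed, and the patch directory name under .patch_storage is a placeholder, not a real Oracle patch id. For web-tier servers, pass the installation directory as root instead of /opt/rsa/am/appserver/wls.

```python
"""Locate every leftover log4j-2.11.1.jar under a server tree and remove it with an audit record."""
import hashlib
import os
import tempfile

TARGET_NAME = "log4j-2.11.1.jar"   # the file named in the KB


def sha256_of(path):
    """Hash the file so the change record identifies exactly what was deleted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_leftovers(root, name=TARGET_NAME):
    """Return every regular file called `name` below root, sorted.

    os.walk descends into hidden directories such as .patch_storage and does not
    follow symlinked directories; symlinks named like the target are skipped too.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                hits.append(p)
    return sorted(hits)


def remove_leftovers(root, dry_run=True):
    """Delete each hit (unless dry_run) and return (path, sha256, removed) tuples."""
    record = []
    for p in find_leftovers(root):
        digest = sha256_of(p)
        if not dry_run:
            os.remove(p)
        record.append((p, digest, not dry_run))
    return record


def build_sample_tree(root):
    """Constructed layout mirroring the two locations named in the KB; not a real install.
    The patch directory name is a placeholder, not a real Oracle patch id."""
    files = {
        "oracle_common/modules/thirdparty/log4j-2.11.1.jar": b"placeholder log4j2 copy",
        ".patch_storage/patch_placeholder/backup/log4j-2.11.1.jar": b"placeholder log4j2 copy",
        "oracle_common/modules/thirdparty/log4j-1.2.12rsa-2.jar": b"placeholder RSA jar",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)


def demo(root=None):
    """Dry run, then real removal, on a constructed tree; return a summary of what happened."""
    root = root or tempfile.mkdtemp()
    build_sample_tree(root)
    before = find_leftovers(root)
    remove_leftovers(root, dry_run=True)          # nothing is deleted yet
    after_dry_run = find_leftovers(root)
    real = remove_leftovers(root, dry_run=False)  # now the copies go
    after = find_leftovers(root)
    rsa_jar = os.path.join(root, "oracle_common", "modules", "thirdparty", "log4j-1.2.12rsa-2.jar")
    return {
        "before": len(before),
        "after_dry_run": len(after_dry_run),
        "after_removal": len(after),
        "removed": [(p, digest) for p, digest, done in real if done],
        "rsa_jar_survives": os.path.isfile(rsa_jar),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it once with dry_run=True on each replica instance and web-tier server and compare the hit lists before deleting anything; the recorded hashes are what you attach to the change ticket, and no restart is needed because the files are not in use.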

Resolution

The Log4j2 files are no longer present on SecurID Authentication Manager.

 

References

Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.