Security Advisory ID: BSA-2021-1651

Products: Brocade Fabric OS and 2 more products

21307

Last Updated: 02 March 2022

Published: 11 December 2021

Closed

Low

N/A

Yes

CVEs: CVE-2021-44228, CVE-2021-45046

Summary

Security Advisory ID: BSA-2021-1651

Component: Apache Log4j

Revision: 4.0


Brocade Security has become aware of the Apache Log4j version 2.x remote code execution vulnerability (CVE-2021-44228). Additional vulnerabilities (CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) have also been identified following the initial disclosure. BSA-2021-1651 provides Brocade's statement for CVE-2021-44228 and CVE-2021-45046. Separate security advisories have been published to provide statements for CVE-2021-45105 and CVE-2021-44832.

Note: Applications using Log4j 1.x are only vulnerable to the attack identified by CVE-2021-44228 when they are specifically configured to use JMSAppender, which is not the default. A separate CVE (CVE-2021-4104) describes this vulnerability. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability. Brocade Security Advisory BSA-2021-1652 provides detailed information about CVE-2021-4104.

Note: Log4j 1.x is not impacted by CVE-2021-45046 or CVE-2021-45105.

More information can be found at the following links:

    Brocade has investigated its product line to determine the exposure of Brocade Fibre Channel products from Broadcom.

    Products Confirmed Not Vulnerable

    • Brocade Active Support Connectivity Gateway, all versions – Not affected.
    • Brocade Fabric OS versions 9.x – Not affected.
    • Brocade Fabric OS versions 8.x and 7.4.x – Not affected.
    • Brocade EZSwitch versions 8.x and 9.x – Not affected.
    • Brocade AMPOS versions 2.x and 3.x – Not affected.

    Note: Older versions of Brocade Fabric OS (8.x and 7.4.x), all versions of Brocade Network Advisor, and EZSwitch versions 8.x and 9.x contain a modified Log4j 1.x component. However, the JMSAppender class is not used in any Brocade product. Based on the information available from Apache and the Log4j maintainers at the time of this announcement, the Log4j 1.x code used by these products is not vulnerable. Brocade continues to monitor all sources of information related to these vulnerabilities.

    Affected Products

    • Brocade SANnav v2.0.0 through v2.2.0 – Affected.

    The Brocade SANnav Management Portal and Brocade Global View products do not directly use Log4j, but other open source and third-party modules used by Brocade SANnav do call and contain Log4j code. Brocade SANnav does not expose direct access to these services, so Brocade SANnav may not be exploitable.

    Updated remediation steps (updated guidance provided on 3/02/2022)

    For Brocade SANnav v2.2.0

    Brocade has released a new security update as a patch that should be applied on top of SANnav v2.2.0. This patch will update all open source components that utilize log4j 2.x code to use the latest version of log4j 2.x (version 2.17.1).

    In addition, this patch will remove all potentially vulnerable log4j 1.x class objects from the Brocade SANnav code. The full list of classes removed by this patch is: JndiLookup, JMSAppender, JDBCAppender, JMSSink, Chainsaw, SMTPAppender, and SocketServer. While these class objects were neither configured nor accessible within the SANnav product, removing them fully remediates any potential exploit that depends on the code being present.

    After installing the security update patch, a restart of SANnav is required for the updates to take effect. No future restart or other activity will require the user to re-apply the patch or to run any scripts to remove potentially vulnerable objects; the effect of the security update patch is permanent.

    Brocade continues to monitor for further clarification from all upstream vendors. Brocade will provide additional updates as required. Applying this new security update patch replaces any previous remediation steps.

    Brocade SANnav Management Portal v2.2.0

    • Patch: Portal_2.2.0.1.tar.gz
    • Release Notes: Portal_2.2.0.1_releasenotes_v1.0

    Brocade SANnav Global View v2.2.0

    • Patch: Global_2.2.0.1.tar.gz
    • Release Notes: Global_2.2.0.1_releasenotes_v1.0

    For Brocade SANnav v2.1.1

    Brocade has released a new security update as a patch that should be applied on top of SANnav v2.1.1. This patch will remove all potentially vulnerable log4j 1.x and log4j 2.x class objects from the Brocade SANnav code. The full list of classes removed by this patch is: JndiLookup, JMSAppender, JDBCAppender, JMSSink, Chainsaw, SMTPAppender, and SocketServer. While these class objects were neither configured nor accessible within the SANnav product, removing them fully remediates any potential exploit that depends on the code being present.

    After installing the security update patch, a restart of SANnav is required for the updates to take effect. No future restart or other activity will require the user to re-apply the patch or to run any scripts to remove potentially vulnerable objects; the effect of the security update patch is permanent.

    Brocade continues to monitor for further clarification from all upstream vendors. Brocade will provide additional updates as required. Applying this new security update patch replaces any previous remediation steps.

    Brocade SANnav Management Portal v2.1.1

    • Patch: Portal_2.1.1.7.tar.gz
    • Release Notes: Portal_2.1.1.7_releasenotes_v1.0

    Brocade SANnav Global View v2.1.1

    • Patch: Global_2.1.1.2.tar.gz
    • Release Notes: Global_2.1.1.2_releasenotes_v1.0

    Vulnerability scanners may still report these vulnerabilities after the provided security update patches have been applied, because the Log4j library files, with their original version strings, remain present within Brocade SANnav. The vulnerabilities are addressed by the patches, as all potentially vulnerable class objects have been removed. While most scanners will mark the related SANnav files as “MITIGATED”, some scanners may continue to warn about these known vulnerabilities.
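    Because scanners key on the library version string rather than on which classes remain inside the archives, a defender may want to verify the patch result directly. The following is an added example, not Brocade's patch or script code: it walks a directory of jar/war/ear files (recursing into bundled jars, since the affected code lives in third-party modules), reports any of the class objects the advisory says are removed, and reports any Log4j 2.x core below the 2.17.1 target. It matches classes by simple name rather than assuming exact package paths, and the sample archives it scans are constructed in a temporary directory, not real SANnav files.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Class objects the BSA-2021-1651 patches strip (Chainsaw is a whole package) and the Log4j 2.x target.
REMOVED_CLASSES = {"JndiLookup", "JMSAppender", "JDBCAppender", "JMSSink",
                   "SMTPAppender", "SocketServer"}
REMOVED_PACKAGES = ("org/apache/log4j/chainsaw/",)
TARGET_LOG4J2 = (2, 17, 1)

def scan_archive(data, name, findings):
    """Flag leftover classes and pre-2.17.1 Log4j 2.x cores; recurse into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                simple = entry.rsplit("/", 1)[-1][:-len(".class")]
                if simple in REMOVED_CLASSES or entry.startswith(REMOVED_PACKAGES):
                    findings.append(("class_present", name, entry))
            elif entry.endswith("pom.properties") and "log4j" in entry:
                match = re.search(rb"^version=(\S+)", zf.read(entry), re.M)
                version = match.group(1).decode() if match else ""
                parts = tuple(int(p) for p in version.split(".") if p.isdigit())
                if version.startswith("2.") and parts < TARGET_LOG4J2:
                    findings.append(("old_log4j2", name, version))
            elif entry.endswith((".jar", ".war", ".ear")):  # shaded or bundled dependency
                scan_archive(zf.read(entry), f"{name}!{entry}", findings)

def scan_directory(root):
    """Return (kind, archive, detail) tuples for every jar/war/ear under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in {".jar", ".war", ".ear"}:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def build_fixture(root):
    """Constructed sample archives (not real SANnav files) to exercise the scanner."""
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    old_core = io.BytesIO()
    with zipfile.ZipFile(old_core, "w") as z:  # unpatched core still carrying JndiLookup
        z.writestr(pom, "version=2.14.1\n")
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe")
    with zipfile.ZipFile(Path(root) / "module.war", "w") as z:  # third-party module
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", old_core.getvalue())
        z.writestr("WEB-INF/classes/org/apache/log4j/net/JMSAppender.class", b"\xca\xfe")
    with zipfile.ZipFile(Path(root) / "patched.jar", "w") as z:  # what the patch leaves behind
        z.writestr(pom, "version=2.17.1\n")

def demo():  # build the constructed fixture in a temp dir, scan it, return the findings
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_directory(tmp)
```

    An empty result from scan_directory on the SANnav installation directory means the listed classes are gone and no pre-2.17.1 Log4j 2.x core remains, whatever the scanner reports.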

    Previous remediation steps (prior to 3/02/2022)

    Brocade has released a set of scripts that can be applied to SANnav 2.1.1 or SANnav 2.2.0. These scripts will remove the JndiLookup class from the Log4j .jar files contained within Brocade SANnav. Versions of Brocade SANnav prior to v2.1.1 will first need to be upgraded to Brocade SANnav 2.1.1 or 2.2.0 before applying the recommended remediation script.

    A “v2” of the provided scripts has been created that will also remove the JMSAppender and JDBCAppender class from the Log4j .jar files contained within Brocade SANnav. While the Brocade SANnav product does not configure nor use the JMSAppender and JDBCAppender class code, any customer that wishes to remove these classes from the Log4j .jar files can do so by utilizing the latest “v2” scripts provided by Brocade.

    Customers that have previously applied the original script may elect to apply this second version of the script to remove the unused Appender classes from the Log4j .jar files. Customers that have not previously applied the original version of the script are strongly encouraged to apply the “v2” script to remove all three classes, including the JndiLookup class, from the Log4j .jar files.

    Solution: Download the instructions and script file for the version of the Brocade SANnav product in use.

    The instructions and script files are available for download and can be found in the location where the Brocade SANnav software is posted for download.

    Brocade SANnav Management Portal version 2.1.1

    • Instructions: Portal_2.1.1_BSA2021_1651_releasenotes_v2.0.pdf
    • Script file: Portal_2.1.1_BSA2021_1651_v2.tar.gz

    Brocade SANnav Global View version 2.1.1

    • Instructions: Global_2.1.1_BSA2021_1651_releasenotes_v2.0.pdf
    • Script file: Global_2.1.1_BSA2021_1651_v2.tar.gz

    Brocade SANnav Management Portal version 2.2.0

    • Instructions: Portal_2.2.0_BSA2021_1651_releasenotes_v2.0.pdf
    • Script file: Portal_2.2.0_BSA2021_1651_v2.tar.gz

    Brocade SANnav Global View version 2.2.0

    • Instructions: Global_2.2.0_BSA2021_1651_releasenotes_v2.0.pdf
    • Script file: Global_2.2.0_BSA2021_1651_v2.tar.gz

    These scripts are no longer required if the new remediation step instructing the installation of security update patches is followed.


    Revision History

    Version | Change | Date
    1.0 | Initial Publication | December 11, 2021
    2.0 | Additional details on remediation recommendation | December 13, 2021
    2.1 | Added note about SANnav versions prior to 2.1.1 | December 13, 2021
    2.2 | Added Brocade AMP OS versions 2.x and 3.x | December 15, 2021
    3.0 | Updated remediation to use provided scripts | December 21, 2021
    3.1 | Updated to provide statement on CVE-2021-44228 and CVE-2021-45046 only | January 4, 2022
    3.2 | Updated to provide notification of “v2” scripts | January 12, 2022
    4.0 | Updated remediation recommendation to install security update patches; removed assessment for BNA as this product has reached the end of support | March 2, 2022