BSA-2022-1680

Brocade Fabric OS

2 more products

21304

02 March 2022

02 March 2022

Closed

Low

N/A

N/A

CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2019-17571, CVE-2020-9488

Summary

Security Advisory ID : BSA-2022-1680

Component : Apache Log4j

Revision : 2.0

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305 is a high severity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307 is a critical severity deserialization issue in the Chainsaw component of Log4j 1.x. It is the same flaw that CVE-2020-9493 corrected in the standalone Chainsaw 2.1.0 release, but Chainsaw was also shipped inside the Log4j 1.2.x jar, so that fix did not reach Log4j 1.2.x users.

CVE-2019-17571 is a high severity issue in the SocketServer. Log4j 1.2.x includes a SocketServer class that accepts serialized log events over the network and deserializes them without checking whether the classes involved are allowed. When it listens on untrusted network traffic, this can be exploited for remote code execution in combination with a deserialization gadget on the classpath.

CVE-2020-9488 is a moderate severity issue in the SMTPAppender. The appender does not validate that the server certificate's hostname matches the configured SMTP host, so an SMTPS connection could be intercepted by a man-in-the-middle, leaking any log messages sent through that appender.

Affected Products

  • Brocade SANnav v2.0.0 through v2.2.0 - Affected
  • Brocade EZSwitch versions 8.x and 9.x - Affected

Products Confirmed Not Vulnerable

  • No Other Brocade Fibre Channel Products from Broadcom are currently known to be affected by these vulnerabilities.

Brocade believes that the risk for Brocade SANnav is extremely low.

The Brocade SANnav Management Portal and the Brocade Global View products do not directly use Log4j, but other open source and third-party modules used by Brocade SANnav do call and contain Log4j code. The identified vulnerable class objects are not configured, nor are they used within the Brocade SANnav product.

While Brocade SANnav is believed to not be exploitable, Brocade has released a set of new security updates available as patches that should be applied on top of SANnav v2.2.0 or v2.1.1. These patches remove all potentially vulnerable Log4j 1.x class objects identified in the CVEs noted above. The classes being removed by these patches are: JndiLookup, JMSAppender, JDBCAppender, JMSSink, Chainsaw, SMTPAppender, and SocketServer classes. While these class objects were not configured nor accessible within the SANnav product, the removal of these class objects will fully remediate against any potential exploit due to the code being present.

After installing a security update patch, SANnav must be restarted for the update to take effect. The patch is persistent: later restarts or other activity do not require re-applying the patch or re-running any script that removes potentially vulnerable objects.

Brocade continues to monitor for further clarification from all upstream vendors. Brocade will provide additional updates as required. Applying the latest SANnav security update patch replaces any previous remediation steps.

Brocade SANnav Management Portal v2.1.1

  • Patch: Portal_2.1.1.7.tar.gz
  • Release Notes: Portal_2.1.1.7_releasenotes_v1.0

Brocade SANnav Global View v2.1.1

  • Patch: Global_2.1.1.2.tar.gz
  • Release Notes: Global_2.1.1.2_releasenotes_v1.0

Brocade SANnav Management Portal v2.2.0

  • Patch: Portal_2.2.0.1.tar.gz
  • Release Notes: Portal_2.2.0.1_releasenotes_v1.0

Brocade SANnav Global View v2.2.0

  • Patch: Global_2.2.0.1.tar.gz
  • Release Notes: Global_2.2.0.1_releasenotes_v1.0

Vulnerability scanners may still report these vulnerabilities after the security update patches have been applied, because the Log4j 1.x library files remain present within Brocade SANnav and many scanners key on the jar file name or manifest version rather than on which classes the jar actually contains. The vulnerabilities are addressed by the patches because all potentially vulnerable class objects have been removed from those jars. Most scanners will mark the related SANnav files as "MITIGATED", but some may continue to warn about these known vulnerabilities.

Brocade believes that the risk for Brocade EZSwitch is extremely low.

Brocade EZSwitch is believed to not be exploitable. However, Brocade will release a security script for the EZSwitch v9.1.0 product offering that removes all potentially vulnerable class objects from the EZSwitch code. The full list of classes removed by this script is: JndiLookup, JMSAppender, JDBCAppender, JMSSink, Chainsaw, SMTPAppender, and SocketServer. While these class objects were not configured nor accessible within the EZSwitch product, removing them fully remediates any potential exploit that depends on the code being present.

Note: EZSwitchSetup 9.1.0 does not use Log4j 2.x

A Brocade EZSwitch log4j script removes the following Java classes from the Log4j 1.x jars in EZSwitchSetup code to eliminate any possible exploits. By removing these classes, EZSwitchSetup code is fully remediated against all currently known Log4j 1.x vulnerabilities.

  • JMSAppender.class
  • JDBCAppender.class
  • JMSSink.class
  • Chainsaw package (All classes within this package are removed)
  • SMTPAppender.class
  • SocketServer.class

Note: EZSwitchSetup does not use these classes and is deemed not vulnerable even if present. 

Installation Instructions

Important Notes:

  1. Close all the instances of the EZSwitchSetup application before running this script
  2. The script must be executed with the Administrator role

Steps:

  1. Copy the "fix_log4j_vulnerability.zip" file to the "<EZSwitchSetup_Home>" folder.
  2. Extract it in the same location.
  3. Make sure that the fix-log4j-vulnerability.bat, zip.exe and unzip.exe files are placed under the "<EZSwitchSetup_Home>" folder.
  4. Open a command prompt and navigate to "<EZSwitchSetup_Home>".
  5. Type fix-log4j-vulnerability.bat and press Enter.
  6. If any error is encountered, please share the fix-log4j-vulnerability_<DateTime>.log file, which will be present under the "<EZSwitchSetup_Home>" folder.
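The script above (and the SANnav patches described earlier) remediate by deleting class entries from the Log4j 1.x jars rather than by upgrading the library, which is also why version-based scanners keep flagging the files. The following is an added example, not Brocade's fix-log4j-vulnerability.bat: it removes the same six Log4j 1.x items (the five named classes plus the whole chainsaw package; JndiLookup is a Log4j 2 class and is not present in a 1.2.x jar) using Python's zipfile module in place of zip.exe/unzip.exe, and then audits the result the way a class-aware scanner would. The package paths are the standard Log4j 1.2 layout; the jar it builds is a constructed stand-in with empty class entries, so it runs offline.

```python
"""Strip the Log4j 1.x classes listed in BSA-2022-1680 from a jar and verify.

Added example; not the Brocade script. Package paths assume the standard
Log4j 1.2 layout, and build_sample_jar() creates a constructed stand-in jar.
"""
import os
import shutil
import tempfile
import zipfile

# Class file names from the advisory, under their Log4j 1.2 package paths.
REMOVED_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/net/SMTPAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
# The advisory removes every class in the chainsaw package.
REMOVED_PACKAGES = ("org/apache/log4j/chainsaw/",)


def is_vulnerable_entry(name):
    """True for a listed class, any inner class of it (Name$1.class), or a chainsaw entry."""
    if name.startswith(REMOVED_PACKAGES):
        return True
    for cls in REMOVED_CLASSES:
        stem = cls[: -len(".class")]
        if name == cls or (name.startswith(stem + "$") and name.endswith(".class")):
            return True
    return False


def audit_jar(path):
    """Entries still present that the advisory removes; an empty list means remediated."""
    with zipfile.ZipFile(path) as zf:
        return sorted(n for n in zf.namelist() if is_vulnerable_entry(n))


def manifest_version(path):
    """Implementation-Version from the manifest: what version-based scanners key on."""
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def strip_jar(path):
    """Rewrite the jar without the vulnerable entries (temp file, then atomic replace)."""
    removed = []
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(os.path.abspath(path)))
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if is_vulnerable_entry(info.filename):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    os.replace(tmp, path)
    return sorted(removed)


def build_sample_jar(path):
    """Constructed stand-in for log4j-1.2.17.jar: realistic entry names, empty bodies."""
    entries = [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/chainsaw/LoggingReceiver$Slurper.class",
    ]
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n\r\n")
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Build the sample jar, strip it, and report the before/after state."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-1.2.17.jar")
    build_sample_jar(jar)
    result = {
        "before": audit_jar(jar),
        "removed": strip_jar(jar),
        "after": audit_jar(jar),
        "version_in_manifest": manifest_version(jar),  # still 1.2.17: scanners may warn
    }
    with zipfile.ZipFile(jar) as zf:
        result["benign_kept"] = "org/apache/log4j/Logger.class" in zf.namelist()
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running audit_jar() against the real jars after the Brocade script or patch has been applied gives a class-level check that does not depend on the scanner's version heuristics; the manifest version, as demo() shows, is unchanged by the stripping, which is why a version-keyed scanner still reports the file.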

Revision History

Version   Change                                                 Date
1.0       Initial Publication                                    March 2, 2022
2.0       Details related to Script to remove affected classes   March 18, 2022