Apache Log4j Vulnerability in NetApp Products [CVE-2021-44228]

Note : If your looking for our main article on the Apache Log4j vulnerability – click here

Multiple NetApp products incorporate Apache Log4j. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability which when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Affected Products

  • Brocade SAN Navigator (SANnav)
  • Cloud Manager
  • ONTAP Tools for VMware vSphere
  • SnapCenter Plug-in for VMware vSphere

Products Not Affected

  • 7-Mode Transition Tool
  • AFF Baseboard Management Controller (BMC) – A700s
  • ATTO FibreBridge – 6500N
  • ATTO FibreBridge – 7500N
  • ATTO FibreBridge – 7600N
  • Active IQ Unified Manager for Linux
  • Active IQ Unified Manager for Microsoft Windows
  • Active IQ Unified Manager for VMware vSphere
  • Active IQ mobile app
  • Brocade Fabric Operating System Firmware
  • Cloud Data Sense
  • Cloud Insights Telegraf Agent
  • Cloud Volumes ONTAP Mediator
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • E-Series BIOS
  • E-Series SANtricity OS Controller Software 11.x
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API) for Web Services Proxy
  • Element .NET SDK
  • Element HealthTools
  • Element JAVA SDK
  • Element Plug-in for vCenter Server
  • Element Powershell Tools
  • Element Python SDK
  • FAS/AFF BIOS
  • FAS/AFF Baseboard Management Controller (BMC) – 8300/8700/A400
  • FAS/AFF Baseboard Management Controller (BMC) – A250/500f
  • FAS/AFF Baseboard Management Controller (BMC) – A320/C190/A220/FAS2720/FAS2750/A800
  • Host Utilities – SAN for Linux
  • Host Utilities – SAN for Windows
  • Inventory Collect Tool
  • Management Services for Element Software and NetApp HCI
  • MetroCluster Tiebreaker for clustered Data ONTAP
  • NetApp Cloud Backup (formerly AltaVault)
  • NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
  • NetApp Converged Systems Advisor Agent
  • NetApp E-Series Performance Analyzer
  • NetApp HCI Baseboard Management Controller (BMC) – H300S/H500S/H700S/H300E/H500E/H700E/H410S
  • NetApp HCI Baseboard Management Controller (BMC) – H410C
  • NetApp HCI Baseboard Management Controller (BMC) – H610C
  • NetApp HCI Baseboard Management Controller (BMC) – H610S
  • NetApp HCI Baseboard Management Controller (BMC) – H615C
  • NetApp HCI Compute Node (Bootstrap OS)
  • NetApp HCI Compute Node BIOS
  • NetApp HCI Storage Node BIOS
  • NetApp Manageability SDK
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp SANtricity SMI-S Provider
  • NetApp SMI-S Provider
  • NetApp SolidFire & HCI Management Node
  • NetApp SolidFire BIOS
  • NetApp SolidFire Plug-in for vRealize Orchestrator (SolidFire vRO)
  • NetApp SolidFire, Enterprise SDS & HCI Storage Node (Element Software)
  • NetApp Storage Encryption
  • NetApp XCP NFS
  • NetApp XCP SMB
  • NextGen API
  • ONTAP Mediator
  • ONTAP Select Deploy administration utility
  • OnCommand Insight
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • SANtricity Unified Manager
  • SAS Firmware
  • SRA Plugin for Linux
  • SRA Plugin for Windows
  • Service Processor
  • Single Mailbox Recovery
  • Snap Creator Framework
  • SnapCenter
  • SnapDrive for Unix
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for Oracle
  • SnapManager for Oracle Windows
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • SolidFire Storage Replication Adapter
  • Storage Services Connector
  • StorageGRID (formerly StorageGRID Webscale)
  • StorageGRID BIOS SG1000/SG100
  • StorageGRID BIOS SG5660/SG5612/SG5760/SG5712
  • StorageGRID BIOS SG6060/SGF6024
  • StorageGRID Baseboard Management Controller (BMC)
  • StorageGRID9 (9.x and prior)
  • System Manager 9.x
  • Trident

Workarounds

SnapCenter Plug-in for VMware vSphere:
1) Login to then Maintenance Console:
https://docs.netapp.com/us-en/sc-plugin-vmware-vsphere/scpivs44_manage_snapcenter_plug-in_for_vmware_vsphere.html#access-the-maintenance-console
2) Select option 4: “Support and Diagnostics”
3) Select option 2: “Access diagnostic shell”
4) Edit the two service init scripts listed below to include an additional flag in service startup as demonstrated:
a) In file /opt/netapp/init_scripts/scvservice add flag -Dlog4j2.formatMsgNoLookups=true to the java line as shown below:
java -jar -Dlog4j2.formatMsgNoLookups=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/core/scvservice/$(date +”%!d(MISSING)%!m(MISSING)%!y(MISSING)_%!H(MISSING)%!M(MISSING)%!S(MISSING)”).core -XX:OnOutOfMemoryError=’/opt/netapp/init_scripts/scvservice stop’ *.jar &
b) In file /opt/netapp/init_scripts/controlplane add flag -Dlog4j2.formatMsgNoLookups=true to the java line as shown below:
java -Xmx2048m -Dlog4j2.formatMsgNoLookups=true -Dserver.port=$RESTPORTNO -Dthrift.server.port=$THRIFTSERVERPORT -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/core/controlplane/$(date +”%!d(MISSING)%!m(MISSING)%!y(MISSING)_%!H(MISSING)%!M(MISSING)%!S(MISSING)”).core -XX:OnOutOfMemoryError=’/opt/netapp/init_scripts/controlplane stop’ -jar /opt/netapp/controlplane/*.jar &
5) After editing the files restart the services using the Maintenance Console Option 1 (Application Configuration)
a) Stop SnapCenter VMware plug-in service
b) Start SnapCenter VMware plug-in service

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

One thought on “Apache Log4j Vulnerability in NetApp Products [CVE-2021-44228]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: