Vertica Potential Security Vulnerability Apache log4j CVE-2021-44832
SUPPORT COMMUNICATION - SECURITY BULLETIN
Potential Security Impact: remote code execution
VULNERABILITY SUMMARY
A potential vulnerability has been identified in the Apache log4j library used by Vertica Server.
The vulnerability could be exploited to allow remote code execution.
CVE References: CVE-2021-44832
SUPPORTED SOFTWARE VERSIONS:
Vertica Server – all versions
CVSS Version 3.1 Metrics:
Reference V3.1 Vector V3.1 Base Score
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
RESOLUTION:
Vertica Server
Notes: These patches cumulatively address all four of the CVEs listed above.
Apply Patch
Two components in the Vertica product contain a vulnerable version of the log4j library: the Management Console (MC) and the Kafka scheduler. The following patches contain fixes for both components. Vertica versions currently under Committed Support and available for download: 10.0.1-19, 10.1.1-14, and 11.0.2-2. Unsupported Vertica versions patched and available for download: 9.2.1-28 and 9.3.1-31. Vertica patches are available on the SLD site: https://sld.microfocus.com/mysoftware/index. The 9.2.1-28 patch is available only on the SFTP site (sftp.vertica.com); if you need credentials, please contact Vertica Technical Support.
As part of a comprehensive patch, customers using HCatalog features are advised to update the log4j version on their Hadoop cluster and re-execute the hcatUtil utility as detailed in the workaround below.
Workaround
The workaround can be applied when upgrading to a patched version is not possible, or in the interim while waiting for the patch. It involves addressing each instance of the vulnerable log4j library individually by removing the JndiLookup.class file from the log4j-core-*.jar file, as recommended by Apache. These steps are universal across Vertica versions.
On every database server node, update the Kafka scheduler .jar to remove the vulnerable class.
This file, used by the server's Kafka scheduler, was added in Vertica 7.2. If customers are on 7.1 or earlier, this file will not exist and no action is needed. Customers on 7.2 and later should run the zip command below. This step is performed as the Vertica dbadmin Linux user.
zip -q -d /opt/vertica/packages/kafka/lib/log4j-core*.jar \
org/apache/logging/log4j/core/lookup/JndiLookup.class
On the MC node, there is a copy of the Kafka scheduler used by the Management Console. Update this as well to remove the vulnerable class.
The jar file included in the MC was added in Vertica 8.0. If customers are using MC on 7.2 or earlier, this file will not exist and no action is needed. Customers on 8.0 MC and later should run the zip command below. This step is performed as the MC Linux admin user.
zip -q -d /opt/vconsole/vendor/vertica/kafka/lib/log4j-core*.jar \
org/apache/logging/log4j/core/lookup/JndiLookup.class
On the MC node, there is also a copy of log4j bundled in the webui.war file. This is extracted at runtime to supply the web assets. The webui.war file should be updated to remove the vulnerable class, then the temp directory should be purged and the MC restarted so that the new assets are extracted and used.
This is applicable for MC versions 9.3 and later. MC version 9.2 and earlier uses version 1.x of the log4j library which is not vulnerable. There will still be a webui.war file on all versions of the MC, but edits are only needed for 9.3 and later. This step is performed as the MC Linux admin user.
mkdir /tmp/war
cd /tmp/war
cp /opt/vconsole/lib/webui.war .
unzip -o webui.war
zip -q -d WEB-INF/lib/log4j-core*.jar \
org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -r -u webui.war WEB-INF
sudo /etc/init.d/vertica-consoled stop
cp webui.war /opt/vconsole/lib/webui.war
rm -rf /opt/vconsole/temp/*
sudo /etc/init.d/vertica-consoled start
On every database node, check for the existence of log4j in the /opt/vertica/packages/hcat/lib/ directory. These are imported libraries downloaded from a connected Hadoop cluster. Update the libraries on that Hadoop cluster and then follow the Vertica documentation for “Configuring Vertica for HCatalog” to re-configure Vertica with the new log4j library. This involves running /opt/vertica/packages/hcat/tools/hcatUtil and recompiling the HCatalog connector.
On cloud images published by Vertica, a file /var/opt/vconsole/MCClient.jar exists that is used to initially configure the MC. This file contains a vulnerable version of log4j but is not needed once the cloud instance has been launched. This file should be deleted if it exists.
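The following verification script is an added example, not Vertica tooling: after applying the workaround steps above, it reports every log4j-core jar under the bulletin's directories that still ships JndiLookup.class, descending into jars nested inside webui.war. The sample war it builds in memory is constructed here for demonstration; the directory list and the "log4j-core-2.x.jar" name are assumptions, not taken from a real install.

```python
import io
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Directories named in the bulletin: Kafka scheduler, MC copy of the scheduler,
# webui.war, HCatalog libraries, and the cloud-image MCClient.jar (assumed list).
VERTICA_DIRS = [
    "/opt/vertica/packages/kafka/lib",
    "/opt/vconsole/vendor/vertica/kafka/lib",
    "/opt/vconsole/lib",
    "/opt/vertica/packages/hcat/lib",
    "/var/opt/vconsole",
]


def find_jndi(data: bytes, label: str) -> list:
    """Labels of every archive in `data` (including jars nested in a war) still containing JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # corrupt file, or a non-zip file carrying a .jar name
    with zf:
        names = zf.namelist()
        hits = [label] if JNDI_CLASS in names else []
        for inner in names:
            if inner.endswith((".jar", ".war")):  # e.g. WEB-INF/lib/log4j-core*.jar inside webui.war
                hits += find_jndi(zf.read(inner), f"{label}!{inner}")
    return hits


def scan_dirs(dirs=VERTICA_DIRS) -> list:
    """Scan every .jar/.war directly under the given directories; missing directories are skipped."""
    hits = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*")):
            if path.is_file() and path.suffix in (".jar", ".war"):
                hits += find_jndi(path.read_bytes(), str(path))
    return hits


def build_sample_war(patched: bool) -> bytes:
    """Constructed test input: a minimal webui.war with one nested log4j-core jar, with or without the JNDI class."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")  # dummy class bytes
        if not patched:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.x.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for state, war in (("before", build_sample_war(False)), ("after", build_sample_war(True))):
        print(state, find_jndi(war, "webui.war"))
    print("on this host:", scan_dirs() or "no JndiLookup.class found")
```

An empty result from scan_dirs() on a node means every jar the bulletin names has been cleaned; rerun it after the MC restart, since the temp directory is re-extracted from the updated webui.war.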
Vertica Accelerator (Vertica as a Service)
Vertica Accelerator is not impacted by this vulnerability.