SZ and vSZ - Steps to Implement CVE-2021-44228 log4j2 Patch

Summary

v/SZ patch for CVE-2021-44228 (log4j2) and the steps to implement it

Question

How to download and implement the patch for vSZ CVE-2021-44228 log4j2?

Customer Environment

v/SZs on 5.x and 6.0

Root Cause

vSZ 5.x and above use log4j versions 2.8.2 and 2.11.1, which are impacted.

Resolution

Please refer to the following steps to apply the KSP for 5.x and above:

Note: The downloaded file will be in zip format. Please make sure to unzip the downloaded file first. The resultant file after unzipping should end with .ksp.

  • On macOS, the native built-in Archive Utility by default extracts the zipped patch/KSP hierarchically into 3 files (digital_sig.bin, signing_cert.pem and the *.ksp file). A KSP extracted this way will not be applied correctly on the controller (it displays "invalid file"). You can either set the macOS Archive Utility preferences to turn off the 'keep expanding if possible' flag or run unzip from the shell. After a correct unzip, a single *.ksp file should result, and this can be successfully uploaded into the controller.
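
An added shell example (not part of the original article) for the macOS note above: it unzips the download one level only and checks that a single *.ksp file results. The function names and return codes are assumptions of this example; digital_sig.bin and signing_cert.pem are the filenames given in the note.

```shell
#!/bin/sh
# Added example: unpack the downloaded patch zip one level only and
# confirm the result is a single .ksp file ready for upload.

# check_ksp_dir DIR
# Prints the path of the .ksp and returns 0 when DIR holds exactly one
# *.ksp and none of the inner files that appear when the archive was
# expanded too far. Returns 1 for over-expansion, 2 for a wrong .ksp count.
check_ksp_dir() {
    dir=$1
    extra=$(find "$dir" -type f \( -name digital_sig.bin -o -name signing_cert.pem \))
    if [ -n "$extra" ]; then
        echo "over-expanded: inner signature files found under $dir" >&2
        return 1
    fi
    # wc pads its output on macOS, so strip the spaces before comparing.
    count=$(find "$dir" -type f -name '*.ksp' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one .ksp under $dir, found $count" >&2
        return 2
    fi
    find "$dir" -type f -name '*.ksp'
}

# extract_ksp ZIPFILE DESTDIR
# Runs a plain unzip (which does not expand nested archives) into DESTDIR,
# then validates the result. Returns 3 if the extraction itself fails.
extract_ksp() {
    zipfile=$1
    dest=$2
    mkdir -p "$dest" || return 3
    unzip -q -o "$zipfile" -d "$dest" || return 3
    check_ksp_dir "$dest"
}
```

Call `extract_ksp <downloaded zip> <empty directory>` and upload the path it prints; a non-zero return means the directory should not be used for the upload.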

Step 1: A cluster backup is always required before applying any KSP.

  1. Navigate to Administration >> Backup and Restore
  2. Under the "Cluster" tab, click "Back up Entire Cluster" and select Yes
  3. Once the backup is taken successfully, proceed to Step 2

Step 2: Upload the script to the v/SZ node from GUI:

  1. Diagnostics >> Scripts >> Patch/Diagnostics Scripts (For 5.0+)
  2. Monitor >> Troubleshooting & Diagnostics >> Scripts >> Patch/Diagnostics Scripts (For 6.0)
  3. Click on the diagnostic scripts tab from the left-hand menu
  4. Click the browse button under "Upload diagnostic script to vSZ", select the KSP file attached, and upload it.

Upon successful upload, the script ("script name") will be visible in the section below the "upload" section.

Step 3: Execute the script on the vSZ node's CLI:

1. Connect to the SCG CLI, enter "enable" mode and then "patches" mode. Below is an example of executing the script on 5.2 (please check that the KSP is the correct one for your code before applying it):
 

Ruckus> en
Password: ********

Ruckus# patches

Ruckus(patches)# apply ER10935_fix_log4j_856364
Start Patching the System...

INFO : Using a default root directory : /tmp/tmp.HPCRanSP8i

/opt/ruckuswireless/wsg/apps/lib/log4j-core-2.11.1.jar exists. Replace this file.
/opt/ruckuswireless/wsg/apps/lib/log4j-core-2.8.2.jar exists. Replace this file.
/opt/ruckuswireless/3rdparty/elasticsearch-5.4.2/lib/log4j-core-2.8.2.jar exists. Replace this file.
Done.
Please restart services to make the changes take effect.

Ruckus(patches)# exit
Ruckus# reload


NOTE: The KSP needs to be applied to all nodes in a cluster and requires a service restart for successful execution.

Please do a "reload", not a "service restart".

Filenames:

1. ER10935_fix_log4j_856364.ksp: for 5.2 and later versions up to the 6.0 release
2. ER10935_fix_log4j_before_5_2_856366.ksp: for code prior to 5.2 (5.0, 5.1 releases)

Article Number:
000012025

Updated:
January 06, 2022 06:19 AM (over 2 years ago)

Tags:
Security, Known Issues and Workarounds, SmartCell Gateway
