
2021-12 Out of Cycle Security Advisory: Multiple Products: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 and CVE-2021-42550)


Article ID: JSA11259 SECURITY_ADVISORIES Last Updated: 14 Jan 2022Version: 10.0
Product Affected:
These issues affect multiple products.
Problem:

For CVE-2021-44228:

Apache Log4j2 <=2.14.1 JNDI features, as used in configuration, log messages, and parameters in multiple Juniper Networks products, do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

For CVE-2021-4104:

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

For CVE-2021-45046:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
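The inventory check implied by the CVE-2021-44228 and CVE-2021-45046 descriptions above, as an added example that is not Juniper's or Apache's code: locate each log4j-core jar, read its version from the filename, and report whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside it, using the version thresholds stated above. The sample jars are constructed in a temporary directory for the demo.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def assess_jar(path):
    """Classify one log4j-core jar with the version thresholds the advisory states."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if version >= (2, 16, 0):
        status = "fixed: message lookups removed, JNDI disabled by default"
    elif version == (2, 15, 0):
        status = "partial: CVE-2021-45046 in non-default configurations"
    elif not has_jndi:
        status = "mitigated: JndiLookup.class removed from the jar"
    else:
        status = "vulnerable: CVE-2021-44228"
    return {"jar": path, "version": version, "jndi_class": has_jndi, "status": status}


def scan(root):
    """Walk root and assess every log4j-core-*.jar below it."""
    found = [assess_jar(os.path.join(d, f)) for d, _, fs in os.walk(root) for f in fs]
    return sorted((r for r in found if r), key=lambda r: r["jar"])


def make_sample_jar(path, with_jndi):
    """Construct a minimal stand-in jar for this example, with or without the class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def demo(root=None):
    """Constructed jars mirroring versions named in the advisory, then a scan."""
    root = root or tempfile.mkdtemp()
    cases = [("a/log4j-core-2.9.1.jar", True), ("b/log4j-core-2.13.1.jar", False),
             ("c/log4j-core-2.15.0.jar", True), ("d/log4j-core-2.17.0.jar", True)]
    for rel, jndi in cases:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        make_sample_jar(path, jndi)
    return scan(root)
```

Point scan() at a product's install tree (for example /opt/opennms/lib) to see which of the four states each shipped log4j-core jar is in.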

For CVE-2021-42550:

This vulnerability is currently undergoing analysis and not all information is available. Please refer to https://jira.qos.ch/browse/LOGBACK-1591, as several security researchers have argued against CVE-2021-42550 being necessary, since an attacker who can edit configuration files may also carry out RCE attacks without this CVE.

In LOGBack version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers. The vulnerability is considered to pose a lesser threat than log4shell because it requires the attacker to have access to logback's configuration file, a sign of an already compromised system. CVE-2021-42550 is intended to prevent an escalation of an existing flaw to a higher threat level. Logback should not be a vector in making an RCE possible, even as a stepping stone for an attacker exploiting a prior existing vulnerability (in a different part of the system).
 

Based on our current analysis, the following products are not affected by the CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 or CVE-2021-42550 issues:

  • All AMD-Based CPUs used in any Juniper Networks products.
  • Juniper Networks Junos OS
  • Juniper Networks Junos OS Evolved
    • Juniper Networks products using Wind River Linux in Junos OS and Junos OS Evolved
  • Juniper Networks ScreenOS
  • Juniper Networks Advanced Threat Prevention (JATP)
  • Juniper Networks AppFormix
  • Juniper Networks Apstra System
  • Juniper Networks BTI hardware platforms (Note: software is affected; see below.)
  • Juniper Networks Connectivity Services Director
  • Juniper Networks Contrail products: Contrail Analytics, Contrail Cloud, Contrail Networking or Contrail Service Orchestration
  • Juniper Networks Cross Provisioning Platform
  • Juniper Networks CTPOS and CTPView
  • Juniper Networks ICEAAA Manager
  • Juniper Networks Healthbot
  • Juniper Networks JATP Cloud
  • Juniper Networks JSA Series (See potentially affected and affected sections for other applications potentially residing within the product)
  • Juniper Networks Juniper Sky Enterprise
  • Juniper Networks Juniper Identity Management Services (JIMS)
  • Juniper Networks Junos Fusion/Satellite NOS (SNOS)
  • Juniper Networks Network Director
  • Juniper Networks Paragon Active Assurance
  • Juniper Networks Policy Enforcer
  • Juniper Networks SBR Carrier Edition
  • Juniper Networks SecIntel
  • Juniper Networks Security Director Insights
  • Juniper Networks Security Director
  • Juniper Networks Session Smart Router (Formerly 128T)
  • Juniper Networks Space SDK
  • Juniper Networks Standalone Log Collector 20.1 (as also used by Space Security Director)
  • Juniper Networks Juniper Support Insights
For Mist products and Services:
  • Juniper Networks Juniper Mist Edge
  • Juniper Networks Mist Access Points
    • Any version on AP12, AP21, AP32, AP33, AP34, AP41, AP43, AP45, AP61, AP63, BT11
  • User Engagement Virtual BLE
  • Juniper Networks Mist AI
  • Juniper Networks Marvis Virtual Network Assistant (VNA)
  • Juniper Networks WAN Assurance
  • Juniper Networks Wi-Fi Assurance
  • Juniper Networks Wired Assurance
  • Juniper Networks Premium Analytics

Based on our current analysis, the following products may be affected by the CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 or CVE-2021-42550 issues:

  • Juniper Networks Juniper Secure Analytics Risk Manager
  • Juniper Networks Network and Security Manager (NSM)
  • Juniper Networks WANDL IP/MPLSView

Based on our current analysis, the following products are vulnerable to the issue described in CVE-2021-44228:

  • Juniper Networks BTI proNX Service Manager Software
  • Juniper Networks JSA Series User Behavior Analytics prior to version 4.1.14; see https://www.ibm.com/support/pages/node/6526640 for further details.
  • Juniper Networks Junos Space Network Management Platform when OpenNMS has been enabled.
  • Juniper Networks NorthStar Controller / NorthStar Planner
  • Juniper Networks Paragon Pathfinder
    • Versions 21.1, 21.2 and later
  • Juniper Networks Paragon Planner
    • Versions 21.1, 21.2 and later

We continue to evaluate products and this advisory will be updated as further information becomes available.

These issues were discovered during external security research.

These issues have been assigned CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 and CVE-2021-42550.

2021-December-20: Please note: The Juniper SIRT is aware of and investigating CVE-2021-42550.
2021-December-15: Please note: The Juniper SIRT is aware of and investigating CVE-2021-4104 and CVE-2021-45046.
As information regarding the impact of these CVEs on Juniper products becomes available, this advisory will be updated.


 
Solution:
Solutions will be posted to this advisory as they become available.

NorthStar: Follow the workaround section.

Junos Space: 21.3R1 has been posted, which addresses all CVEs. In addition, Junos Space hot patches for versions 21.1 and 21.2 are available with the Log4j vulnerability fixed.
Workaround:
These instructions apply to: CVE-2021-44228
Please note that OpenNMS is enabled by default.

For Junos Space customers with OpenNMS enabled, the following workaround can be used while OpenNMS is enabled.

Note:
a) The workaround below is applicable to Junos Space 21.1 and 21.2 only.
b) For Junos Space <= 20.3, OpenNMS needs to be stopped.
c) Please contact JTAC for technical support or assistance in processing this workaround.

1. Change directory to:
cd /opt/opennms/lib
Back up and remove the following files:
log4j-api-2.13.1.jar
log4j-core-2.13.1.jar
log4j-slf4j-impl-2.13.1.jar

2. Download the respective 2.17.0 versions of these jar files (the .sha1 checksum file for each jar is linked below it):
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar.sha1

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar.sha1

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar.sha1

3. Upload the above jar files to /opt/opennms/lib

4. Change the permissions and ownership of the jar files:
chmod 750 /opt/opennms/lib/log4j*
chown opennms:opennms /opt/opennms/lib/log4j*

5. Restart OpenNMS:
Administration --> Applications --> Network Management Platform --> Right click --> Manage services --> Network Monitoring (note: OpenNMS) --> Stop icon
Administration --> Applications --> Network Management Platform --> Right click --> Manage services --> Network Monitoring (note: OpenNMS) --> Start icon

For Junos Space customers who don't use OpenNMS:
To check OpenNMS status:
Administration --> Fabric Node --> Right Click on the Node --> View Fabric Details --> Process Details shows whether OpenNMS is running or not.
To stop OpenNMS:
Administration --> Applications --> Network Management Platform --> Right click --> Manage services --> Network Monitoring (note: OpenNMS) --> Stop icon

Workarounds will be posted to this advisory as they become available.

An IDP signature file has been released for protection in Sigpack 3448 or higher.  Please obtain the latest available Sigpacks.
Workarounds for CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 and CVE-2021-42550:
NorthStar
Note that these instructions were previously released to update the packaged log4j version 2.9.1 to 2.15.0; they have been updated below to 2.17.0 and apply to the following CVEs:
CVE-2021-44228, CVE-2021-4104, CVE-2021-45046 and CVE-2021-42550.
For NorthStar customers to apply the workarounds, execute the following on nodes with the analytics installation. Note: please contact JTAC for technical support or assistance in processing this workaround.

First, implement the workaround for ElasticSearch:
Change directory to:
cd /opt/northstar/thirdparty/elasticsearch/lib
Back up and remove the following files:
log4j-api-2.9.1.jar
log4j-core-2.9.1.jar
log4j-1.2-api-2.9.1.jar


Download the respective 2.17.0 versions of these jar files (the .sha1 checksum file for each jar is linked below it):
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar.sha1

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar.sha1
 
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.17.0/log4j-1.2-api-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.17.0/log4j-1.2-api-2.17.0.jar.sha1

Upload the above jar files to /opt/northstar/thirdparty/elasticsearch/lib
Restart ElasticSearch with the following command:
supervisorctl restart analytics:elasticsearch
 
Second, implement the workaround for Logstash:
Change directory to:
cd /opt/northstar/thirdparty/logstash/logstash-core/lib/jars
Back up and remove the following files:
log4j-api-2.9.1.jar
log4j-core-2.9.1.jar
log4j-slf4j-impl-2.9.1.jar

Download the respective 2.17.0 versions of these jar files (the .sha1 checksum file for each jar is linked below it):
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar.sha1
 
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar.sha1
 
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar
checksum
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar.sha1

Upload the above jar files to /opt/northstar/thirdparty/logstash/logstash-core/lib/jars
Restart Logstash with the following command:
supervisorctl restart analytics:logstash
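The jar swap common to the NorthStar and Junos Space workarounds, as an added example that is not Juniper's own tooling: every downloaded 2.17.0 jar is checked against its Maven .sha1 sidecar before any existing log4j-*.jar is moved to a backup directory, and the replacements get the 750 mode from the Junos Space steps. It assumes the jars and their .sha1 files were already downloaded into new_dir; the chown step runs only when an owner such as opennms is passed, since it needs root. The demo builds a constructed directory layout (stand-in files, not real jars) in a temp directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha1_of(path):
    """Hex SHA-1 digest of a file (jars are small enough to read whole)."""
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()


def verify_sha1(jar, sidecar):
    """Maven .sha1 sidecars hold the hex digest, sometimes followed by a filename."""
    expected = Path(sidecar).read_text().split()[0].lower()
    return sha1_of(jar) == expected


def replace_jars(lib_dir, new_dir, backup_dir, owner=None):
    """Verify all new jars first; only then back up old log4j-*.jar and install."""
    lib, new, backup = Path(lib_dir), Path(new_dir), Path(backup_dir)
    new_jars = sorted(new.glob("log4j-*.jar"))
    bad = [j.name for j in new_jars if not verify_sha1(j, new / (j.name + ".sha1"))]
    if bad:
        raise ValueError(f"checksum mismatch, nothing changed: {bad}")
    backup.mkdir(parents=True, exist_ok=True)
    for old in lib.glob("log4j-*.jar"):
        shutil.move(str(old), str(backup / old.name))  # step 1: back up and remove
    for jar in new_jars:
        dest = shutil.copy2(jar, lib / jar.name)        # step 3: upload
        os.chmod(dest, 0o750)                            # step 4: chmod 750
        if owner:                                        # chown opennms:opennms (root only)
            shutil.chown(dest, owner, owner)
    return sorted(p.name for p in lib.glob("log4j-*.jar"))


def demo(root=None, tamper=False):
    """Constructed layout: 2.13.1 jars in lib/, 2.17.0 jars plus .sha1 files in new/."""
    root = Path(root or tempfile.mkdtemp())
    lib, new = root / "lib", root / "new"
    lib.mkdir()
    new.mkdir()
    for ver, d in (("2.13.1", lib), ("2.17.0", new)):
        for name in ("log4j-api", "log4j-core", "log4j-slf4j-impl"):
            jar = d / f"{name}-{ver}.jar"
            jar.write_bytes(f"constructed {name} {ver}".encode())  # stand-in for a real jar
            if d is new:
                (new / (jar.name + ".sha1")).write_text(sha1_of(jar))
    if tamper:  # simulate a corrupted download: the digest no longer matches
        (new / "log4j-core-2.17.0.jar.sha1").write_text("0" * 40)
    return replace_jars(lib, new, root / "backup")
```

A tampered or truncated download makes replace_jars() raise before anything in lib_dir is touched, so the service is never left with a missing jar; restart the service afterwards as the steps above describe.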

Modification History:
2021-12-13: Initial Publication.
2021-12-13: 3:30PM Pacific: Additional product details - affected, not affected, potentially affected and workarounds provided where available. Minor title update.
2021-12-13: 3:35PM Pacific: Paragon Active Assurance not affected; moved from vulnerable section to not affected section. 
2021-12-14 Update 1: SBR Carrier added to the Not Affected section. Reformatted text/minor textual changes. SigPack ID updated from 3444 to 3446. 
2021-12-14 Update 2: New workaround available for NorthStar. Added Mist BT11 and Premium Analytics to not affected. Reformatting text/minor textual changes. 
2021-12-15 Update 1: Adding multiple products to the advisory with new details, adding new CVE IDs for variant and ongoing updates to the issue. Reformatting text/minor textual changes. It should be noted that many products were evaluated for JNDI and the JndiLookupClass and these were ruled out in many cases prior to CVE-2021-4104 and CVE-2021-45046 being issued.  Products may have older releases of log4j yet are unaffected by the lack of JNDI source code or lack of the JndiLookupClass being resident or the shipping configuration of the product which mitigates the issue.
2021-12-16 Update 1: Minor typo in potentially affected; merged JSA/Risk Manager lines together for clarity.
2021-12-16 Update 2: Added Healthbot, made a few minor modifications/textual changes. Please note that some products listed in this advisory are end-of-engineering support and are provided only as a courtesy to notify that the product is or isn't affected by these recent issues. It is not the standard practice of Juniper Networks to apply security fixes to releases which are beyond End of Engineering (EOE) or End of Life (EOL).
2021-12-20 Update 1: Paragon Insights deleted, unnecessary to have listed/confusing. Regardless, it is not affected (standalone or integrated). Added new CVE ID details for latest concern. NorthStar workarounds updated to 2.17.0; the workaround is also the solution. Updated Junos Space workaround with an upgrade step to resolve CVE-2021-44228 while OpenNMS is enabled. Moved Cross Provisioning Platform to not affected from potentially affected.
2022-01-14 Update 1: Updated Junos Space Solution section and Workaround Section.

CVSS Score:
10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
