This article provides supplemental information to SB10377, regarding on-premises ePO and the log4j vulnerabilities.
The CVEs involved include:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
- CVE-2021-44832
Our formal response regarding product impact to the log4j vulnerabilities is available in
SB10377 - McAfee Enterprise products' status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105).
You can find information about our malware coverage for log4shell in
KB95091 - McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution.
Hotfix release details
To respond as rapidly as possible, two hotfixes that updated the bundled log4j libraries were released for ePO. Both hotfixes have since been pulled from the download site because they are no longer needed now that ePO 5.10 Update 12 is available.
ePO Version | Release Date | Log4j Version | CVEs Addressed | Comments
ePO 5.10 Update 12 | January 11, 2022 | 2.17.1 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | (current release)
ePO 5.10 Update 11 Hotfix 2 | December 21, 2021 | 2.17.0 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | Not available. Superseded by ePO 5.10 Update 12.
ePO 5.10 Update 11 Hotfix 1 | December 16, 2021 | 2.16.0 | CVE-2021-44228 | Not available. Superseded by ePO 5.10 Update 11 Hotfix 2.
IMPORTANT:
- Both hotfixes could only be installed on ePO 5.10 Update 11.
- Both hotfixes needed to be manually removed before using the Repair feature on ePO 5.10 Update 11.
- You can apply ePO 5.10 Update 12, regardless of whether you have applied either hotfix.
Frequently Asked Questions
If I have installed ePO 5.10 Update 11 Hotfix 1, must I upgrade to ePO 5.10 Update 12?
Yes. ePO 5.10 Update 11 Hotfix 1 addressed CVE-2021-44228, but it doesn’t address CVE-2021-45046 or CVE-2021-45105.
If I have installed ePO 5.10 Update 11 Hotfix 2, must I upgrade to ePO 5.10 Update 12?
It isn't required, but you can. No additional vulnerabilities are addressed between ePO 5.10 Update 11 Hotfix 2 (log4j 2.17.0) and ePO 5.10 Update 12 (log4j 2.17.1), because the only issue fixed in that log4j step, CVE-2021-44832, doesn't affect ePO. See
KB95123 - ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832 for documentation on why ePO isn’t vulnerable to CVE-2021-44832.
If ePO isn’t vulnerable to CVE-2021-44832, why does ePO 5.10 Update 12 deliver log4j version 2.17.1?
A decision was made while responding to log4j that we would follow up our hotfix releases with a cumulative update release. The update only incremented log4j, and provided the latest build available at the time of the release.
If I have applied ePO 5.10 Update 11 Hotfix 1 or 2, do I need to remove them before applying Update 12?
No. The hotfix files don't need to be removed first. After Update 12 is applied, you can remove the backup files you created when you applied the hotfixes, but doing so is optional.
Assuming you used the same file names we recommended in the hotfix release notes, you can safely remove the files below after you apply Update 12 or later:
- log4j-1.2-api-2.14.1.jar.bak
- log4j-1.2-api-2.14.1.jar.sig.bak
- log4j-api-2.14.1.jar.bak
- log4j-api-2.14.1.jar.sig.bak
- log4j-core-2.14.1.jar.bak
- log4j-core-2.14.1.jar.sig.bak
- log4j-1.2-api-2.16.0.jar.bak
- log4j-1.2-api-2.16.0.jar.sig.bak
- log4j-api-2.16.0.jar.bak
- log4j-api-2.16.0.jar.sig.bak
- log4j-core-2.16.0.jar.bak
- log4j-core-2.16.0.jar.sig.bak
NOTE: You might not have all of the files listed above. It depends on whether you applied hotfix 1, hotfix 2, or both.
Why is my vulnerability scanner flagging Agent Handlers as vulnerable to one or more log4j vulnerabilities?
The same cumulative update package you apply on the ePO server is used to update Agent Handlers. This package contains a copy of the log4j libraries used to update the Application Server. When you apply the update to an Agent Handler, it copies the contents of the entire package to the <AH Install Dir>\Updater folder. The presence of these JAR files is what the scanner detects. Because the handler doesn't load these files, you can either ignore the scan results or remove the files.
Why is my vulnerability scanner flagging my ePO server as vulnerable to one or more log4j vulnerabilities after I've applied Update 12?
When you apply an update on the ePO server, it copies the entire update package to the <ePO Install Directory>\Updates folder. This location might also contain some log4j JAR files. ePO only loads the log4j libraries from the <ePO Install Dir>\Server\Lib folder, so a scanner that reports a JAR anywhere else is reporting a copy that ePO never loads. Copies of the log4j JAR files in locations that ePO doesn't use can be removed, but removing them can break maintenance operations (update rollback, repair) even though day-to-day operation of ePO is unaffected.
This table outlines the file locations and potential problems with removing them. This table assumes you use the default ePO installation directory.
File Location | JAR files can be deleted or renamed? | Potential Impact
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\ | No | ePO fails to function. The Tomcat service might not start or initialize properly.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Updates\ | Yes | The Rollback and Repair features of the Update tool can fail.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\ | Yes | Repair of the ePO installation might fail.
NOTE: The paths above include any subfolders in the referenced path.
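The backup-file list and the file-location table above come together in practice when you have to decide which of the JARs a scanner reports actually matter. The PowerShell script below is an added example, not McAfee tooling and not from the original article: it inventories every log4j file under an ePO (or Agent Handler) install directory, labels each copy according to the table above, checks that the log4j-core copy under Server\lib is at the Update 12 level (2.17.1), and only then removes the hotfix backup files named in the list above. It assumes the default install path and that the log4j version can be read from the file name (log4j-core-2.17.1.jar and similar); both are parameters or patterns you can change.

```powershell
<#
 Added example, not McAfee's own tooling. Inventories log4j files under an ePO
 (or Agent Handler) install directory, says whether ePO loads each copy, and
 removes the hotfix backup files listed in the article once the live copy in
 Server\lib is at the ePO 5.10 Update 12 level.
 Assumptions: default install path; version is parsed from the file name.
#>
param(
    # Pass an Agent Handler install dir here to inventory a handler instead.
    [string]$Root = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [switch]$RemoveBackups   # default is report-only (Remove-Item -WhatIf)
)

$Fixed = [version]'2.17.1'   # log4j build shipped in ePO 5.10 Update 12

# Backup names the hotfix release notes told you to create (from the article).
$HotfixBackups = foreach ($v in '2.14.1', '2.16.0') {
    foreach ($m in 'log4j-1.2-api', 'log4j-api', 'log4j-core') {
        "$m-$v.jar.bak"; "$m-$v.jar.sig.bak"
    }
}

function Get-Log4jVersion([string]$Name) {
    # e.g. log4j-core-2.14.1.jar, log4j-1.2-api-2.16.0.jar.sig.bak
    if ($Name -match 'log4j-(?:1\.2-)?(?:api|core)-(\d+\.\d+\.\d+)\.jar') {
        return [version]$Matches[1]
    }
    return $null
}

function Get-Log4jStatus([string]$RelativePath) {
    # Folder classification taken from the file-location table in the article.
    switch -Wildcard ($RelativePath) {
        'Server\*'    { 'Under Server\: do not delete or rename (ePO/Tomcat breaks)'; break }
        'Updates\*'   { 'Unused package copy: deletable, but Update tool rollback/repair may fail'; break }
        'Installer\*' { 'Unused package copy: deletable, but ePO repair may fail'; break }
        'Updater\*'   { 'Unused package copy in Agent Handler Updater folder: deletable'; break }
        default       { 'Not covered by the article: review before touching' }
    }
}

$Root = $Root.TrimEnd('\')
$report = Get-ChildItem -Path $Root -Recurse -File -Filter 'log4j-*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rel   = $_.FullName.Substring($Root.Length + 1)
        $isBak = $_.Name -like '*.bak'
        [pscustomobject]@{
            RelativePath = $rel
            Version      = Get-Log4jVersion $_.Name
            IsBackup     = $isBak
            Status       = if ($isBak) { 'Hotfix backup (never loaded): safe to delete after Update 12' }
                           else        { Get-Log4jStatus $rel }
        }
    }

$report | Sort-Object RelativePath | Format-Table -AutoSize

# Exposure is decided only by the log4j-core copy Tomcat actually loads.
$loadedCore = @($report | Where-Object { -not $_.IsBackup -and $_.RelativePath -like 'Server\lib\log4j-core-*' })
$patched = ($loadedCore.Count -gt 0) -and
           (@($loadedCore | Where-Object { $null -eq $_.Version -or $_.Version -lt $Fixed }).Count -eq 0)
if ($patched) { "OK: Server\lib carries log4j-core $($loadedCore[0].Version) (>= $Fixed)" }
else          { "ACTION: Server\lib log4j-core is missing or below $Fixed; apply ePO 5.10 Update 12" }

# Only touch the hotfix backups once the live copy is at the fixed level.
$leftovers = @($report | Where-Object { $HotfixBackups -contains (Split-Path $_.RelativePath -Leaf) })
if ($leftovers.Count -gt 0 -and $patched) {
    foreach ($b in $leftovers) {
        Remove-Item -LiteralPath (Join-Path $Root $b.RelativePath) -WhatIf:(-not $RemoveBackups)
    }
} elseif ($leftovers.Count -gt 0) {
    "Leaving $($leftovers.Count) hotfix backup file(s) in place until Update 12 is applied"
}
```

Run it from an elevated PowerShell prompt on the ePO server, or point -Root at an Agent Handler install directory to inventory the handler's Updater folder. Without -RemoveBackups it only reports and shows what Remove-Item would do; it never touches anything under Server\ other than the named .bak files, and it refuses to delete even those while the loaded log4j-core is below 2.17.1.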
Do I need to remove the previously published mitigation instructions that were documented in SB10377 for ePO before or after applying ePO 5.10 Update 12?
No. The mitigation instructions for ePO can be left in place; they have no negative impact on ePO. If you want to remove them, the instructions for doing so are documented in
SB10377 - McAfee Enterprise products' status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105).
Do CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105 apply to ePO 5.10 Update 10 or earlier? If not, why?
None of the CVEs apply to ePO 5.10 Update 10 or earlier. CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 only affect log4j 2.x, while ePO 5.10 Update 10 and earlier use log4j 1.2. CVE-2021-4104 does affect log4j 1.2, but only when the JMSAppender is configured, and ePO doesn't use the JMSAppender.