Arbit Data Diode CVE-2021-44228

2021-12-15 13:30(CET), Information about Arbit Data Diode CVE-2021-44228 vulnerability.

Updated 2021-12-15 16:50(CET), More details on mitigation.

Updated 2021-12-16 09:30(CET), Information on upgrades available for CentOS/Red Hat 7 and Red Hat 8 in Upgrades. Upgrades for Ubuntu 18 are pending.

Updated 2021-12-21 11:00(CET), Information on upgrades available for Ubuntu 18 in Upgrades.

Arbit Data Diode log4j vulnerability

Along with the rest of the IT industry, Arbit was notified of the exploitation of a previously unknown zero-day vulnerability in a common Java-based component, log4j (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). Since then Arbit has been reviewing its software portfolio to see whether this vulnerability could affect Arbit software. The vulnerable version of log4j is indeed used in a newly released Arbit Data Diode software component (pitcher/catcher-configrestapi), and until an upgrade is available, affected customers are advised to take the mitigating steps described below:

Determine if the vulnerable component is installed

Determine if the vulnerable component is installed on pitcher/catcher facing the internet:

Ubuntu 16

Ubuntu 16 based Arbit Data Diode is not affected

Ubuntu 18

Ubuntu 18 based Arbit Data Diode may be affected if catcher-configrestapi ≤ 0.2.0 or pitcher-configrestapi ≤ 0.2.0 is installed

>dpkg-query -l | grep configrestapi

CentOS 7/Red Hat 7

CentOS 7/Red Hat 7 based Arbit Data Diode may be affected if catcher-configrestapi ≤ 0.1.8 or pitcher-configrestapi ≤ 0.2.3 is installed

>rpm -qa | grep configrestapi

Red Hat 8

Red Hat 8 based Arbit Data Diode may be affected if catcher-configrestapi ≤ 0.1.3 or pitcher-configrestapi ≤ 0.1.6 is installed

>rpm -qa | grep configrestapi

Mitigate vulnerability

>cd /usr/share/add-configrestapi/WEB-INF/lib

>sudo zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

CentOS/Red Hat 7

>sudo systemctl restart tomcat

Ubuntu 18/Red Hat 8

>sudo systemctl restart tomcat9
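The detection and mitigation steps above, as an added shell example that is not Arbit's own tooling: it classifies an installed configrestapi package version against the thresholds listed in this advisory (the platform keys ubuntu18/rhel7/rhel8 are this script's assumption) and checks whether the log4j-core jar still contains JndiLookup.class, so the result of the zip -d step can be verified before restarting Tomcat.

```shell
#!/bin/sh
# Added example, not Arbit's own tooling. Package names, version thresholds
# and the jar path come from the advisory; the platform keys
# ubuntu18/rhel7/rhel8 are an assumption of this script.

# version_le A B: exit 0 if dotted version A <= B, comparing numerically.
version_le() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}
# affected PLATFORM PKG VERSION: exit 0 if the advisory lists PKG at VERSION
# as potentially vulnerable on PLATFORM (Ubuntu 16 / unknown packages: never).
affected() {
    case "$1/$2" in
        ubuntu18/catcher-configrestapi) max=0.2.0 ;;
        ubuntu18/pitcher-configrestapi) max=0.2.0 ;;
        rhel7/catcher-configrestapi)    max=0.1.8 ;;
        rhel7/pitcher-configrestapi)    max=0.2.3 ;;
        rhel8/catcher-configrestapi)    max=0.1.3 ;;
        rhel8/pitcher-configrestapi)    max=0.1.6 ;;
        *) return 1 ;;
    esac
    version_le "$3" "$max"
}
# jar_has_jndilookup JAR: exit 0 if the lookup class is still inside the jar,
# i.e. the zip -d mitigation has not been applied yet (needs unzip).
jar_has_jndilookup() {
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}
# scan PLATFORM: query dpkg (Ubuntu) or rpm, print a verdict per package,
# then report any log4j-core jar that still carries the lookup class.
scan() {
    if [ "$1" = ubuntu18 ]; then
        dpkg-query -W -f '${Package} ${Version}\n' '*configrestapi*' 2>/dev/null
    else
        rpm -qa --qf '%{NAME} %{VERSION}\n' '*configrestapi*' 2>/dev/null
    fi | while read -r pkg ver; do
        affected "$1" "$pkg" "$ver" && echo "$pkg $ver: AFFECTED" || echo "$pkg $ver: not affected"
    done
    for jar in /usr/share/add-configrestapi/WEB-INF/lib/log4j-core-*.jar; do
        [ -f "$jar" ] && jar_has_jndilookup "$jar" && echo "$jar: JndiLookup.class still present"
    done
}
case "${1:-}" in ubuntu18|rhel7|rhel8) scan "$1" ;; esac
```

Run as `sh check.sh rhel7` (or ubuntu18 / rhel8) on the pitcher and catcher; an empty jar report after the zip -d step means the class has been removed and the Tomcat restart can proceed.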

Upgrades

CentOS/Red Hat 7

An upgrade for CentOS/Red Hat 7 that fixes the vulnerability is now available. See Arbit Data Diode for CentOS 7 for instructions. Note: you'll need your license number and password to access the updates and instructions.

Pitcher: pitcher-configrestapi-0.2.5.rpm

Catcher: catcher-configrestapi-0.2.0.rpm

Red Hat 8

An upgrade for Red Hat 8 that fixes the vulnerability is now available. See Arbit Data Diode for RedHat 8 for instructions. Note: you'll need your license number and password to access the updates and instructions.

Pitcher: pitcher-configrestapi-0.1.7.rpm

Catcher: catcher-configrestapi-0.1.4.rpm

Ubuntu 18

An upgrade for Ubuntu 18 that fixes the vulnerability is now available. See Arbit Data Diode for Ubuntu for instructions. Note: you'll need your license number and password to access the updates and instructions.

Pitcher: pitcher-configrestapi-0.2.1.deb

Catcher: catcher-configrestapi-0.2.1.deb