Download a scanner (such as logpresso) from https://github.com/logpresso/CVE-2021-44228-Scanner.
Warning: Use this utility only to scan for vulnerabilities. DO NOT use it to fix anything in the system.

Caution: After installing the SMU, ensure that the DCNM Web UI is up and running. Also, ensure that all the processes are up and running by using the appmgr status all command. Ensure that Applications > Compute shows all nodes in the Joined state.
Before running the scan again, clear the old docker images that are no longer used. If docker ps -a shows many containers in the Exited state, first run the following:
docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Deleted Containers:
Total reclaimed space: 155.4MB
If there are no containers in the Exited state, you can directly run docker image prune -a to clean up the old images, as follows:
docker image prune -a
WARNING! This will remove all images without at least one container associated to them.
Are you sure you want to continue? [y/N] y
Deleted Images:
untagged: 127.0.0.1:5001/eplui:2.1
untagged: 127.0.0.1:5001/elasticservice:1.1
untagged: dcnmelastic:6.8.3_11.4.1
untagged: kibana:2.0
untagged: watchtower:2.1
untagged: compliance:4.0.0
Total reclaimed space: 794.1MB
After that, the log4j scanner tool can be run. A sample post-patch run output is depicted below:
CLI snap of a sample result - CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)
[root@dcnm]# ./log4j2-scan /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)
Scanning directory: /, ./log4j2-scan, / (without devtmpfs, tmpfs, shm)
Running scan (10s): scanned 4653 directories, 41925 files, last visit: /usr/local/cisco/dcm/fm/download
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/sandeployments/dcm.ear (lib/log4j-core-2.16.0.jar), log4j 2.16.0
Running scan (26s): scanned 6980 directories, 62226 files, last visit: /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/sandeployments
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/tmp/vfs/deployment/deploymentb8b48c896c390adc/log4j-core-2.16.0.jar-f0e6535d462979bf/log4j-core-2.16.0.jar, log4j 2.16.0
Running scan (36s): scanned 9856 directories, 90359 files, last visit: /usr/local/cisco/dcm/wildfly-14.0.1.Final/modules/system/layers/base/org/infinispan/main
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /root/packaged-files/pmn/pmn-telemetry.jar, log4j 2.16.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /root/patch-11.4.1-p2.backup/dcm.ear (lib/log4j-core-2.8.2.jar), log4j 2.8.2
Running scan (52s): scanned 24714 directories, 141807 files, last visit: /root/patch-11.4.1-p2.backup
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /tmp/.inline-upgrade.16121/fmserver-patch/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /tmp/.inline-upgrade.16121/fmserver-patch/dcm.ear (lib/log4j-core-2.16.0.jar), log4j 2.16.0
Running scan (62s): scanned 30813 directories, 183000 files, last visit: /usr/share/elasticsearch/modules/lang-groovy
Running scan (72s): scanned 34709 directories, 216946 files, last visit: /usr/local/cisco/dcm/smis/client/lib
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/sandeployments/dcm.ear (lib/log4j-core-2.16.0.jar), log4j 2.16.0
Running scan (88s): scanned 36975 directories, 231284 files, last visit: /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/sandeployments
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/tmp/vfs/deployment/deploymentb8b48c896c390adc/log4j-core-2.16.0.jar-f0e6535d462979bf/log4j-core-2.16.0.jar, log4j 2.16.0
Running scan (98s): scanned 39835 directories, 259398 files, last visit: /usr/local/cisco/dcm/wildfly-14.0.1.Final/modules/system/layers/base/org/bouncycastle/main
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /root/packaged-files/pmn/pmn-telemetry.jar, log4j 2.16.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /root/patch-11.4.1-p2.backup/dcm.ear (lib/log4j-core-2.8.2.jar), log4j 2.8.2
Running scan (114s): scanned 54709 directories, 310865 files, last visit: /root/patch-11.4.1-p2.backup
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /tmp/.inline-upgrade.16121/fmserver-patch/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /tmp/.inline-upgrade.16121/fmserver-patch/dcm.ear (lib/log4j-core-2.16.0.jar), log4j 2.16.0
Scanned 59990 directories and 338115 files
Found 12 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 124.16 seconds
Note: Installing the SMU on Cisco DCNM addresses CVE-2021-44228 and CVE-2021-45046. CVE-2021-45105 is of lower severity and refers to an issue with a configuration that is not used in Cisco DCNM with the default shipping configuration; therefore, CVE-2021-45105 is not addressed by this SMU installation.
The backup contains the original, unaltered files, which are still vulnerable. They are not used, but are retained as a reference. If you choose to delete them, no functionality will be impacted. There are a few files that are inside container filesystem layers. These files record the changes to the container filesystems and are not a concern as long as they do not appear in the "merged" container filesystem. These files are not available to processes at run time. There are no vulnerable files in the merged resultant container filesystems.
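To triage a scanner report along the lines the notes above describe (CVEs the SMU addresses versus CVE-2021-45105, live paths versus the retained patch backup), here is an added Python example; it is not part of the Cisco documentation or of the Logpresso tool. The backup-directory prefix, the bucket names and the /opt/example line are assumptions or constructed sample data, and the parser de-duplicates because the sample run above reports each path twice.

```python
import re

# Constructed sample in the line format the Logpresso scanner prints (same shape as the
# page's sample run); the /opt/example line is invented to exercise the "action" bucket.
SAMPLE_OUTPUT = """\
Running scan (10s): scanned 4653 directories, 41925 files, last visit: /usr/local/cisco/dcm/fm/download
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /usr/local/cisco/dcm/wildfly-14.0.1.Final/standalone/sandeployments/dcm.ear (lib/log4j-core-2.16.0.jar), log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /root/packaged-files/pmn/pmn-telemetry.jar, log4j 2.16.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /root/patch-11.4.1-p2.backup/dcm.ear (lib/log4j-core-2.8.2.jar), log4j 2.8.2
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /root/patch-11.4.1-p2.backup/dcm.ear (lib/log4j-core-2.8.2.jar), log4j 2.8.2
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /opt/example/app.ear (lib/log4j-core-2.14.1.jar), log4j 2.14.1
Found 5 vulnerable files
"""

FINDING_RE = re.compile(
    r"^\[\*\] Found (?P<cve>CVE-\d{4}-\d+) \(log4j 2\.x\) vulnerability in "
    r"(?P<path>.+?)(?: \((?P<inner>[^)]+)\))?, log4j (?P<version>\S+)$"
)

# CVEs the SMU addresses, per the page's note; CVE-2021-45105 is reported but not addressed.
ADDRESSED_BY_SMU = {"CVE-2021-44228", "CVE-2021-45046"}
# Assumed prefix of the patch backup directory the page describes as retained but unused.
UNUSED_PREFIXES = ("/root/patch-",)


def parse_findings(text):
    """Return unique (cve, path, inner, version) tuples; the scanner may list a file twice."""
    seen, findings = set(), []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m and (m["cve"], m["path"], m["inner"]) not in seen:
            seen.add((m["cve"], m["path"], m["inner"]))
            findings.append((m["cve"], m["path"], m["inner"], m["version"]))
    return findings


def triage(findings):
    """Sort findings into: action (SMU-addressed CVE outside the backup), backup, informational."""
    buckets = {"action": [], "backup": [], "informational": []}
    for cve, path, _inner, _version in findings:
        if path.startswith(UNUSED_PREFIXES):
            buckets["backup"].append((cve, path))  # retained reference copy, not used at run time
        elif cve in ADDRESSED_BY_SMU:
            buckets["action"].append((cve, path))  # SMU should have fixed this: validate the install
        else:
            buckets["informational"].append((cve, path))  # e.g. CVE-2021-45105, out of SMU scope
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_findings(SAMPLE_OUTPUT)).items():
        print(bucket, len(items), *[f"\n  {cve} {path}" for cve, path in items])
```

Feed the real scanner output in place of SAMPLE_OUTPUT; a non-empty "action" bucket after the SMU is the case where the page recommends validating the installation.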
This SMU installation is supported with Release 11.5(1), 11.5(2), and 11.5(3) for your deployment. Refer to Upgrading DCNM Release 11.5(x) from Previous Versions for instructions to install the SMU on other DCNM releases. You can upgrade to DCNM Releases through multiple hops from Release 11.0 or later. The log4j2 scanner flags a few stale docker/overlay related file system issues. Ensure that you validate the SMU installation. For more information, see Validating of SMU Installation.
Note: After a DCNM HA failover, the log4j2 scan may show some vulnerabilities. This is due to the old docker image package bundle on the Standby server, which is not available for use at run time by any process. If the CVE reports are still seen, execute the docker image prune -a command. This clears the stale entries on the Standby node. After clearing the stale entries, there will be no issues during further DCNM HA failovers. If the scan report still shows some CVE errors, we recommend that you contact Cisco TAC.