CVE-2021-44228 and CVE-2021-45046 Mitigation Steps for Customers Unable to Upgrade

December 21, 2021:

Patch releases to mitigate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 are available (See https://www.goanywhere.com/support/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps). The GoAnywhere security team strongly advises customers to upgrade to the patches provided.

For those customers who are unable to upgrade, Fortra is not able to guarantee full mitigation for CVE-2021-45105, as the removal of the JNDI lookup class is not a mitigation for CVE-2021-45105. The GoAnywhere Security team strongly advises making all the configuration changes detailed on this page in the product specific sections below. Customers should also follow these additional recommendations:

  • Set the following system property within your GoAnywhere products: log4j2.formatMsgNoLookups=true
    • Apache noted in CVE-2021-45046 that there are attack vectors not prevented by the system property. However, the system property helps reduce the attack surface.
    • NOTE: The system property is not available for GoAnywhere MFT versions less than 5.7.0. Customers on these older versions must upgrade to 5.7.0 or greater to make use of this system property.
  • Verify that the log4j2.xml configuration files located in the /config folder of your GoAnywhere products do not contain the vulnerable lookup pattern ${ctx:
    Note: The vulnerable lookup pattern is not included in the default logging configurations for GoAnywhere products.
    • Customers who previously manually updated their Log4j configuration files are advised to:
      • Replace occurrences of ${ctx: with %X. For example, ${ctx:example} should be replaced with %X{example}.
      • Restart the affected GoAnywhere product after making changes.
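As an added example (not part of the advisory and not GoAnywhere code), the script below performs the log4j2.xml check described above: it lists every ${ctx: lookup in a configuration file and applies the ${ctx:KEY} to %X{KEY} replacement. It assumes the layouts use the plain-key form; anything else between the braces (for example a Log4j ':-default' suffix) is reported for manual review rather than rewritten. The sample configuration is constructed for the example.

```python
from __future__ import annotations

import re
from pathlib import Path

# The vulnerable lookup form the advisory says to remove: ${ctx:KEY}.
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]*)\}")
# Only a plain key is rewritten automatically; anything else between the braces
# (for example a ':-default' suffix) is reported for manual review instead of guessed at.
PLAIN_KEY = re.compile(r"^[A-Za-z0-9_.\-]+$")

def find_ctx_lookups(config_text: str) -> list[str]:
    """Every ${ctx:...} occurrence in a log4j2.xml, in document order."""
    return [m.group(0) for m in CTX_LOOKUP.finditer(config_text)]

def rewrite_ctx_lookups(config_text: str) -> tuple[str, list[str]]:
    """Replace ${ctx:KEY} with %X{KEY} as the advisory recommends.

    Returns the rewritten text plus the occurrences left untouched because
    they are not a plain key and need a human decision.
    """
    skipped: list[str] = []

    def _sub(m: re.Match) -> str:
        key = m.group(1)
        if PLAIN_KEY.match(key):
            return "%X{" + key + "}"
        skipped.append(m.group(0))
        return m.group(0)

    return CTX_LOOKUP.sub(_sub, config_text), skipped

def check_config_file(path: Path, fix: bool = False) -> list[str]:
    """Scan one config file and optionally rewrite it in place; returns the lookups found."""
    text = path.read_text(encoding="utf-8")
    found = find_ctx_lookups(text)
    if found and fix:
        path.write_text(rewrite_ctx_lookups(text)[0], encoding="utf-8")
    return found

# Constructed sample of a manually edited PatternLayout (not a GoAnywhere default config).
SAMPLE_CONFIG = '<PatternLayout pattern="%d %p ${ctx:sessionId} ${ctx:user:-anon} %m%n"/>\n'

if __name__ == "__main__":
    fixed, needs_review = rewrite_ctx_lookups(SAMPLE_CONFIG)
    print(fixed)
    print("needs manual review:", needs_review)
```

Run it with fix=True against each log4j2.xml under the /config folder, then restart the product as the advisory requires.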

The steps detailed on this page are merely configuration changes to help reduce the risk of exploitation and should not be considered a complete mitigation against CVE-2021-45105. The GoAnywhere patch releases provide the only full mitigation against CVE-2021-45105.

GoAnywhere MFT

Patch releases to mitigate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 are available for GoAnywhere MFT and GoAnywhere Gateway (See https://www.goanywhere.com/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps). The GoAnywhere security team strongly advises customers to upgrade to the patches provided.

For those customers unable to upgrade, GoAnywhere products can be mitigated by performing the following steps:

1. Request a modified log4j-core jar from Support.

2. Verify you have the appropriate modified jar:

  • The org/apache/logging/log4j/core/lookup/JndiLookup.class has been removed according to the instructions provided by Apache Log4j to mitigate CVE-2021-44228 and CVE-2021-45046.
  • The following product versions require specific modified log4j-core jars. Be sure to verify you are applying the appropriate log4j-core version:

    Product versions                  Modified jar
    GoAnywhere MFT 6.6.0 to 6.8.5     log4j-core 2.13.3.jar
    GoAnywhere MFT 5.7.0 to 6.5.3     log4j-core 2.10.0.jar
    GoAnywhere MFT 5.3.0 to 5.6.5     log4j-core 2.5.jar

3. Replace your existing log4j-core jar with the modified jar.

  • Find the existing log4j-core jar within the lib folder in your product’s installation directory.
  • Back up the existing jar but be sure to save the backup outside of the lib folder.
  • It is important to delete the existing jar and add the new jar using the exact same name. Failure to do so may cause vulnerable code to remain in your instance or to be reintroduced upon upgrade.

 

4. Restart your instance to make the new jar take effect.

GoAnywhere Gateway

Patch releases to mitigate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 are available (See https://www.goanywhere.com/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps). The GoAnywhere security team strongly advises customers to upgrade to the patches provided.

For those customers unable to upgrade, GoAnywhere products can be mitigated by performing the following steps:

1. Request a modified log4j-core jar from Support.

2. Verify you have the appropriate modified jar:

  • The org/apache/logging/log4j/core/lookup/JndiLookup.class has been removed according to the instructions provided by Apache Log4j to mitigate CVE-2021-44228 and CVE-2021-45046.
  • The following product versions require specific modified log4j-core jars. Be sure to verify you are applying the appropriate log4j-core version:

    Product versions                      Modified jar
    GoAnywhere Gateway 2.8.2 to 2.8.3     log4j-core 2.14.0.jar
    GoAnywhere Gateway 2.7.0 to 2.8.1     log4j-core 2.10.0.jar

3. Replace your existing log4j-core jar with the modified jar.

  • Find the existing log4j-core jar within the lib folder in your product’s installation directory.
  • Back up the existing jar but be sure to save the backup outside of the lib folder.
  • It is important to delete the existing jar and add the new jar using the exact same name. Failure to do so may cause vulnerable code to remain in your instance or to be reintroduced upon upgrade.

4. Restart your instance to make the new jar take effect.

GoAnywhere Agents

Patch releases to mitigate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 are available (See https://www.goanywhere.com/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps). The GoAnywhere security team strongly advises customers to upgrade to the patches provided.

1. Request a modified log4j-core jar from Support.

2. Verify you have the appropriate modified jar:

  • The org/apache/logging/log4j/core/lookup/JndiLookup.class has been removed according to the instructions provided by Apache Log4j to mitigate CVE-2021-44228 and CVE-2021-45046.
  • The following product versions require specific modified log4j-core jars. Be sure to verify you are applying the appropriate log4j-core version:

    Product versions                    Modified jar
    GoAnywhere Agent 1.4.2 to 1.6.3     log4j-core 2.13.3.jar

3. Replace your existing log4j-core jar with the modified jar.

  • Find the existing log4j-core jar within the bundles folder in your product’s installation directory.
  • Back up the existing jar but be sure to save the backup outside of the bundles folder.
  • It is important to delete the existing jar and add the new jar using the exact same name. Failure to do so may cause vulnerable code to remain in your instance or to be reintroduced upon upgrade.

4. Restart your instance to make the new jar take effect.

  • Make sure to restart your Agent locally. Restarting the Agent from the GoAnywhere MFT Admin Console may not trigger a reload of the log4j-core jar.
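As an added example covering the jar replacement steps in the GoAnywhere MFT, GoAnywhere Gateway and GoAnywhere Agents sections (not part of the advisory and not Fortra's code), the script below checks one installation's lib (or, for Agents, bundles) folder: it confirms that exactly one log4j-core jar is present, that its version is the one the tables above list for the product version, and that JndiLookup.class is no longer inside it. The version table is transcribed from the sections above; the jar filename pattern log4j-core-<version>.jar is an assumption, and the sample jar is constructed for the example.

```python
from __future__ import annotations
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core[-_ ]?(\d+(?:\.\d+)*)\.jar$")  # assumed naming
# (lowest version, highest version, required log4j-core version) per product,
# transcribed from the version tables in the MFT, Gateway and Agent sections.
REQUIRED_JAR_VERSION = {
    "GoAnywhere MFT": [("6.6.0", "6.8.5", "2.13.3"), ("5.7.0", "6.5.3", "2.10.0"), ("5.3.0", "5.6.5", "2.5")],
    "GoAnywhere Gateway": [("2.8.2", "2.8.3", "2.14.0"), ("2.7.0", "2.8.1", "2.10.0")],
    "GoAnywhere Agent": [("1.4.2", "1.6.3", "2.13.3")],
}

def _v(version: str) -> tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))  # '6.8.5' -> (6, 8, 5), numeric compare

def required_jar_version(product: str, product_version: str) -> str | None:
    """The modified log4j-core version the tables list for this product version, if any."""
    return next((jar for lo, hi, jar in REQUIRED_JAR_VERSION.get(product, [])
                 if _v(lo) <= _v(product_version) <= _v(hi)), None)

def jar_contains_jndi_lookup(jar_path: Path) -> bool:
    """True if JndiLookup.class is still in the jar, i.e. the modified jar is not in place."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()

def check_install(product: str, product_version: str, jar_dir: Path) -> list[str]:
    """Findings for one install's lib (or Agent bundles) folder; an empty list means it passes."""
    jars = [p for p in jar_dir.iterdir() if JAR_NAME.match(p.name)]
    if len(jars) != 1:  # a leftover backup in the folder is itself a finding
        return [f"expected exactly one log4j-core jar in {jar_dir}, found {len(jars)}"]
    jar, expected = jars[0], required_jar_version(product, product_version)
    findings = []
    if expected is None:
        findings.append(f"{product} {product_version} is not listed in the advisory tables")
    elif JAR_NAME.match(jar.name).group(1) != expected:
        findings.append(f"{jar.name} is not the required log4j-core {expected} jar")
    if jar_contains_jndi_lookup(jar):
        findings.append(f"{jar.name} still contains {JNDI_LOOKUP_CLASS}")
    return findings

def make_sample_jar(path: Path, with_jndi_lookup: bool) -> Path:
    """Constructed stand-in jar (not a real log4j-core) so the checks can run offline."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return path
```

Re-run check_install after every product upgrade as well, since an upgrade may reintroduce the original jar.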