Applying the CDF 2021.05 log4j Hotfix

Some deployments of, and upgrades to, CDF 2021.05 (arcsight-platform-installer-22.1.x.x.zip) require a hotfix to remediate the log4j vulnerabilities discovered in 2021. The hotfix upgrades IDM for CDF to log4j 2.17.1, which closes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. Apply the hotfix after the upgrade has completed.

The hotfix applies to manual on-premises deployments and upgrades and to AWS and Azure deployment upgrades, which are the cases covered by the procedure below.

The hotfix does NOT need to be applied by hand to on-premises installations or upgrades performed automatically using the ArcSight Installer, because the installer applies the hotfix itself. For such installations or upgrades, this procedure can be skipped.

Hotfix File

The hotfix file is named arcsight-idm-hf-22.1.0-2.zip.

  1. Get the file:

    • For a manual on-premises deployment/upgrade, the hotfix is bundled in /<download_folder>/arcsight-platform-installer-22.1.x.x/installers/hotfix.

    • For an AWS or Azure deployment upgrade, obtain the file from the on-premises installation file directory at /<download_folder>/arcsight-platform-installer-22.1.x.x/installers/hotfix.

  2. Copy the file:

    • For manual on-premises, copy the file to your master node.

    • For AWS, copy the file to your bastion.

    • For Azure, copy the file to your jump host.

  3. Unzip the hotfix file. In the unzipped folder, run the following command, passing your environment type to the '-e' argument (one of onprem, azure, aws), to apply the latest image:

# ./hotfix.sh -e <YOUR_ENV>

Verifying the Hotfix

  1. Check the pod status by running the following command. The idm pod should show STATUS Running and READY 2/2.

# kubectl get pods -A | grep idm

  2. Check the image version by running the following command.

# kubectl get deployment/itom-idm -n core -o yaml | grep itom-idm:1.32.1-343

It should display as below:

image: <image-registry-url>/<org-name>/itom-idm:1.32.1-343
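The two checks above are easy to eyeball once, but after a fleet-wide rollout it helps to have them scripted so a non-zero exit status flags any node where the hotfix did not land. The script below is an added example, not part of the original hotfix notes or of the hotfix itself: it reads captured kubectl output on stdin so it can be exercised offline against the constructed sample output embedded in it, and the `--live` switch runs the real commands. The registry URL, org name and pod name in the samples are placeholders; the expected image tag is the one the notes state.

```shell
#!/bin/sh
# Added example (not the hotfix's own code): script the two post-hotfix
# checks so that either failing yields a non-zero exit status.

# Image tag the hotfix is expected to deploy (taken from the notes above).
EXPECTED_TAG="itom-idm:1.32.1-343"

# check_idm_pod: succeeds only if an idm pod line shows READY 2/2 and
# STATUS Running. Input on stdin: `kubectl get pods -A` output, whose
# columns are NAMESPACE NAME READY STATUS RESTARTS AGE.
check_idm_pod() {
    awk 'NR > 1 && $2 ~ /idm/ && $3 == "2/2" && $4 == "Running" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# check_idm_image: succeeds only if a container image in the deployment
# ends in "/<EXPECTED_TAG>", i.e. an exact tag match rather than the
# prefix match a plain grep would give. Input on stdin:
# `kubectl get deployment/itom-idm -n core -o yaml` output.
check_idm_image() {
    awk -v want="/$EXPECTED_TAG" '
        { img = ""
          for (i = 1; i < NF; i++) if ($i == "image:") img = $(i + 1)
          if (img != "" && substr(img, length(img) - length(want) + 1) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_hotfix: run both checks against the live cluster.
verify_hotfix() {
    kubectl get pods -A | check_idm_pod \
        || { echo "FAIL: idm pod is not Running 2/2" >&2; return 1; }
    kubectl get deployment/itom-idm -n core -o yaml | check_idm_image \
        || { echo "FAIL: itom-idm image is not $EXPECTED_TAG" >&2; return 1; }
    echo "OK: itom-idm is $EXPECTED_TAG and Running 2/2"
}

# Constructed sample outputs for offline use (placeholder registry, org
# and pod names, not values from a real cluster).
SAMPLE_PODS_OK='NAMESPACE   NAME                        READY   STATUS    RESTARTS   AGE
core        itom-idm-7c9d8f6b5-x2k4q   2/2     Running   0          4m'
SAMPLE_PODS_BAD='NAMESPACE   NAME                        READY   STATUS             RESTARTS   AGE
core        itom-idm-7c9d8f6b5-x2k4q   1/2     CrashLoopBackOff   3          4m'
SAMPLE_DEPLOY_OK='      containers:
      - image: registry.example.com/example-org/itom-idm:1.32.1-343
        name: itom-idm'
SAMPLE_DEPLOY_OLD='      containers:
      - image: registry.example.com/example-org/itom-idm:1.31.0-120
        name: itom-idm'

# Only talk to a cluster when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    verify_hotfix
fi
```

Run it as `sh verify-idm-hotfix.sh --live` on the master node (or bastion/jump host) after `hotfix.sh` finishes; without `--live` it only defines the functions, which is what allows the samples above to be piped through `check_idm_pod` and `check_idm_image` for a dry run.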

Rolling Back to the Previous Version

To roll back itom-idm to the previous version, run the following rollback commands, which delete the current deployment and recreate it from the saved manifest /tmp/cdf-itom-idm.yaml:

# kubectl delete -f /tmp/cdf-itom-idm.yaml
# kubectl create -f /tmp/cdf-itom-idm.yaml