A new security flaw, known as ‘Log4Shell’, is a critical vulnerability affecting millions of applications and devices across the globe. Log4Shell is a software vulnerability in Apache Log4j, a popular Java library for logging error messages in applications. The vulnerability, initially published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j.
NComputing strongly recommends that customers update to the latest PMC 2.9.4 version, or apply the corresponding PMC security patch update if PMC 2.7.0 or PMC 2.9.0 is already deployed.
PMC 2.9.4 and the PMC security patches for PMC 2.7.0 and PMC 2.9.0 address the following ‘Log4Shell’ vulnerabilities:
- CVE-2021-44832 (new security patch included in 2.9.4 release - based on latest Apache security update released on Dec. 28, 2021)
- CVE-2021-45105 (existing security patch carried over from previous 2.9.3 release)
- CVE-2021-45046 (existing security patch carried over from previous 2.9.3 release)
- CVE-2021-44228 (existing security patch carried over from previous 2.9.3 release)
If you are planning a new PMC deployment, please use PMC version 2.9.4 or higher, which is available in the NComputing Management Portal (link here) or on Azure Marketplace (link here).
If you already have PMC 2.7.0 or PMC 2.9.0 deployed, please follow this KB article to apply PMC security patches to upgrade to PMC 2.7.1 and PMC 2.9.4, respectively:
Link to PMC 2.7.1 security patch for PMC 2.7.0:
Link to PMC 2.9.4 security patch for PMC 2.9.0:
https://fpesek.s3.us-west-1.amazonaws.com/CVE-2021-44832-2.9.0-to-2.9.4%2Bssh-patch.zip
Follow the procedure below to apply the PMC security patch update to your existing PMC 2.7.0 or 2.9.0 deployment:
1. (Optional, but recommended) Make a snapshot of the PMC VM.
2. Connect to PMC with SSH (e.g. PuTTY) and log on as the ‘root’ user. If you did not change the ‘root’ user password according to the suggestion from PMC Release Notes, then the default ‘root’ user password is ‘pmcadmin’.
3. Change the directory to ‘/tmp’ and create the ‘patch’ folder there. Then change the directory to the newly created one:
4. Use SCP (e.g. WinSCP) to copy the zipped patch file (‘CVE-2021-44832-2.7.0-to-2.7.1+ssh-patch.zip’ or ‘CVE-2021-44832-2.9.0-to-2.9.4+ssh-patch.zip’) to the ‘/tmp/patch’ folder on the PMC server.
5. In the SSH session, execute the following command to unzip the patch file for PMC 2.7.0 or PMC 2.9.0, respectively:
unzip -j CVE-2021-44832-2.7.0-to-2.7.1+ssh-patch.zip
unzip -j CVE-2021-44832-2.9.0-to-2.9.4+ssh-patch.zip
6. In the SSH session, execute the following command to set proper permissions on the patch script:
chmod +x apply-pmc-patch.sh
7. Execute the patch script:
./apply-pmc-patch.sh
8. When asked, type ‘yes’ to confirm that you want to proceed.
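
A post-patch check for the same SSH session, added here as an example and not part of NComputing's patch or KB article: it lists the log4j-core jars on disk and reports which of the four CVEs above each version is still exposed to. The function names and the search root are assumptions, the fixed-in versions are the ones Apache published for the Log4j 2.x mainline, and the advisory does not say which Log4j version the patch installs.

```shell
#!/bin/sh
# Added example (not NComputing's script). Fixed-in versions are those Apache
# published for the Log4j 2.x mainline; the search root is an assumption.

# ver_lt A B: succeed when dotted version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# open_cves VERSION: print the advisory's CVEs that VERSION does not yet fix.
open_cves() {
    case "$1" in
        # 2.3.x and 2.12.x received separate backported fixes; do not guess.
        2.3.*|2.12.*) echo "backport-branch:check-manually"; return ;;
    esac
    out=""
    ver_lt "$1" 2.15.0 && out="$out CVE-2021-44228"
    ver_lt "$1" 2.16.0 && out="$out CVE-2021-45046"
    ver_lt "$1" 2.17.0 && out="$out CVE-2021-45105"
    ver_lt "$1" 2.17.1 && out="$out CVE-2021-44832"
    echo "${out# }"
}

# scan_log4j DIR: report every log4j-core jar found below DIR.
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        v=${jar##*/log4j-core-}; v=${v%.jar}
        open=$(open_cves "$v")
        echo "$jar version=$v open=${open:-none}"
    done
}

# Usage on the PMC VM after step 8 (search root is an assumption):
# scan_log4j /
```

A version match is not proof either way: a patch can also mitigate by removing classes from an unchanged jar, and jars bundled inside other archives are not found by file name.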