Log4j - GoAnywhere Mitigation Steps

December 30, 2021:

The GoAnywhere MFT, Agent and Gateway products do not use the JDBC Appender, and administrators are not provided the ability to configure one through these applications. As long as the configuration file is protected (log4j2.xml) at the system level and no JDBC appenders are configured within the log4j2.xml file, these GoAnywhere products are safe from this vulnerability as described in CVE-2021-44832.

Customers who previously manually updated their Log4j configuration files to contain a JDBC appender are advised to:

  1. Confirm if your team is actively using the configured JDBC appender.
    1. If your team is not using the JDBC appender, please remove the <DBC> tags and all the data contained within them.
    2. If you are using this appender, ensure that java is the only protocol being used within the appender's jndiName configuration.
      1. For example, a jndiName configuration that uses the java protocol will be specified as follows
        <datasource jndiname="java:/comp/env/jdbc/LoggingDataSource" />
  2. Restart the affected GoAnywhere product after making changes.

December 20, 2021:

Regarding CVE-2021-45105, Apache Log4j2 version 2.16 (included in the patch versions below) prevents evaluation of lookup patterns introduced outside of configuration; thus, customers only need to verify that the log4j2.xml configuration files located in the /config folder of their GoAnywhere products do not contain the vulnerable lookup pattern {ctx:. The vulnerable lookup pattern is not included in the default logging configurations for GoAnywhere products.

Customers who previously manually updated their Log4j configuration files are advised to:

  1. Replace occurrences of ${ctx: with %X.
    1. For example, ${ctx:example} should be replaced with %X{example}.
  2. Restart the affected GoAnywhere product after making changes.

The above mitigation requires that customers upgraded to the patches announced December 17.

 

December 17, 2021

In response to CVE-2021-44228 and CVE-2021-45046, the GoAnywhere team has released patches to protect your GoAnywhere products. Fortra highly recommends applying these patches, even if your team previously followed the mitigation steps released on December 11, 2021 for CVE-2021-44228. These patches need to be applied to the GoAnywhere products listed below.

  • Upgrade GoAnywhere MFT version 5.3.0 or later to patch version 6.8.6
    • Versions less than GoAnywhere MFT version 5.3.0 are not affected by CVE-2021-44228 and CVE-2021-45046
  • Upgrade GoAnywhere Gateway version 2.7.0 or later to patch version 2.8.4
    • Versions less than GoAnywhere Gateway version 2.7 0 are not affected by CVE-2021-44228 and CVE-2021-45046
  • GoAnywhere MFT Agents 1.4.2 or later to patch version 1.6.5
    • Versions less than GoAnywhere Agent version 1.4.2 are not affected by CVE-2021-44228 and CVE-2021-45046

These patches are the only mitigation for CVE-2021-44228. These patches are also the only mitigation for CVE-2021-45046 .

Mitigation Steps for GoAnywhere MFT:

In order to mitigate the risk to your GoAnywhere MFT instances, you will need to update these instances to the new patch version, 6.8.6.

  1. Navigate to https://my.goanywhere.com/webclient/Dashboard.xhtml
  2. Select Product Downloads
  3. Select GoAnywhere MFT under Choose Product
  4. Select the appropriate operating system
  5. Select Upgrades to download the GoAnywhere MFT 6.8.6 upgrade guide and upgrade file
  6. Follow the upgrade instructions in the GoAnywhere MFT 6.8.6 upgrade guide to upgrade every one of your GoAnywhere MFT instances.
    Note: If you have a clustered version of MFT, each instance in the cluster will need to be updated
  7. While your instances are down, you can remove the system property that was previously added as a mitigation for CVE-2021-44228
  8. Restart GoAnywhere

If you are unable to apply the GoAnywhere MFT 6.8.6 patch, please visit this page for additional information.

Mitigation Steps for GoAnywhere Gateway:

In order to mitigate the risk to your GoAnywhere Gateway instances, you will need to update these instances to the new patch version, 2.8.4.

  1. Navigate to https://my.goanywhere.com/webclient/Dashboard.xhtml
  2. Select Product Downloads
  3. Select GoAnywhere Gateway under Choose Product
  4. Select the appropriate operating system
  5. Select Upgrades to download the GoAnywhere Gateway 2.8.4 upgrade guide and upgrade file
  6. Follow the upgrade instructions in the GoAnywhere Gateway 2.8.4 upgrade guide to upgrade every one of your GoAnywhere Gateway instances.
    Note: If you have a clustered version of MFT and Gateway, each Gateway instance will need to be updated
  7. While your instances are down, you can remove the system property that was previously added as a mitigation for CVE-2021-44228.
  8. Restart GoAnywhere Gateway

If you are unable to apply the GoAnywhere Gateway 2.8.4 patch, please visit this page for additional information.

Mitigation Steps for GoAnywhere MFT Agents:

In order to mitigate the risk to your GoAnywhere Agents, you will need to update these instances to the new patch version, 1.6.5.

To upgrade Agents directly from the GoAnywhere Software Library:

  1. Within GoAnywhere MFT, navigate to Help --> Software Library
  2. Select Browse Online Catalog
  3. Download the GoAnywhere Agent 1.6.5 upgrader
  4. Click the wheel cog next to the GoAnywhere Agent 1.6.5 upgrader and select Upgrade Agents
  5. Select all Agents you want to upgrade and click the Upgrade button. Note: Fortra highly recommends upgrading ALL Agents.
  6. After your Agents have been successfully upgraded, you can remove the system property that was previously added as a mitigation for CVE-2021-44228.

To get the Agent upgrader through my.goanywhere.com:

  1. Navigate to https://my.goanywhere.com/webclient/Dashboard.xhtml
  2. Select Product Downloads
  3. Select GoAnywhere MFT under Choose Product
  4. Select the appropriate operating system
  5. Select Upgrades to download the GoAnywhere Agent 1.6.5 upgrade file
  6. Within GoAnywhere MFT, navigate to Help --> Software Library
  7. Import the .zip upgrader file into the Software Library
  8. Click the wheel cog next to the GoAnywhere Agent 1.6.5 upgrader and select Upgrade Agents
  9. Select all Agents you want to upgrade and click the Upgrade button. Note: Fortra highly recommends upgrade ALL Agents.
  10. After your Agents have been successfully upgraded, you can remove the system property that was previously added as a mitigation for CVE-2021-44228.

If you are unable to apply the GoAnywhere Agent 1.6.5 patch, please visit this page for additional information.

 

December 11, 2021 - CVE-2021-44228

The GoAnywhere Development Team has issued a mitigation for CVE-2021-44228, which was published by NIST on December 10, 2021. The mitigation steps for the following products are enumerated below. Fortra highly recommends applying this mitigation, regardless of the version of Java running your GoAnywhere products. If the version of Java running any of the products below is less than Java 8u121, Fortra also recommends updating the applicable JRE.

Mitigation Steps for GoAnywhere Open PGP Studio:

As GoAnywhere Open PGP Studio is a standalone application, it is not susceptible to remote attacks. Therefore, our current recommendation is to follow the mitigation steps below. A Log4j2 jar update will be evaluated in the next release.

  1. Within the installation directory, find a file named OpenPGPStudio.vmoptions (or create if it does not already exist)
  2. Within this file, input the following string: 
    -Dlog4j2.formatMsgNoLookups=true
  3. Restart the GoAnywhere Open PGP Studio application

Unaffected Products:

Surveyor/400:

Surveyor/400 does not use a vulnerable version of Apache Log4j2. Thus, no further mitigation steps need be taken at this time.