
Patching DCNM to address the Log4j vulnerability

Today we are going to walk through installing the Cisco DCNM patch (SMU) that addresses the Log4j 2 vulnerabilities CVE-2021-44228 and CVE-2021-45046. As you probably know, Log4j 2, the widely used Java logging library, was found to contain a remote code execution vulnerability.

Log4j 2's message lookup substitution feature expands special ${...} sequences that appear in logged values. When a logged field contains an attacker-supplied string carrying a JNDI lookup, Log4j resolves it, fetches code from a server the attacker controls, and executes it with the privileges of the application's Java process. Because nearly every application logs attacker-influenced data (user agents, usernames, request headers), any field an attacker can get written to a log becomes an injection point. CVE-2021-45046 was assigned when the initial fix in Log4j 2.15.0 turned out to be incomplete in certain non-default configurations, which is why the patch covers both IDs.

Any unauthenticated remote code execution flaw needs to be mitigated as soon as possible, and a network management platform like DCNM, which holds credentials for the switches it manages, is a particularly valuable target. Let's start with the patch installation.

Fig 1.1- DCNM Login Screen

Step 1: First you need to find the SMU file on the Cisco website. Log in with your Cisco credentials and open the link below; the download page lists the software options (ISO, bin, and EXE files).

Cisco Software Central for DCNM 11.5 (1)

This SMU is supported on Releases 11.5(1), 11.5(2), and 11.5(3). Locate the file named "DCNM 11.5(1) to address log4j2 CVE-2021-45046 and CVE-2021-44228" and click the Download icon.

Save the dcnm-va-patch.11.5(1)-p1.iso.zip file to a directory you can find easily when you are ready to apply the SMU. Compare the file's checksum with the one shown on the download page before you upload it to the appliances.

Step 2: Unzip the dcnm-va-patch.11.5(1)-p1.iso.zip file and upload the extracted dcnm-va-patch.11.5(1)-p1.iso to the /root/ folder on both the Active and the Standby node of the DCNM setup.

Step 3: Log on to each Cisco DCNM appliance over SSH as the sysadmin user.

Run the su command to become root on both nodes:
dcnm1# su
Enter the root password: 
[root@dcnm1]#
dcnm2# su
Enter the root password: 
[root@dcnm2]#

Step 4: Run the following command to create a screen session.
[root@dcnm1]# screen
[root@dcnm2]# screen

This creates a detachable session: the commands you run inside it keep running even if the terminal window is closed or your SSH connection drops, which matters because the upgrade script restarts DCNM services. If you do get disconnected, reconnect and run screen -r to reattach.

Install the SMU on the Active node first. Create the mount point /mnt/iso:

[root@dcnm1]# mkdir -p /mnt/iso

From the /root directory on the Active node, mount the DCNM 11.5(1) SMU ISO on /mnt/iso:

[root@dcnm1]# mount -o loop dcnm-va-patch.11.5(1)-p1.iso /mnt/iso

Change to the scripts directory inside the mounted image:

[root@dcnm1]# cd /mnt/iso/packaged-files/scripts/

Run the inline-upgrade.sh script:
[root@dcnm1]# ./inline-upgrade.sh

The progress is displayed on the screen, and a success message appears when the SMU installation is complete. Ensure that all services are up and running on the Active node (appmgr status all) before applying the SMU on the Standby node.

Now install the SMU on the Standby node. Create the mount point /mnt/iso:
[root@dcnm2]# mkdir -p /mnt/iso

From the /root directory on the Standby node, mount the same SMU ISO on /mnt/iso:
[root@dcnm2]# mount -o loop dcnm-va-patch.11.5(1)-p1.iso /mnt/iso

Change to the scripts directory inside the mounted image:
[root@dcnm2]# cd /mnt/iso/packaged-files/scripts/

Run the inline-upgrade.sh script, this time with the --standby flag:
[root@dcnm2]# ./inline-upgrade.sh --standby

The progress is displayed on the screen, and a success message appears when the installation is complete. After the SMU is installed, the DCNM processes restart, which causes a momentary loss of access to the DCNM Web UI.

Ensure the DCNM application is functional by using the appmgr status all command; every service listed should report as running before you consider the upgrade finished.
[root@dcnm2]# appmgr status all

Step 5: Terminate the screen session on each node with the exit command.
[root@dcnm1]# exit
[root@dcnm2]# exit

Step 6: Unmount the dcnm-va-patch.11.5(x)-p1.iso file on both the Active and the Standby node. You must terminate the screen session before unmounting: the shell inside it still has its working directory under /mnt/iso, and umount reports "target is busy" as long as that is the case.
[root@dcnm1]# umount /mnt/iso
[root@dcnm2]# umount /mnt/iso
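As an added example (not Cisco's code and not part of the original post), the script below wraps Steps 4 to 6 for one node in POSIX shell and adds the check the procedure above does not show: after the patch, it scans for log4j-core jars whose version is still below the first release that closes both CVEs described at the top of the page. The DCNM install prefix /usr/local/cisco/dcm, the /root location of the ISO, and the 2.16.0 threshold are assumptions; the scan identifies jars by filename only, so a log4j-core that was renamed or shaded into another jar would not be found.

```sh
#!/bin/sh
# Added example (not Cisco's code): the SMU procedure for one DCNM node as a script,
# plus a post-patch scan for unpatched log4j-core jars.
# Assumptions (not from the original page): DCNM files live under /usr/local/cisco/dcm,
# the ISO was copied to /root, and detection is by jar filename only.

# Minimum log4j-core version that closes both CVEs named on this page (CVE-2021-44228
# and CVE-2021-45046) on Java 8. Later Log4j CVEs raised the bar again; adjust for those.
MIN_FIXED=2.16.0
DCNM_SCAN_DIR=${DCNM_SCAN_DIR:-/usr/local/cisco/dcm}   # assumed DCNM install prefix

# ver_ge A B: true when dotted version A is >= B, compared field by field as integers.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a= || a=${a#*.}
        [ "$bh" = "$b" ] && b= || b=${b#*.}
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
    done
    return 0
}

# log4j_version_from_jar PATH: ".../log4j-core-2.14.1.jar" -> "2.14.1". Qualifiers such
# as "-beta9" are dropped so the numeric comparison above still works.
log4j_version_from_jar() {
    n=$(basename "$1")
    n=${n#log4j-core-}
    n=${n%.jar}
    printf '%s\n' "${n%%-*}"
}

# scan_log4j DIR: one line per log4j-core jar under DIR, prefixed OK or VULNERABLE.
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v=$(log4j_version_from_jar "$jar")
        if ver_ge "$v" "$MIN_FIXED"; then
            printf 'OK         %s  %s\n' "$v" "$jar"
        else
            printf 'VULNERABLE %s  %s\n' "$v" "$jar"
        fi
    done
}

# vulnerable_count DIR: number of log4j-core jars under DIR still below MIN_FIXED.
vulnerable_count() {
    scan_log4j "$1" | grep -c '^VULNERABLE' || true
}

# smu_script_args ROLE: the argument the page passes to inline-upgrade.sh for each node.
smu_script_args() {
    case $1 in
        active)  printf '%s\n' '' ;;
        standby) printf '%s\n' '--standby' ;;
        *)       printf 'unknown DCNM role: %s\n' "$1" >&2; return 1 ;;
    esac
}

# apply_smu ROLE ISO: Steps 4 to 6 of the page for one node. Run it on the Active node
# first, wait until appmgr status all shows the services up, then on the Standby node.
apply_smu() {
    role=$1; iso=$2
    args=$(smu_script_args "$role") || return 1
    [ -f "$iso" ] || { printf 'SMU image not found: %s\n' "$iso" >&2; return 1; }
    # screen exports STY; without it a dropped SSH session kills the upgrade mid-way.
    [ -n "${STY:-}" ] || printf 'warning: not inside a screen session\n' >&2
    mkdir -p /mnt/iso
    mount -o loop "$iso" /mnt/iso || return 1
    # Subshell: the caller's working directory never sits under /mnt/iso, so the umount
    # below cannot fail with "target is busy" the way the page warns about.
    # $args is deliberately unquoted so an empty value expands to no argument at all.
    ( cd /mnt/iso/packaged-files/scripts && ./inline-upgrade.sh $args )
    status=$?
    umount /mnt/iso
    appmgr status all
    return $status
}

# Entry point: DCNM_ROLE=active|standby selects the node; nothing runs when the file is
# only sourced for its functions.
if [ -n "${DCNM_ROLE:-}" ]; then
    apply_smu "$DCNM_ROLE" "${DCNM_SMU_ISO:-/root/dcnm-va-patch.11.5(1)-p1.iso}" || exit 1
    scan_log4j "$DCNM_SCAN_DIR"
    [ "$(vulnerable_count "$DCNM_SCAN_DIR")" -eq 0 ] || exit 2
fi
```

Run it as root inside the screen session, for example DCNM_ROLE=active sh dcnm-smu.sh on dcnm1 and DCNM_ROLE=standby sh dcnm-smu.sh on dcnm2; a non-zero exit code of 2 means the scan still found a log4j-core below the threshold and the node should not be treated as patched.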