Impact of CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, & CVE-2021-44832 Apache Log4j Vulnerabilities on Data Insight

Article: 100052067
Last Published: 2022-01-04
Product(s): Data Insight

About CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, & CVE-2021-44832 Apache Log4j Vulnerabilities

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

The Apache Software Foundation has released security advisories addressing a remote code execution vulnerability (CVE-2021-44228), a follow-on issue in which the Thread Context Lookup Pattern remained exploitable after the previous fix (CVE-2021-45046), and a denial of service vulnerability (CVE-2021-45105), affecting Log4j versions 2.0-beta9 to 2.16.0. A remote attacker could exploit these vulnerabilities to take control of an affected system.

More information is available in the Apache announcement, which recommends upgrading to the latest Log4j 2.17.0 or applying the recommended mitigations immediately.

 

Issue

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
Severity: Critical
Base CVSS Score: 9.0 
CVSS: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
Severity: High
Base CVSS Score: 7.5 
CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-44832: Apache Log4j2 JDBC Appender with a JNDI LDAP data source vulnerable to a remote code execution
Severity: Medium
Base CVSS Score: 6.6
CVSS: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

NOTE: Data Insight is NOT affected by CVE-2021-44832, because the JDBC Appender is neither used by nor included in the product code.

Affected Data Insight Versions for CVE-2021-44228, CVE-2021-45046, & CVE-2021-45105

 

Affected Data Insight Versions

Product/Component | Version | Mitigation Steps
Veritas Data Insight Management Server | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath and set the parameter in the vmoptions files.
Veritas Data Insight Collector and Indexer (Windows Platform) | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath and set the parameter in the vmoptions files.
Veritas Data Insight Indexer (Linux Platform) | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath.
Veritas Data Insight Self-Service Portal | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath and set the parameter in the vmoptions files.
Veritas Data Insight Classification Server | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath and set the parameter in the vmoptions files.
Veritas Data Insight Windows File Server Agent | All Supported Versions | Perform the mitigation steps below: remove the JndiLookup class from the classpath.


Hot Fix for Data Insight 6.2:

SecurityFix_DataInsight_6.2_ApacheLog4j (veritas.com)

Hot Fix for Data Insight 6.1.6 (6.1RP6):

SecurityFix_DataInsight_6.1RP6_ApacheLog4j (veritas.com)

Hot Fix for Data Insight 6.1.5 (6.1RP5):

SecurityFix_DataInsight_6.1RP5_ApacheLog4j (veritas.com)

 

NOTE: If you are running a version of Data Insight prior to 6.1.5, Veritas strongly recommends upgrading to one of the three latest releases and applying the appropriate patch to resolve the vulnerabilities. Customers that are unable to upgrade to a patched version of Data Insight can follow the mitigation steps below to resolve the vulnerabilities for their version.

 

*** This KB article covers mitigation steps for products/components identified in the above table ***

Please revisit this document for any changes as we continue our investigation.

 

When making changes recommended below, please see the following notes.

 

If there are service startup issues after making the changes, please share a copy of these files when engaging Technical Support.

<INSTALLDIR>\Program Files\DataInsight\log\webserver0.0.log

<INSTALLDIR>\Program Files\DataInsight\log\sponline_connector_service.log

<INSTALLDIR>\Program Files\DataInsight\log\sponline_service0.0.log

<INSTALLDIR>\Program Files\DataInsight\log\onedrive_service0.0.log

<INSTALLDIR>\Program Files\DataInsight\log\onedrive_connector_service.log

 

Mitigation Steps for Veritas Data Insight

 

Windows Platform Nodes: Management Server, Indexer, Collector, Classification, Self-Service Portal, and Windows File Server Agent

NOTE: Log4j version 2.6.2 is used by Data Insight versions 6.0 through 6.2

1.     Stop all Data Insight services

2.     Backup the following files (if present)

a.     <INSTALLDIR>\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-core*.jar

b.     <INSTALLDIR>\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-core*.jar

c.     <INSTALLDIR>\Program Files\DataInsight\connectors\onedrive\dcConnectorOneDrive*.jar

d.     <INSTALLDIR>\Program Files\DataInsight\connectors\sponline\dcConnectorSharePointOnline*.jar

e.     <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightOneDriveService.vmoptions

f.      <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightSPOnlineService.vmoptions

g.     <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightCmisService.vmoptions

3.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-<VERSION>.jar archive using a zip/file compression tool (Example using 7-Zip)

a.     Open a command prompt with elevated permissions (Run as administrator)

b.     Navigate to <INSTALLDIR>\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\

c.     Run the following command to delete the class file from the archive

7z.exe d log4j-core-<VERSION>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

7z.exe d log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

4.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-<VERSION>.jar archive using a zip/file compression tool (Example using 7-Zip)

a.     Open a command prompt with elevated permissions (Run as administrator)

b.     Navigate to <INSTALLDIR>\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\

c.     Run the following command to delete the class file from the archive

7z.exe d log4j-core-<VERSION>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

7z.exe d log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

5.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>\Program Files\DataInsight\connectors\onedrive\dcConnectorOneDrive.jar archive (present on nodes running Data Insight version 6.1.6 and above) using a zip/file compression tool (Example using 7-Zip)

a.     Open a command prompt with elevated permissions (Run as administrator)

b.     Navigate to <INSTALLDIR>\Program Files\DataInsight\connectors\onedrive\

c.     Run the following command to delete the class file from the archive

7z.exe d dcConnectorOneDrive.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

7z.exe d dcConnectorOneDrive.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

6.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>\Program Files\DataInsight\connectors\sponline\dcConnectorSharePointOnline.jar archive (present on nodes running Data Insight version 6.1.6 and above) using a zip/file compression tool (Example using 7-Zip)

a.     Open a command prompt with elevated permissions (Run as administrator)

b.     Navigate to <INSTALLDIR>\Program Files\DataInsight\connectors\sponline\

c.     Run the following command to delete the class file from the archive

7z.exe d dcConnectorSharePointOnline.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

7z.exe d dcConnectorSharePointOnline.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

7.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>\Program Files\DataInsight\connectors\cmis\dcConnectorCMIS.jar archive (present on nodes running Data Insight version 6.1.5 and above) using a zip/file compression tool (Example using 7-Zip)

a.     Open a command prompt with elevated permissions (Run as administrator)

b.     Navigate to <INSTALLDIR>\Program Files\DataInsight\connectors\cmis\

c.     Run the following command to delete the class file from the archive

7z.exe d dcConnectorCMIS.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

7z.exe d dcConnectorCMIS.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

8.     Steps 3 through 7 can be performed manually by opening the *.jar archive using the zip tool of your choice and removing the org/apache/logging/log4j/core/lookup/JndiLookup.class file

9.     Edit the DataInsightOneDriveService.vmoptions file

a.     Open the <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightOneDriveService.vmoptions file with a text editor

b.     Add the following line to the end of the file and save:

-Dlog4j2.formatMsgNoLookups=true

10.  Edit the DataInsightSPOnlineService.vmoptions file

a.     Open the <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightSPOnlineService.vmoptions file with a text editor

b.     Add the following line to the end of the file and save:

-Dlog4j2.formatMsgNoLookups=true

11.  Edit the DataInsightCmisService.vmoptions file

a.     Open the <INSTALLDIR>\Program Files\DataInsight\bin\DataInsightCmisService.vmoptions file with a text editor

b.     Add the following line to the end of the file and save:

-Dlog4j2.formatMsgNoLookups=true

12.  Start all Data Insight Services

 

Linux Platform Nodes: Indexer

1.     Stop all Data Insight services

2.     Backup the following files (if present)

a. <INSTALLDIR>/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-core*.jar

b. <INSTALLDIR>/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-core*.jar

3.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-<VERSION>.jar archive using a zip/file compression tool (Example using Zip)

a.     Login to a shell session as the Data Insight user

b.     Navigate to <INSTALLDIR>/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/

c.     Run the following command to delete the class file from the archive

zip -d log4j-core-<VERSION>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

zip -d log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

4.     Remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the <INSTALLDIR>/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-<VERSION>.jar archive using a zip/file compression tool (Example using Zip)

a.     Login to a shell session as the Data Insight user

b.     Navigate to <INSTALLDIR>/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/

c.     Run the following command to delete the class file from the archive

zip -d log4j-core-<VERSION>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Example:

zip -d log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

5. Start all Data Insight services.
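The following audit and cleanup helper is an added example, not Veritas code, covering both the Windows and Linux procedures above: it reports which of the jars named in this article still contain JndiLookup.class, removes the class with the same effect as the 7z d / zip -d commands after taking a .bak copy, and checks a vmoptions file for the -Dlog4j2.formatMsgNoLookups=true line. The install directory passed to audit() is an assumption; point it at your <INSTALLDIR>.

```python
import os
import shutil
import zipfile

# Class the KB removes from every Log4j 2.x jar, and the JVM flag it adds.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Jar name prefixes the KB lists as bundling Log4j 2.x on Data Insight nodes.
JAR_PREFIXES = ("log4j-core", "dcConnectorOneDrive",
                "dcConnectorSharePointOnline", "dcConnectorCMIS")


def jar_has_jndilookup(jar_path):
    """True if the archive still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndilookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as '7z d' / 'zip -d')."""
    if not jar_has_jndilookup(jar_path):
        return False  # already clean, nothing to do
    shutil.copy2(jar_path, jar_path + ".bak")  # mirrors the KB's backup step
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)  # atomic swap on the same filesystem
    return True


def vmoptions_has_flag(vmoptions_path):
    """True if the vmoptions file already sets formatMsgNoLookups."""
    with open(vmoptions_path, encoding="utf-8") as fh:
        return any(line.strip() == NO_LOOKUPS_FLAG for line in fh)


def audit(install_dir):
    """Walk the (assumed) install dir and return jars still shipping JndiLookup.class."""
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if name.endswith(".jar") and name.startswith(JAR_PREFIXES):
                path = os.path.join(root, name)
                if jar_has_jndilookup(path):
                    findings.append(path)
    return sorted(findings)
```

Run audit() before and after the steps above: an empty result means no listed jar still carries the class.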

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
