Impact of Apache Log4j Vulnerability on eDiscovery Platform

Article: 100052068
Last Published: 2022-02-15
Product(s): eDiscovery Platform

Summary 

Apache has published multiple vulnerabilities and their mitigation steps as part of its announcement. In this article, we track the following vulnerabilities and their impact on the eDiscovery Platform.

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.  

  • Severity: Critical
  • Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.14.1 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations 

  • Severity: Critical
  • Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation 

  • Severity: High
  • Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.16.0 

CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server.

  • Severity: Moderate
  • Base CVSS Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
  • Affected Log4j Versions: All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.

  • Severity: High
  • Base CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Log4j Version: 1.x

CVE-2021-42392: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to LDAP or RMI servers, causing remote code execution.

  • Severity: Critical
  • Base CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Impact

In eDiscovery Platform 9.5 and above, Log4j 2.x is used as a third-party component for logging purposes.

CVE-2021-44228 & CVE-2021-45046 

  • Customers running eDiscovery Platform version 9.5.0, 9.5.1, 10.0.0 or 10.0.1 are strongly advised to implement the mitigation steps listed below in this article.
  • As an additional measure of safety, customers are encouraged to upgrade their 9.5.0, 9.5.1, 10.0.0 and 10.0.1 environments to the latest maintenance releases (9.5.2 or 10.0.2) and use the Solution mentioned below.
  • Customers running eDiscovery Platform version 10.1 are advised to use the Solution mentioned below.

CVE-2021-45105 

  • No version of the eDiscovery Platform is impacted by the vulnerability raised in CVE-2021-45105. While the eDiscovery Platform uses log4j-core-2.16.0, it does not use the custom/non-default patterns described in the CVE-2021-45105 attack description, and log4j-core-2.16.0 disables access to JNDI by default.

CVE-2021-44832  

  • No version of the eDiscovery Platform is impacted by the vulnerability raised in CVE-2021-44832.

CVE-2021-4104 

  • eDiscovery Platform versions prior to 9.5 use Log4j version 1.x without JMSAppender and hence are not vulnerable to this issue. If required, this file can be safely deleted from the install location.

CVE-2021-42392 

  • No version of the eDiscovery Platform is impacted by this vulnerability, as the product does not use the H2 database.

Notes:

  • eDiscovery Platform versions prior to 9.5 use Log4j version 1.x without JMSAppender. As mentioned in the Apache advisory, Log4j 1.x configurations without JMSAppender are not impacted by the vulnerability tracked under CVE-2021-44228. The other two vulnerabilities are not applicable to Log4j version 1.x. Customers running an eDiscovery Platform version prior to 9.5.x do not currently require any mitigation or solution for this vulnerability.

  • Vulnerability scans may also identify the following Log4j 1.x files. These files may be safely deleted:
    • D:\CW\V10\3rdparty\classes\log4j.jar  - Present in v9.5.x, v10.0.1 and v10.1
    • D:\CW\V10\3rdparty\apps\hibernate-3.2.7\lib\log4j-1.2.11.jar - Only present in v10.0.x and v10.1


Affected Versions 

eDiscovery Platform versions: 10.1.0, 10.0.2, 10.0.1, 10.0, 9.5.2, 9.5.1, 9.5.0


Resolution for eDiscovery Platform versions 9.5.x, 10.0.x and 10.1

Customers running eDiscovery Platform versions 9.5.x, 10.0.x and 10.1 can use the Solution Patches available from the Veritas Download Center to remediate CVE-2021-44228 and CVE-2021-45046 in the impacted areas of the product. Apply the solution patch to all servers with the eDiscovery Platform installed, including Confirmation Servers and Utility Nodes.

NOTE: The 9.5.x solution patch can be applied to all versions of eDiscovery 9.5.x. The 10.0.x solution patch can be applied to all versions of eDiscovery 10.0.x. These patches include Apache Log4j version 2.17.1. Only use the recommended versions of Log4j to mitigate this issue.



Steps for eDiscovery Platform version 9.5.x

  1. Download the eDiscovery_Platform_9.5.x_log4j_2.17.1_Patch.zip from the Veritas Download Center.
  2. On the desktop of the eDiscovery server, open the Clearwell Utility and stop services using option #3.
  3. Make a backup copy of the folder <EDP_INSTALL_DIR>\web
    Example: <EDP_INSTALL_DIR> = D:\CW\v95\web
  4. Make a backup of the file <EDP_INSTALL_DIR>\build.pl
  5. Copy the contents of the patch binaries folder to the <EDP_INSTALL_DIR> and overwrite existing files.
  6. Delete the following 3 files from the <EDP_INSTALL_DIR>\web\apps\WEB-INF\lib folder:
    1. If the log4j 2.16.0 patch has not already been applied:
      log4j-1.2-api-2.12.1.jar
      log4j-api-2.12.1.jar
      log4j-core-2.12.1.jar
    2. If the log4j 2.16.0 patch has already been applied:
      log4j-1.2-api-2.16.0.jar
      log4j-api-2.16.0.jar
      log4j-core-2.16.0.jar
  7. Open the folder <EDP_INSTALL_DIR>\config\configs
    1. Make a backup copy of the default.properties file
    2. If the log4j 2.16.0 patch has not already been applied:
      Replace all occurrences of the text log4j-1.2-api-2.12.1.jar with log4j-1.2-api-2.17.1.jar
      Replace all occurrences of the text log4j-api-2.12.1.jar with log4j-api-2.17.1.jar
      Replace all occurrences of the text log4j-core-2.12.1.jar with log4j-core-2.17.1.jar
      Save the updated file.
    3. If the log4j 2.16.0 patch has already been applied:
      Replace all the occurrences of the text log4j-1.2-api-2.16.0.jar with log4j-1.2-api-2.17.1.jar
      Replace all the occurrences of the text log4j-api-2.16.0.jar with log4j-api-2.17.1.jar
      Replace all the occurrences of the text log4j-core-2.16.0.jar with log4j-core-2.17.1.jar
      Save the updated file.
  8. Open the Clearwell Utility and run option #7 to deploy the changed default.properties file and start eDiscovery services.

Steps for eDiscovery Platform version 10.0.x

  1. Download the eDiscovery_Platform_10.0.x_log4j_2.17.1_Patch.zip from the Veritas Download Center.
  2. On the desktop of the eDiscovery server, open the Clearwell Utility and stop services using option #3.
  3. Make a backup of the folder <EDP_INSTALL_DIR>\web
    Example: <EDP_INSTALL_DIR> = D:\CW\v100\web
  4. Make a backup copy of the file <EDP_INSTALL_DIR>\build.pl
  5. Copy the contents of the patch binaries folder to the <EDP_INSTALL_DIR> and overwrite existing files.
  6. Delete the following 3 files from the <EDP_INSTALL_DIR>\web\app\WEB-INF\lib folder:
    1. If the log4j 2.16.0 patch has not already been applied:
      log4j-1.2-api-2.13.3.jar
      log4j-api-2.13.3.jar
      log4j-core-2.13.3.jar
    2. If the log4j 2.16.0 patch has already been applied:
      log4j-1.2-api-2.16.0.jar
      log4j-api-2.16.0.jar
      log4j-core-2.16.0.jar
  7. Open the file <EDP_INSTALL_DIR>\config\configs\default.properties
    1. Make a backup copy of the default.properties file
    2. If the log4j 2.16.0 patch has not already been applied:
      Replace all the occurrences of the text log4j-1.2-api-2.13.3.jar with log4j-1.2-api-2.17.1.jar
      Replace all the occurrences of the text log4j-api-2.13.3.jar with log4j-api-2.17.1.jar
      Replace all the occurrences of the text log4j-core-2.13.3.jar with log4j-core-2.17.1.jar
      Save the updated file.
    3. If the log4j 2.16.0 patch has already been applied:
      Replace all the occurrences of the text log4j-1.2-api-2.16.0.jar with log4j-1.2-api-2.17.1.jar
      Replace all the occurrences of the text log4j-api-2.16.0.jar with log4j-api-2.17.1.jar
      Replace all the occurrences of the text log4j-core-2.16.0.jar with log4j-core-2.17.1.jar
      Save the updated file.
  8. Open the Clearwell Utility and run option #7 to deploy the changed default.properties file and start eDiscovery services.
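
Steps 6 and 7 of both the 9.5.x and 10.0.x procedures are the same operation with different starting versions: remove the old log4j-1.2-api, log4j-api and log4j-core jars and point default.properties at the 2.17.1 jars. The following script is an added example (not part of the Veritas patch or this article) that performs those two steps and then verifies the result; it detects the old version (2.12.1, 2.13.3 or 2.16.0) instead of hard-coding it, and assumes the install layout the steps above describe, with the lib folder passed in as `web/apps/WEB-INF/lib` (9.5.x) or `web/app/WEB-INF/lib` (10.0.x).

```python
import re
from pathlib import Path

ARTIFACTS = ("log4j-1.2-api", "log4j-api", "log4j-core")
TARGET = "2.17.1"  # version shipped in the 9.5.x and 10.0.x solution patches
# A log4j jar file name, or a reference to one inside default.properties.
REF_RE = re.compile(r"(log4j-1\.2-api|log4j-api|log4j-core)-(\d+\.\d+\.\d+)\.jar")

def stale_jars(jar_names, target=TARGET):
    """Step 6: log4j jars in WEB-INF\\lib at any version other than the target
    (2.12.1, 2.13.3 or 2.16.0 depending on what was applied earlier)."""
    stale = [n for n in jar_names if (m := REF_RE.fullmatch(n)) and m.group(2) != target]
    return sorted(stale)

def rewrite_properties(text, target=TARGET):
    """Step 7: point every log4j jar reference at the target version, whatever the
    old version was. Returns (new_text, number_of_references_changed)."""
    changed = 0
    def swap(m):
        nonlocal changed
        if m.group(2) == target:
            return m.group(0)  # already at the target version, leave untouched
        changed += 1
        return f"{m.group(1)}-{target}.jar"
    return REF_RE.sub(swap, text), changed

def verify(jar_names, properties_text, target=TARGET):
    """Post-patch check: no stale jars left, all three target jars present, and
    every jar named in default.properties actually exists in the lib folder."""
    present = set(jar_names)
    problems = [f"stale jar still present: {j}" for j in stale_jars(jar_names, target)]
    problems += [f"missing {a}-{target}.jar" for a in ARTIFACTS
                 if f"{a}-{target}.jar" not in present]
    problems += [f"default.properties references absent jar: {m.group(0)}"
                 for m in REF_RE.finditer(properties_text) if m.group(0) not in present]
    return problems

def apply_to_install(install_dir, lib_subdir, target=TARGET):
    """Run steps 6-7 against an install dir laid out as the article describes
    (assumed layout: <install_dir>/config/configs/default.properties and
    <install_dir>/<lib_subdir>). Backs up, rewrites, deletes stale jars, verifies."""
    root = Path(install_dir)
    lib = root / lib_subdir
    props = root / "config" / "configs" / "default.properties"
    props.with_name(props.name + ".bak").write_bytes(props.read_bytes())  # step 7.1
    new_text, changed = rewrite_properties(props.read_text(encoding="utf-8"), target)
    props.write_text(new_text, encoding="utf-8")
    for jar in stale_jars([p.name for p in lib.iterdir()], target):
        (lib / jar).unlink()
    return changed, verify([p.name for p in lib.iterdir()], new_text, target)
```

Run `verify` again after step 8 so that a stale jar or a dangling reference in default.properties is caught before services come back up.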

Steps for eDiscovery Platform version 10.1

Customers running eDiscovery Platform version 10.1 can upgrade to the 10.1.1 release. This release provides complete mitigation of the Log4j vulnerabilities by upgrading to Log4j 2.17.1 and to the latest PrizmDoc libraries, which contain Log4j 2.17.1.

The release can be downloaded from Veritas Download Center. https://www.veritas.com/support/en_US/downloads/update.UPD923471 

Note: If the previous remediation patch of upgrading to Log4j 2.16.0 was applied to eDiscovery version 10.1, this patch must be removed prior to upgrading to the eDiscovery 10.1.1 release.

To revert to the original log4j 2.13.3 libraries prior to upgrading to 10.1.1:

  • Rename the folder <EDP_INSTALL_DIR>\web
  • Rename the file <EDP_INSTALL_DIR>\build.pl
  • Rename the file <EDP_INSTALL_DIR>\config\configs\default.properties
  • Restore the <EDP_INSTALL_DIR>\web folder from the backup made in the previous remediation steps.
  • Restore the <EDP_INSTALL_DIR>\build.pl file from the backup made in the previous remediation steps.
  • Restore the <EDP_INSTALL_DIR>\config\configs\default.properties from the backup made in the previous remediation steps.

Questions 

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

NOTE: This document is being reviewed frequently and this note will be updated once all affected versions have been identified and mitigation options have been verified.

Revision History (latest updates on top)

• Additional vulnerabilities and their impact added to the article. New Solution Patches for eDiscovery Platform 9.5.x and 10.0.x using Log4j 2.17.1 have been released and the steps updated. eDiscovery Platform 10.1.1 released; it provides complete mitigation of the vulnerability using Log4j 2.17.1 across all parts of the product - Feb 14, 2022
• The mitigation procedure of removing the JndiLookup.class file from the log4j-core JAR file has been removed, after further testing confirmed that the Log4j 2.16.0 solution can be applied to all eDiscovery Platform versions 9.5.0 and above - Dec 23, 2021
• Solution patch to upgrade to Apache log4j 2.16.0 released for versions 9.5.2, 10.0.2 and 10.1 - Dec 20, 2021
• Updated mitigation steps based on latest changes in CVE-2021-44228 and CVE-2021-45046 - Dec 15, 2021
• Removed the references of Accusoft PrizmDoc and VIC as they are not affected - Dec 14, 2021
• Initial response regarding CVE-2021-44228 - Dec 10, 2021


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
