Impact of Apache Log4j Vulnerabilities on Enterprise Vault.cloud

Impact of Apache Log4j Vulnerabilities on Enterprise Vault.cloud

Article: 100052069
Last Published: 2021-12-20
Ratings: 1 0
Product(s): Enterprise Vault.cloud

Summary

Apache has published multiple vulnerabilities and their mitigation steps as part of their announcement. As part of this article, we are tracking the following vulnerabilities and their impact on Enterprise Vault.Cloud. 

While this issue has been resolved in Log4j 2.17.0, compatibility and installation of this version is still under investigation. 

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.  

  • Severity: Critical  

  • Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 

  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.14.1 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations 

  • Security: Critical 

  • Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) 

  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation 

  • Security: High 

  • Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.16.0 

Impact

Enterprise Vault.cloud core components do not use the Log4j2 component and therefore are not affected by this vulnerability.  However, Enterprise Vault.cloud uses the third-party component called Elasticsearch version 7.12.1 which internally uses Log4j 2x. 

As officially stated by Elastic in their announcement here, above mentioned vulnerabilities are not exploitable for Elasticsearch 7.12+.   

As an additional precaution recommend by Elastic, we have already set JVM Option to true: Dlog4j2.formatMsgNoLookups=true 

 

NOTE: Veritas Advanced Supervision (VAS), Veritas Information Classifier (VIC), and Merge1 are not impacted by this vulnerability and require no mitigation when used in association with Enterprise Vault.cloud.

Mitigation  

There are no further mitigation steps required for Enterprise Vault.cloud. 

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Was this content helpful?