Impact of CVE-2021-44228 and Related Apache Log4j Vulnerabilities on Veritas APTARE IT Analytics and mitigation steps

Article: 100052081
Last Published: 2022-01-12
Product(s): APTARE IT Analytics

About Apache Log4j Vulnerabilities

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The Apache Software Foundation has recently released a number of security advisories to address vulnerabilities affecting Log4j versions 2.0-beta9 to 2.17.0. The specific vulnerabilities are detailed below.

More information is available from the Apache Announcement, which recommends upgrading to the latest Log4j 2.17.1. APTARE IT Analytics will include this version in the upcoming Patch Releases 10.6 P9 and 10.5 P14.

Issues (in chronological order of announcement)

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
Severity: Critical - Base CVSS Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Critical - Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Severity: Moderate - Base CVSS Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Severity: Moderate - Base CVSS Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)


Affected Versions

The following versions of APTARE IT Analytics are affected by these vulnerabilities:

| Product | Versions | Affected by | Resolution |
|---|---|---|---|
| Veritas APTARE IT Analytics | 10.5 P12 and earlier; 10.6 P7 and earlier | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Upgrade to 10.5 P13 (or later) or 10.6 P8 (or later) |
| Veritas APTARE IT Analytics | 10.5 P13; 10.6 P8 | CVE-2021-45105, CVE-2021-44832 | Upgrade to 10.5 P14 (or later) or 10.6 P9 (or later) |
| Veritas APTARE IT Analytics | 10.4 and earlier | None | No vulnerabilities reported. These versions do not use log4j 2.x but do use log4j 1.x (which is now at end of life). One vulnerability (CVE-2021-4104) that applies to log4j 1.x does not apply to APTARE, since the product does not use JMSAppender. |


Links to download Patch Release with Full Remediation:

10.5 P14 - https://www.veritas.com/support/en_US/downloads/update.UPD924388

10.6 P9 - https://www.veritas.com/support/en_US/downloads/update.UPD924445

Note that log4j 2.16.0, 2.13.3 or older jar files may remain in the Aptare folder after the patch has been applied. These are not used and, except for the files under the Oracle directory, can safely be deleted if necessary. The Oracle database is not vulnerable to these security findings, and the older jar files will be removed when the October 2021 quarterly patch is installed.
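A defender-side check for the note above, added here as example code (not Veritas' own): it walks an install folder, reads the version Maven records in each Log4j jar's pom.properties, reports anything below 2.17.1 as stale, and skips the Oracle directory the advisory says to leave alone. The folder layout, jar names and the `build_sample_tree` helper are constructed for this example; point `audit_log4j_jars` at the real Aptare folder instead.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 1)  # assumption: the 2.17.1 build shipped in 10.5 P14 / 10.6 P9
SKIP_DIRS = ("Oracle",)     # the advisory says jars under the Oracle directory stay put
POM_RE = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/[^/]+/pom\.properties$")

def parse_version(text: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); anything unparseable sorts below every real release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)

def jar_log4j_version(path: str) -> str:
    """Return the version Maven recorded inside a Log4j jar, or '' for any other jar."""
    with zipfile.ZipFile(path) as z:
        for name in filter(POM_RE.match, z.namelist()):
            for line in z.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return ""

def audit_log4j_jars(root: str) -> dict:
    """Walk an install folder and sort Log4j jars into fixed, stale and skipped."""
    report = {"fixed": [], "stale": [], "skipped": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(n for n in filenames if n.lower().endswith(".jar")):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel.split(os.sep)[0] in SKIP_DIRS:  # leave the Oracle tree untouched
                report["skipped"].append(rel)
                continue
            version = jar_log4j_version(os.path.join(root, rel))
            if version:
                bucket = "fixed" if parse_version(version) >= FIXED_VERSION else "stale"
                report[bucket].append(f"{rel} ({version})")
    return report

def build_sample_tree() -> str:
    """Constructed stand-in for an Aptare folder: minimal jars holding only pom.properties."""
    root = tempfile.mkdtemp()
    for rel, artifact, version in [("lib/log4j-core-2.17.1.jar", "log4j-core", "2.17.1"),
                                   ("lib/log4j-api-2.16.0.jar", "log4j-api", "2.16.0"),
                                   ("Oracle/lib/log4j-core-2.13.3.jar", "log4j-core", "2.13.3")]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties", f"version={version}\n")
    return root
```

Anything listed under "stale" outside the Oracle directory is a leftover the note says can be deleted; entries under "skipped" are reported only so the operator can see they were deliberately left alone.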


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
