
SecurityFix_ DataInsight_6.2_ ApacheLog4j

HotFix Critical

Abstract

This is a security fix for DataInsight 6.2 for the CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities.

Description

This security fix for DataInsight 6.2 addresses the vulnerabilities described in the security advisory released by the Apache Software Foundation. The following vulnerabilities affect Log4j versions 2.0-beta9 to 2.15:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
  • CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

Date: 2021-12-22

OS: Windows and Linux

 

Errors/Problems Fixed:

CFT-4258 - [DI]Log4j security vulnerability tasks 

 

Vulnerabilities addressed: CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105

About CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Apache Log4j Vulnerability)
Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228), a Thread Context Lookup Pattern vulnerability remaining in the previous fix (CVE-2021-45046) and a denial of service vulnerability (CVE-2021-45105) affecting Log4j versions 2.0-beta9 to 2.16.0. A remote attacker could exploit these vulnerabilities to take control of an affected system.

Issue

 

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
Severity: Critical
Base CVSS Score: 9.0 
CVSS: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Severity: High
Base CVSS Score: 7.5 
CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

Install/Uninstall Instructions:

Perform the following steps on the Data Insight Management Server and on all server nodes.

 

Please note: If NONE of the previous DataInsight Log4j patches has been applied, follow SECTION I ONLY.
If the previous DataInsight Log4j patch has been applied, follow SECTION II ONLY.

 

 

SECTION I: If none of the previous Log4j patches has been applied.

FILES AFFECTED BY THIS PATCH:

 

By default, the value of INSTALL_ROOT on Windows is "C:\Program Files\DataInsight"

Windows:

C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-api-2.13.3.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-2.6.2.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-to-slf4j-2.13.3.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\slf4j-log4j12-1.7.30.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-api-2.13.3.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-2.6.2.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-to-slf4j-2.13.3.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\slf4j-log4j12-1.7.30.jar
C:\Program Files\DataInsight\connectors\onedrive\dcConnectorOneDrive.jar
C:\Program Files\DataInsight\connectors\sponline\dcConnectorSharePointOnline.jar

 

By default, the value of INSTALL_ROOT on Linux is "/opt/DataInsight".

Linux:

/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-1.2.17.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-api-2.13.3.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-2.6.2.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-to-slf4j-2.13.3.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/slf4j-log4j12-1.7.30.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-1.2.17.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-api-2.13.3.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-2.6.2.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-to-slf4j-2.13.3.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/slf4j-log4j12-1.7.30.jar
/opt/DataInsight/connectors/onedrive/dcConnectorOneDrive.jar
/opt/DataInsight/connectors/sponline/dcConnectorSharePointOnline.jar

 

STEPS:

Log into the Data Insight Server and perform the following steps:

    1. Unzip the patch files to a temporary folder. In this folder, locate the
       "patches" folder. This folder contains all files for the help application.

       Example: If you unzip the hotfix to C:\temp, it will create the following
       folders under C:\temp:
       C:\TEMP\
       +---README
       +---patches\Linux
       +---patches\Windows

    2. For Windows:

       a. Start the 64-bit version of either Windows PowerShell or Windows PowerShell ISE
          with the "Run as administrator" option. The version of PowerShell must be 3.0
          or later. You can determine the version that you are running by typing the
          following at the PowerShell prompt:

              $PSVersionTable.PSVersion

       b. It is strongly recommended to use the PowerShell script for installation of
          this hotfix.

          i. Run the following cmdlet, which requires all scripts to be signed before
             they can be executed:

              Set-ExecutionPolicy AllSigned

          ii. Check that the execution policy is set to AllSigned using the following
              cmdlet:

              Get-ExecutionPolicy

          iii. Run the PowerShell script:

              .\DIHFInstaller.ps1

       c. Run the PowerShell script DIHFInstaller.ps1. This script does the following:

          i. Stops all Data Insight services.
          ii. Takes a backup of the existing binaries.
          iii. Deletes the vulnerable jars.
          iv. Installs the required jars.
          v. Brings the Data Insight services online.

    3. For Linux:

       Perform the following steps manually.

       a. Stop all DataInsight services.

       b. Take a backup of the following jars from the aforementioned paths
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib>:
          i. log4j-1.2.17.jar
          ii. log4j-api-2.13.3.jar
          iii. log4j-core-2.6.2.jar
          iv. log4j-to-slf4j-2.13.3.jar
          v. slf4j-log4j12-1.7.30.jar

       c. Take a backup of the following files from the locations below:
          /opt/DataInsight/connectors/onedrive/dcConnectorOneDrive.jar
          /opt/DataInsight/connectors/sponline/dcConnectorSharePointOnline.jar

       d. Delete the following jar files from the aforementioned paths
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib>:
          i. log4j-1.2.17.jar
          ii. log4j-api-2.13.3.jar
          iii. log4j-core-2.6.2.jar
          iv. log4j-to-slf4j-2.13.3.jar
          v. slf4j-log4j12-1.7.30.jar

       e. Add the following jar files from HOTFIX_Files to the locations
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/>:
          i. log4j-api-2.17.0.jar
          ii. log4j-core-2.17.0.jar
          iii. slf4j-simple-1.7.30.jar

       f. Replace the following jar files with the jar files in Hotfix_Files/connectors:
          /opt/DataInsight/connectors/onedrive/dcConnectorOneDrive.jar
          /opt/DataInsight/connectors/sponline/dcConnectorSharePointOnline.jar

       g. Start all DataInsight services.

Additional Notes:
1. Apply this hotfix to Data Insight 6.2 or 6.2HF1 or 6.2HF2.
2. If a new Data Insight node is added later, this hotfix needs to be applied.
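The choice between SECTION I and SECTION II, and the post-install check that the 2.17.0 jars are in place, both come down to which log4j-core jar sits in the two symhelp lib directories listed above. The following POSIX shell helper is an added example, not part of the Veritas hotfix package or DIHFInstaller.ps1; it assumes the jars keep their stock log4j-core-<version>.jar names and takes INSTALL_ROOT as an optional argument (default /opt/DataInsight).

```shell
#!/bin/sh
# Added example (not from the hotfix package): report which section of the
# instructions applies, per symhelp lib directory, from the log4j-core jar present.

# Print the version of the log4j-core jar in a directory, or nothing if none.
log4j_core_version() {
    dir=$1
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || return 0          # glob did not match: no jar
        base=${jar##*/}                    # strip directory
        ver=${base#log4j-core-}            # strip prefix
        printf '%s\n' "${ver%.jar}"        # strip suffix
        return 0
    done
}

# Map a log4j-core version to the advisory's decision:
#   2.17.0  -> PATCHED    (this hotfix already applied)
#   2.16.0  -> SECTION II (previous Log4j patch applied)
#   other   -> SECTION I  (unpatched, e.g. 2.6.2 shipped with 6.2)
#   none    -> MISSING    (jar not found; inspect manually)
section_for_version() {
    case $1 in
        2.17.0) echo PATCHED ;;
        2.16.0) echo "SECTION II" ;;
        "")     echo MISSING ;;
        *)      echo "SECTION I" ;;
    esac
}

# Check both symhelp lib directories under INSTALL_ROOT; print one line each.
# Returns 1 if the two directories disagree, a state the instructions do not
# cover and which should be resolved by hand before running either section.
di_log4j_check() {
    root=${1:-/opt/DataInsight}
    first=
    rc=0
    for lib in "$root/tomcat/webapps/symhelp/WEB-INF/lib" \
               "$root/portal_tomcat/webapps/symhelp/WEB-INF/lib"; do
        ver=$(log4j_core_version "$lib")
        sec=$(section_for_version "$ver")
        printf '%s: log4j-core %s -> %s\n' "$lib" "${ver:-not found}" "$sec"
        if [ -z "$first" ]; then first=$sec; fi
        if [ "$first" != "$sec" ]; then rc=1; fi
    done
    return $rc
}
```

Run `di_log4j_check` before patching to pick the section, and again after step e (SECTION I) or step d (SECTION II) to confirm both directories report PATCHED.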

 

===================================================================================================================================================================================

 

SECTION II: If the previous Log4j patch has been applied.

 

FILES AFFECTED BY THIS PATCH:

 

By default, the value of INSTALL_ROOT on Windows is "C:\Program Files\DataInsight"

Windows:

C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-api-2.16.0.jar
C:\Program Files\DataInsight\portal_tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-2.16.0.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-api-2.16.0.jar
C:\Program Files\DataInsight\tomcat\webapps\symhelp\WEB-INF\lib\log4j-core-2.16.0.jar


By default, the value of INSTALL_ROOT on Linux is "/opt/DataInsight".

Linux:

/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-api-2.16.0.jar
/opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-2.16.0.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-api-2.16.0.jar
/opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/log4j-core-2.16.0.jar


STEPS:

Log into the Data Insight Server and perform the following steps:

    1. Unzip the patch files to a temporary folder. In this folder, locate the
       "patches" folder. This folder contains all files for the help application.

       Example: If you unzip the hotfix to C:\temp, it will create the following
       folders under C:\temp:
       C:\TEMP\
       +---README
       +---patches\Linux
       +---patches\Windows

    2. For Windows:

       a. Start the 64-bit version of either Windows PowerShell or Windows PowerShell ISE
          with the "Run as administrator" option. The version of PowerShell must be 3.0
          or later. You can determine the version that you are running by typing the
          following at the PowerShell prompt:

              $PSVersionTable.PSVersion

       b. It is strongly recommended to use the PowerShell script for installation of
          this hotfix.

          i. Run the following cmdlet, which requires all scripts to be signed before
             they can be executed:

              Set-ExecutionPolicy AllSigned

          ii. Check that the execution policy is set to AllSigned using the following
              cmdlet:

              Get-ExecutionPolicy

          iii. Run the PowerShell script:

              .\DIHFInstaller.ps1

       c. Run the PowerShell script DIHFInstaller.ps1. This script does the following:

          i. Stops all Data Insight services.
          ii. Takes a backup of the existing binaries.
          iii. Deletes the vulnerable jars.
          iv. Installs the required jars.
          v. Brings the Data Insight services online.

    3. For Linux:

       Perform the following steps manually.

       a. Stop all DataInsight services.

       b. Take a backup of the following jars from the aforementioned paths
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib>:
          i. log4j-api-2.16.0.jar
          ii. log4j-core-2.16.0.jar

       c. Delete the following jar files from the aforementioned paths
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib>:
          i. log4j-api-2.16.0.jar
          ii. log4j-core-2.16.0.jar

       d. Add the following jar files from HOTFIX_Files to the locations
          </opt/DataInsight/tomcat/webapps/symhelp/WEB-INF/lib/> AND
          </opt/DataInsight/portal_tomcat/webapps/symhelp/WEB-INF/lib/>:
          i. log4j-api-2.17.0.jar
          ii. log4j-core-2.17.0.jar

       e. Start all DataInsight services.


Additional Notes:
1. Apply this hotfix to Data Insight 6.2 or 6.2HF1 or 6.2HF2.
2. If a new Data Insight node is added later, this hotfix needs to be applied.
