Impact of Apache Log4j Vulnerability on eDiscovery Platform

Article: 100052068
Last Published: 2022-01-19
Product(s): eDiscovery Platform

Summary 

Apache has published multiple vulnerabilities and their mitigation steps as part of their announcement. As part of this article, we are tracking the following vulnerabilities and their impact to the eDiscovery Platform.

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

  • Severity: Critical
  • Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.14.1 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations 

  • Severity: Critical
  • Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation 

  • Severity: High
  • Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • Affected Log4j Versions: All versions from 2.0-beta9 to 2.16.0 

 

Impact

In eDiscovery Platform 9.5 and above, Log4J 2.x has been used as a third-party component for logging purposes.  

CVE-2021-44228 & CVE-2021-45046 

  • Customers running eDiscovery Platform version 9.5.0, 9.5.1, 10.0.0 or 10.0.1 are strongly advised to implement the mitigation steps listed in this article below.
  • As an additional measure of safety, customers are encouraged to upgrade their 9.5.0, 9.5.1, 10.0.0 and 10.0.1 environments to the latest maintenance releases (9.5.2 or 10.0.2) and use the Solution mentioned below.
  • Customers running eDiscovery Platform version 10.1 are advised to use the Solution mentioned below.

CVE-2021-45105 

  • No version of the eDiscovery Platform is impacted by the vulnerability raised in CVE-2021-45105.  While the eDiscovery Platform uses log4j-core-2.16.0, it does not use the custom/non-default patterns described in the CVE-2021-45105 attack description.  log4j-core-2.16.0 also disables access to JNDI by default.

Notes:

  • eDiscovery Platform versions prior to 9.5 use Log4j version 1.x without JMSAppender. As mentioned in the Apache advisory, Log4j 1.x configurations without JMSAppender are not impacted by the vulnerability tracked under CVE-2021-44228. The other two vulnerabilities are not applicable to Log4j version 1.x.  Customers running an eDiscovery Platform version prior to 9.5.x do not currently require any mitigation or solution for this vulnerability.
     
  • Vulnerability scans may also identify the following log4j files.  These files may be safely deleted.
    • D:\CW\V10\3rdparty\classes\log4j.jar  - Present in v9.5.x, v10.0.1 and v10.1
    • D:\CW\V10\3rdparty\apps\hibernate-3.2.7\lib\log4j-1.2.11.jar - Only present in v10.0.x and v10.1

     

Affected Versions 

eDiscovery Platform versions: 10.1, 10.0.2, 10.0.1, 10.0, 9.5.2, 9.5.1, 9.5.0

 

Resolution for eDiscovery Platform versions 9.5.x, 10.0.x and 10.1

Customers running eDiscovery Platform version 9.5.x, 10.0.x and 10.1 can use the Solution Patches available from the Veritas Download Center to remediate CVE-2021-44228 and CVE-2021-45046 in the impacted areas of the product. Apply the solution patch to all servers with eDiscovery Platform installed, including Confirmation Servers and Utility Nodes.

NOTE: The 9.5.2 solution patch can be applied to all versions of eDiscovery 9.5.x.  The 10.0.2 solution patch can be applied to all versions of eDiscovery 10.0.x.  These patches include Apache Log4j version 2.16.0. Only use the recommended versions of Log4j to mitigate this issue. 



Steps for eDiscovery Platform version 9.5.x

  1. On the desktop of the eDiscovery server, open the Clearwell Utility and stop services using option #3.
  2. Make a backup copy of the folder <EDP_INSTALL_DIR>\web
    Example:  D:\CW\v95\web
  3. Make a backup copy of the file <EDP_INSTALL_DIR>\build.pl
  4. Copy the contents of the patch binaries folder to the <EDP_INSTALL_DIR> and overwrite existing files.
  5. Delete the following 3 files from the <EDP_INSTALL_DIR>\web\apps\WEB-INF\lib folder:
    log4j-1.2-api-2.12.1.jar
    log4j-api-2.12.1.jar
    log4j-core-2.12.1.jar
  6. Open the folder  <EDP_INSTALL_DIR>\config\configs
    Make a backup copy of the default.properties file
    Replace all occurrences of the text log4j-1.2-api-2.12.1.jar with log4j-1.2-api-2.16.0.jar
    Replace all occurrences of the text log4j-api-2.12.1.jar with log4j-api-2.16.0.jar
    Replace all occurrences of the text log4j-core-2.12.1.jar with log4j-core-2.16.0.jar
    Save the updated file.
  7. Open the Clearwell Utility and run option #7 to deploy the changed default.properties file and start eDiscovery services.

Steps for eDiscovery Platform version 10.0.x

  1. On the desktop of the eDiscovery server, open the Clearwell Utility and stop services using option #3.
  2. Make a backup of the folder <EDP_INSTALL_DIR>\web
    Example: D:\CW\v100\web
  3. Make a backup copy of the file <EDP_INSTALL_DIR>\build.pl
  4. Copy the contents of the patch binaries folder to the <EDP_INSTALL_DIR> and overwrite existing files.
  5. Delete the following 3 files from <EDP_INSTALL_DIR>\web\app\WEB-INF\lib
    log4j-1.2-api-2.13.3.jar
    log4j-api-2.13.3.jar
    log4j-core-2.13.3.jar
  6. Open the file <EDP_INSTALL_DIR>\config\configs\default.properties
    Make a backup copy of the default.properties file
    Replace all the occurrences of the text log4j-1.2-api-2.13.3.jar with log4j-1.2-api-2.16.0.jar
    Replace all the occurrences of the text log4j-api-2.13.3.jar with log4j-api-2.16.0.jar
    Replace all the occurrences of the text log4j-core-2.13.3.jar with log4j-core-2.16.0.jar
    Save the updated file.
  7. Open the Clearwell Utility and run option #7 to deploy the changed default.properties file and start eDiscovery service.

Steps for eDiscovery Platform version 10.1

  1. On the desktop of the eDiscovery server, open the Clearwell Utility and stop services using option #3.
  2. Make a backup of the following folders:
    <EDP_INSTALL_DIR>\web
    <EDP_INSTALL_DIR>\3rdparty\vtas\ConversionUtilities
  3. Make a backup copy of the file <EDP_INSTALL_DIR>\build.pl 
  4. Copy all the files and folders within the "binaries" folder in the patch to <EDP_INSTALL_DIR> and overwrite existing files.
  5. Delete the following 3 files from <EDP_INSTALL_DIR>\web\app\WEB-INF\lib
    log4j-1.2-api-2.13.3.jar
    log4j-api-2.13.3.jar
    log4j-core-2.13.3.jar
  6. Open the file <EDP_INSTALL_DIR>\config\configs\default.properties
    Make a backup copy of the default.properties file
    Replace all the occurrences of the text log4j-1.2-api-2.13.3.jar with log4j-1.2-api-2.16.0.jar
    Replace all the occurrences of the text log4j-api-2.13.3.jar with log4j-api-2.16.0.jar
    Replace all the occurrences of the text log4j-core-2.13.3.jar with log4j-core-2.16.0.jar
    Save the updated file.
  7. Open the Clearwell Utility and run option #7 to deploy the changed default.properties file and start eDiscovery services.

Note: The log4j 2.16.0 resolution above includes a new log4j-core-2.16.0.jar file that contains an updated version of the JndiLookup.class file, modified to disable JNDI access by default.  It is therefore not necessary to apply the earlier mitigation of removing the JndiLookup.class file from the log4j-core-2.16.0 jar file.
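The three procedures above differ only in the install directory and the Log4j version being replaced (2.12.1 for 9.5.x, 2.13.3 for 10.0.x and 10.1). The following PowerShell script is an added example, not Veritas-supplied code: it performs steps 2, 3, 5 and 6 for either version after the patch binaries have been copied in (step 4), then checks that no older log4j-core jar remains under the install directory. `$InstallDir`, `$OldVersion` and `$NewVersion` are assumptions you set for your environment; the Clearwell Utility steps (1 and 7) are still done by hand.

```powershell
# Added example, not part of the Veritas advisory. The parameters are assumptions
# for your environment: the install dir from step 2 (D:\CW\v100 is the page's
# example for 10.0.x) and the Log4j version being replaced.
param(
    [string]$InstallDir = 'D:\CW\v100',
    [string]$OldVersion = '2.13.3',
    [string]$NewVersion = '2.16.0'
)
$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$jars  = 'log4j-1.2-api', 'log4j-api', 'log4j-core'

# Steps 2 and 3: back up the web folder and build.pl before touching anything.
Copy-Item "$InstallDir\web" "$InstallDir\web.bak-$stamp" -Recurse
Copy-Item "$InstallDir\build.pl" "$InstallDir\build.pl.bak-$stamp"

# Step 5: remove the three old jars. The lib folder sits under 'apps' in 9.5.x
# and 'app' in 10.x, so resolve whichever one exists.
$lib = Get-ChildItem "$InstallDir\web" -Directory |
       Where-Object { $_.Name -in 'app', 'apps' } |
       ForEach-Object { Join-Path $_.FullName 'WEB-INF\lib' } |
       Where-Object { Test-Path $_ } | Select-Object -First 1
foreach ($name in $jars) {
    Remove-Item (Join-Path $lib "$name-$OldVersion.jar") -ErrorAction SilentlyContinue
}

# Step 6: back up default.properties and rewrite the three jar references.
$props = "$InstallDir\config\configs\default.properties"
Copy-Item $props "$props.bak-$stamp"
$text = Get-Content $props -Raw
foreach ($name in $jars) {
    $text = $text.Replace("$name-$OldVersion.jar", "$name-$NewVersion.jar")
}
Set-Content -Path $props -Value $text -NoNewline

# Check: any log4j-core jar left under the install dir that is not the new
# version is a vulnerable copy still on disk, and a scanner will keep flagging it.
$leftover = Get-ChildItem $InstallDir -Recurse -Filter 'log4j-core-*.jar' |
            Where-Object { $_.Name -ne "log4j-core-$NewVersion.jar" }
if ($leftover) {
    Write-Warning "Old log4j-core jars remain:`n$($leftover.FullName -join "`n")"
} else {
    Write-Output "default.properties references log4j $NewVersion; no older log4j-core jars remain under $InstallDir."
}
```

Run it from an elevated PowerShell prompt after step 4 and before step 7; the backups carry a timestamp so a failed run can be rolled back by restoring them.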

 

Questions 

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

NOTE: This document is being reviewed frequently and this note will be updated once all affected versions have been identified and mitigation options have been verified.

 

Revision History (latest updates on top)

• The mitigation procedure of removing the JndiLookup.class file from the log4j-core JAR file has been removed, after further testing confirmed that the log4j 2.16.0 solution can be applied to all eDiscovery Platform versions 9.5.0 and above - Dec 23, 2021
• Solution patch to upgrade to Apache log4j 2.16.0 released for versions 9.5.2, 10.0.2 and 10.1 - Dec 20, 2021
• Updated mitigation steps based on latest changes in CVE-2021-44228 and CVE-2021-45046 - Dec 15, 2021
• Removed the references of Accusoft PrizmDoc and VIC as they are not affected - Dec 14, 2021
• Initial response regarding CVE-2021-44228 - Dec 10, 2021

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
