Impact of CVE-2021-44228 and Related Apache Log4j Vulnerabilities on Veritas APTARE IT Analytics and mitigation steps
About Apache Log4j Vulnerabilities
Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The Apache Software Foundation has recently released a number of security advisories addressing vulnerabilities that affect Log4j versions 2.0-beta9 to 2.17.0. The specific vulnerabilities are detailed below.
More information is available from the Apache Announcement, which recommends upgrading to the latest Log4j 2.17.1. Aptare IT Analytics will include this version in the upcoming Patch Releases 10.6 P9 and 10.5 P14.
Issues (in chronological order of announcement)
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
Severity: Critical - Base CVSS Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Critical - Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Severity: Moderate - Base CVSS Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Severity: Moderate - Base CVSS Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Versions
The following versions of APTARE IT Analytics are affected by these vulnerabilities:
Product | Versions | Affected by | Resolution
Veritas APTARE IT Analytics | 10.5 P12 and earlier; 10.6 P7 and earlier | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Upgrade to 10.5 P13 (or later) or 10.6 P8 (or later)
Veritas APTARE IT Analytics | 10.5 P13; 10.6 P8 | CVE-2021-45105, CVE-2021-44832 | Upgrade to 10.5 P14 (or later) or 10.6 P9 (or later)
Veritas APTARE IT Analytics | 10.4 and earlier | None | No vulnerabilities reported. These versions don't use log4j 2.x but do use log4j 1.x (which is now at end of life). One vulnerability (CVE-2021-4104) that applies to log4j 1.x does not apply to Aptare since the product does not use JMSAppender.
Links to download Patch Release with Full Remediation:
10.5 P14 - https://www.veritas.com/content/support/en_US/downloads/update.UPD924388
10.6 P9 - https://www.veritas.com/content/support/en_US/downloads/update.UPD924445
Note that log4j 2.16.0, 2.13.3 or older jar files may remain in the Aptare folder after the patch has been applied. These are not used and, except for the files under the Oracle directory, can safely be deleted if necessary. The Oracle database is not vulnerable to these security findings, and the older jar files will be removed when the October 2021 quarterly patch is installed.
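To verify that note after patching, the following is an added example (not Veritas code) that inventories log4j-core jars under an install root, reads each jar's version from its manifest (falling back to the file name), flags copies below 2.17.1 for deletion and marks copies under the Oracle directory as keep. The install-root argument and the directory name "oracle" are assumptions, and the sample tree it scans is constructed in a temp directory.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional

# Added example, not Veritas code. Assumptions: the caller supplies the Aptare
# install root, and "the Oracle directory" is any path component named "oracle".
FIXED = (2, 17, 1)  # Log4j release the advisory recommends
NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def jar_version(path: Path) -> Optional[str]:
    """Prefer Implementation-Version from the manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less jar: use the version in the file name
    m = NAME_RE.match(path.name)
    return m.group(1) if m else None


def scan_log4j(root: str) -> List[dict]:
    """List every log4j-core jar under root with its version and the advised action."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filter(NAME_RE.match, filenames):
            path = Path(dirpath) / name
            in_oracle = any(p.lower() == "oracle" for p in path.relative_to(root).parts)
            version = jar_version(path)
            stale = version is not None and tuple(map(int, version.split("."))) < FIXED
            action = "keep (Oracle dir)" if in_oracle else "delete" if stale else "ok"
            findings.append({"path": str(path), "version": version, "stale": stale, "action": action})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed sample tree (not a real Aptare layout) so the scan runs offline."""
    root = tempfile.mkdtemp()
    for rel, ver in {"lib/log4j-core-2.17.1.jar": "2.17.1", "old/log4j-core-2.16.0.jar": "2.16.0",
                     "oracle/log4j-core-2.13.3.jar": "2.13.3"}.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root) / rel, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root
```

Run `scan_log4j("/path/to/aptare")` against a real install root and act only on entries whose action is "delete".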
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.