
Controls Products: Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105


11 comments

  • Bill Brown

    What about CVE-2021-4104? Do 9.3 versions of Infogix and below require an update at this time to address? Our security teams are advising and requiring that all software using any versions of Log4J be immediately remediated to 2.16.0 or later.

    https://access.redhat.com/security/cve/CVE-2021-4104

  • Bill Brown

    Additionally, our security team at US Bank is requesting that we report what versions of log4j are being used in the applications. Are you able to provide those for Assure/ER/Perceive 9.3 so we can report back?

  • Gerard Cafaro

    Version 9.3 uses log4j v1.2.15. I checked with our Engineering and Security teams: the products leverage a configuration that is not vulnerable to CVE-2021-4104.

  • Charlie Matos

    Do the log4j vulnerabilities in the cases below affect Infogix Insight or Assure version 9.4?

    CVE-2021-45105

    CVE-2021-45046

  • Gerard Cafaro

    CVE-2021-45046 only impacts Perceive 9.4 and is patched in the same patch as CVE-2021-44228: Perceive 9.4 Patch: IV-9.4-9684-2 – Infogix

    CVE-2021-45105 is under review by our internal teams, but I do have some preliminary information to share. Assure, Insight and ER don't meet the log4j version requirements for the CVE. No action is needed for Assure, Insight and ER. Perceive meets the log4j version requirement in Perceive 9.4; however, the other requirements for the CVE are being reviewed to determine if there is no impact or if an additional Perceive patch is required.

  • Bjorn Illerstad1

    Jeffery Brown, could you also please confirm that Assure, Visibility, and Insight are all not affected by CVE-2021-4104?

  • Gerard Cafaro

    Assure, Insight, Perceive, ER and Visibility API aren't impacted by CVE-2021-4104. A requirement for the vulnerability is use of JMSAppender, which isn't utilized by the products.

  • Gerard Cafaro

    The article body has been updated to include the following CVEs discussed in the article comments: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105.

    There has also been a new Perceive 9.4 patch (IV-9.4-9684-3) released for CVE-2021-45105. Perceive 9.4 is the only product/version combination within Assure, Insight, Perceive, ER and Visibility API that could have been impacted by CVE-2021-45105. 

  • Jeffery Brown

    For releases 9.3 and 9.4, there is a patch that will be available by February 11 that will address the Log4j 1.x vulnerabilities by removing the class associated with CVE-2021-4104. The patch will also update the customized Log4j 1, which will be a modified 1.2.17, to also remove the classes and packages for the CVE-2022 vulnerabilities (CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307), which were also never configured for use in the system.

  • Jeff Fleck

    I am confused by the last comment, which says

    "For releases 9.3 and 9.4, there is a patch that will be available by February 11 that will address the Log4j1.x vulnerabilities by removing the class associated with CVE-2021-4104."

    Earlier it was said that

    "Assure, Insight, Perceive, ER and Visibility API aren't impacted by CVE-2021-4104. A requirement for the vulnerability is use of JMSAppender, which isn't utilized by the products."

    So which is it??  Are there vulnerabilities and impacts or not?  We are on release 9.2.  If there truly is a vulnerability, can we please get a patch to this version also?

    thanks

  • Matthew Kennedy

    Hi Jeff,

    The application is not affected by the CVE-2021-4104 vulnerability. The patch removes the JMSAppender altogether (despite the application never utilizing it).

    That being said, there is a v9.3 / v9.4 patch that removes this JMSAppender class.

    Platform 9.3 Patch: IPS-9.3-14675-5 – Infogix

    Platform 9.4 Patch: IPS-9.4-15056-1 – Infogix

    For customers on earlier versions (v9.2 included) we recommend upgrading to the latest in-support product release.

    Assure DQ, Insight, Perceive and ER Product Support Lifecycle – Infogix

    Matthew Kennedy

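The two checks the vendor replies rest on (is the JMSAppender class still shipped in the log4j 1.x jar, and does the log4j configuration actually wire it to a logger?) are something a customer's security team can verify for themselves before accepting a "not configured, therefore not impacted" answer. The script below is an added example and is not Infogix or Precisely code; the class-to-CVE mapping follows the upstream log4j 1.x advisories, while the jar contents, the properties text and every identifier in them are constructed for the example. Point scan_jar() and scan_properties() at a real log4j jar and log4j.properties to audit a deployment.

```python
"""Audit a log4j 1.x deployment for the classes tied to CVE-2021-4104,
CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307, and for log4j.properties
entries that wire the risky appenders to a logger.

Added example, not Infogix/Precisely code. Inputs are constructed inline so
the script runs offline; read real files into scan_jar()/scan_properties().
"""
import io
import re
import zipfile

# Jar entries the upstream advisories name per CVE. A trailing "/" marks a
# whole package (Chainsaw ships several classes).
RISKY_ENTRIES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}

# Appender classes a log4j.properties file can activate. JMSSink and Chainsaw
# are standalone tools, not appenders, so they have no configuration hook.
RISKY_APPENDER_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*([\w.$]+)\s*$", re.M)
LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[\w.$]+|category\.[\w.$]+)"
    r"\s*=\s*(.*?)\s*$", re.M)


def scan_jar(jar_bytes: bytes) -> dict:
    """Return {cve: [entry, ...]} for every risky class still inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for prefix, cve in RISKY_ENTRIES.items():
                if name == prefix or (prefix.endswith("/") and name.startswith(prefix)):
                    found.setdefault(cve, []).append(name)
    return found


def scan_properties(text: str) -> dict:
    """Return {appender_name: (class, cve, attached)} for risky appenders
    defined in a log4j 1.x properties file. 'attached' is True when a logger
    line lists the appender, i.e. log4j would actually instantiate it."""
    defined = {m.group(1): m.group(2) for m in APPENDER_RE.finditer(text)}
    attached = set()
    for m in LOGGER_RE.finditer(text):
        tokens = [t.strip() for t in m.group(1).split(",")]
        attached.update(t for t in tokens[1:] if t)  # first token is the level
    return {name: (cls, RISKY_APPENDER_CLASSES[cls], name in attached)
            for name, cls in defined.items() if cls in RISKY_APPENDER_CLASSES}


def assess(jar_bytes: bytes, config_text: str) -> dict:
    """Per CVE: 'exposed' (class shipped and its appender wired to a logger),
    'present' (class shipped but unused: the pre-patch state described in the
    thread) or 'absent' (class removed: the post-patch state)."""
    in_jar = scan_jar(jar_bytes)
    appenders = scan_properties(config_text)
    verdict = {}
    for cve in set(RISKY_ENTRIES.values()):
        wired = any(c == cve and att for _, c, att in appenders.values())
        verdict[cve] = ("exposed" if wired else "present") if cve in in_jar else "absent"
    return verdict


def _build_jar(entries) -> bytes:
    """Constructed stand-in jar: only entry names matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed inputs, not real Infogix artifacts.
UNPATCHED_JAR = _build_jar([
    "META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class", "org/apache/log4j/chainsaw/Main.class",
])
PATCHED_JAR = _build_jar([
    "META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
    "org/apache/log4j/RollingFileAppender.class",
])
SAFE_CONFIG = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=app.log
"""
RISKY_CONFIG = SAFE_CONFIG.replace("INFO, FILE", "INFO, FILE, JMS") + """\
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=constructed.example.topic
"""

if __name__ == "__main__":
    for label, jar, cfg in [("unpatched jar, JMS unused", UNPATCHED_JAR, SAFE_CONFIG),
                            ("unpatched jar, JMS wired", UNPATCHED_JAR, RISKY_CONFIG),
                            ("patched jar, JMS wired", PATCHED_JAR, RISKY_CONFIG)]:
        print(label, assess(jar, cfg))
```

The three verdicts map onto the positions taken in the thread: "present" is the 9.3/9.4 state before the platform patches (class shipped, never configured), "absent" is what removing the classes achieves, and "exposed" is the only case in which CVE-2021-4104 is actually reachable, and it requires write access to the logging configuration. Two caveats: the parser covers log4j.properties only, so an XML configuration (log4j.xml) needs its own check, and class presence alone is what most scanners flag, which is why a vendor answer should state both the shipped version and the appenders in use.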
