Updated (Dec 16, 2021): To include discussion of CVE-2021-45046.
Updated (Dec 19, 2021): To include discussion of CVE-2021-45105.
Updated (Dec 20, 2021): To include discussion of CVE-2021-4104.
Updated (Dec 29, 2021): To include discussion of CVE-2021-44832.
Updated (Feb 01, 2022): To include discussion of CVE-2019-17571.
Precisely is aware of the zero-day vulnerability (CVE-2021-44228) in the Java logging library Log4j. The impact on our products is as follows:
LAE (all versions):
No impact (LAE only uses log4j 1.2, which is not affected by CVE-2021-44228).
Analyze <= 3.6.8:
No impact (Analyze only uses log4j 1.2, which is not affected by CVE-2021-44228).
Analyze 3.8.0 - 3.8.2:
No impact. The Log4j 2.x API jar (log4j-api) is shipped, but log4j-core, the jar that contains the vulnerable JNDI lookup, is not.
Analyze 3.8.3:
Log4j 2.x core (log4j-core) is shipped and is used by the Excel nodes. We consider the attack vector extremely unlikely, but see REMEDIATION below.
Note: The above statements reflect the software as it is shipped by Precisely. If you have added other code (for example JDBC drivers not shipped with the product), that code should be validated separately by your internal IT team.
Note: Analyze is not vulnerable to CVE-2021-45105 as it does not use Context Lookups (the ${ctx:...} pattern lookups that trigger the uncontrolled recursion).
Note: No version of Analyze or LAE is vulnerable to CVE-2021-4104 as the JMS Appender is not used.
Note: No version of Analyze or LAE is vulnerable to CVE-2021-44832 as JDBC Appender is not used.
Note: No version of Analyze or LAE is vulnerable to CVE-2019-17571 as the SocketServer is not configured or used. To provide additional assurance, the next maintenance release (Analyze 3.8.5) will ship a stripped-down version of the log4j-1.2.17 jar that does not contain the SocketServer or JMSAppender classes. The same change will be applied to the next LTS release (Analyze 3.10). In the Analyze 3.12 release cycle we will upgrade to Log4j 2 (or remove Log4j 1.x altogether; to be decided).
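The script below is an added example, not Precisely's code, showing how the checks behind the notes above can be applied to your own deployment, including any JDBC drivers or other jars you have added yourself. It walks a directory, identifies Log4j jars from the Maven pom.properties they embed (so it distinguishes log4j-api from log4j-core, the distinction behind the Analyze 3.8.0 - 3.8.2 statement), recurses into jars nested in .war/.ear files, and reports whether each jar still contains the class tied to each CVE: JndiLookup (CVE-2021-44228 / CVE-2021-45046), JdbcAppender (CVE-2021-44832), JMSAppender (CVE-2021-4104) and SocketServer (CVE-2019-17571). The fixing releases it assumes (2.16.0 for the JNDI lookup, 2.17.1 for the JDBC appender) are the upstream Apache Log4j 2 releases; there is no fixing 1.x release, so a 1.x jar is only clear once the class has been stripped, as planned for Analyze 3.8.5. The sample jars it builds when run without arguments are constructed stand-ins containing only Maven metadata and empty class entries, not real Log4j binaries. A flagged class means "review", not "exploitable": as the notes say, whether the lookup or appender is actually configured is what decides.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Optional[Tuple[int, ...]]
# Class file -> (CVE, first Log4j 2 release fixing it; None = Log4j 1.x class with
# no fixed 1.x release, so only stripping the class or moving to Log4j 2 clears it).
MARKERS: Dict[str, Tuple[str, Version]] = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        ("CVE-2021-44228 / CVE-2021-45046", (2, 16, 0)),
    "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender.class":
        ("CVE-2021-44832", (2, 17, 1)),
    "org/apache/log4j/net/JMSAppender.class": ("CVE-2021-4104", None),
    "org/apache/log4j/net/SocketServer.class": ("CVE-2019-17571", None),
}
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text: str) -> Version:
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def artifact_info(zf: zipfile.ZipFile) -> Tuple[str, Version]:
    """Identify a jar from its Maven pom.properties: artifactId log4j-core / log4j-api for Log4j 2, 'log4j' for 1.2."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            lines = zf.read(name).decode("utf-8", "replace").splitlines()
            props = dict(l.strip().split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
            if props.get("groupId") in ("org.apache.logging.log4j", "log4j"):
                return props.get("artifactId", "?"), parse_version(props.get("version", ""))
    return "unknown", None

def scan_archive(zf: zipfile.ZipFile, label: str, findings: List[dict]) -> None:
    artifact, version = artifact_info(zf)
    names = set(zf.namelist())
    hits = []
    for cls, (cve, fixed) in MARKERS.items():
        if cls in names:
            # Review if the class is present and the jar predates the fixing release (or
            # its version is unknown). Presence is not exploitability: check configuration.
            flagged = fixed is None or version is None or version < fixed
            hits.append({"class": cls, "cve": cve, "review": flagged})
    if artifact != "unknown" or hits:
        findings.append({"archive": label, "artifact": artifact,
                         "version": version, "hits": hits})
    for name in names:  # nested archives, e.g. WEB-INF/lib/*.jar inside a .war
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                scan_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))),
                             f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue

def scan_tree(root: str) -> List[dict]:
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        scan_archive(zf, os.path.join(dirpath, f), findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def write_jar(dest, artifact: str, version: str, classes: List[str]) -> None:
    # Constructed sample jar: Maven metadata plus empty class entries, not real Log4j binaries.
    group = "log4j" if artifact == "log4j" else "org.apache.logging.log4j"
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        for cls in classes:
            zf.writestr(cls, b"")

def build_sample_tree(root: Optional[str] = None) -> str:
    """Constructed deployment mirroring the advisory's cases; returns the directory scanned."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(root, exist_ok=True)
    jndi, jdbc, jms, sock = MARKERS  # dict keys in insertion order
    write_jar(os.path.join(root, "log4j-api-2.14.1.jar"), "log4j-api", "2.14.1", [])
    write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "log4j-core", "2.14.1", [jndi, jdbc])
    write_jar(os.path.join(root, "log4j-1.2.17.jar"), "log4j", "1.2.17", [jms, sock])
    write_jar(os.path.join(root, "log4j-1.2.17-stripped.jar"), "log4j", "1.2.17", [])
    nested = io.BytesIO()  # log4j-core 2.16.0 bundled inside a .war
    write_jar(nested, "log4j-core", "2.16.0", [jndi, jdbc])
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", nested.getvalue())
    return root

if __name__ == "__main__":
    for finding in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_tree(build_sample_tree())):
        ver = ".".join(map(str, finding["version"])) if finding["version"] else "?"
        print(f"{finding['archive']}: {finding['artifact']} {ver}")
        for h in finding["hits"]:
            print(f"    {'REVIEW' if h['review'] else 'ok'}  {h['cve']}  {h['class']}")
```

Run it as `python scan_log4j.py /path/to/Analyze` against the installation (and again after applying the 3.8.4 upgrade or the hotfix) to confirm which jars remain and what they contain; with no argument it scans the constructed sample tree. Identification relies on Maven metadata, so a repackaged or shaded jar that omits pom.properties shows up as "unknown" with only its marker classes listed, which is itself worth a look.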
REMEDIATION
There are two options available to address the vulnerability in Analyze 3.8.3:
1. Upgrade to Analyze 3.8.4. This release includes log4j-core 2.16.0, which fixes both recently identified issues (CVE-2021-44228 and CVE-2021-45046).
2. Hotfix. Download the following file, unzip it, and follow the included instructions to apply the fix: https://analyzeinstaller.infogix.com/Data360_Analyze383/Hotfixes/LAE-27610-log4j-security-fix/LAE-27610+Log4j+patch.zip