What's Being Done to Mitigate the Vulnerability?
Aternity takes security seriously and understands its significance to our customers. We are working on assessing these vulnerabilities.
Aternity EUE SaaS Not Vulnerable
The SaaS components have been updated in accordance with Apache's mitigation techniques to mitigate the risk of CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Our security team rolled out changes to all production environments to address those vulnerabilities. We have upgraded all components to log4j 2.17.0.
EUE SaaS is also not vulnerable to CVE-2021-4104. That vulnerability targets JMSAppender, which is not used on any of its servers, so they are not at risk from it.
To further strengthen security and mitigate the risk, we have applied additional patches to components that we found to be potentially affected by these vulnerabilities, and we have introduced additional security measures, such as enabling specific AWS WAF protection rules on our SaaS environment, which mitigate the risk from malicious query parameters and known headers.
Aternity maintains ISO 27001 certified vulnerability management and access management programs. As part of these programs, we have reviewed the impact of CVE-2021-44832 within our environment and products and have confirmed that our platform is not vulnerable, because no external entities have control of any Aternity systems, which is a key requirement for the weakness to be exposed.
The SaaS platform remains secured against known log4j-related exploits.
Aternity APM SaaS Not Vulnerable
Our Java-based WebUI does not use log4j and is not at risk for these vulnerabilities.
Aternity EUE OnPrem
If your environment is accessible from outside your network, we recommend, as an interim step, applying firewall rules to block external access in order to reduce the risk arising from external sources.
Please see the dedicated detailed page for EUE OnPrem status: Aternity EUE OnPrem mitigation for Apache's Log4j Exploits CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832
CVE-2021-4104: Not Vulnerable - The servers are not affected by this vulnerability. It targets JMSAppender, which the Aternity Platform does not use on any of its servers, so they are not at risk from it.
CVE-2021-44832: Under Investigation - We are currently investigating whether there is any impact to our OnPrem environment servers.
Aternity Windows Component Servers
CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105: Not Vulnerable - The MGMT, DW, Aggregation, and Dashboards Gateway servers do not use a version of log4j that is vulnerable to these CVEs.
OEM components
Vertica: Not Vulnerable - Vertica has stated that the Management Console and Kafka Scheduler are impacted; however, Aternity does not install the Management Console or use the Kafka Scheduler as part of our implementation and is therefore not vulnerable. More information can be found here.
Kafka (Vertica & Docker): Not Vulnerable - Apache Kafka has investigated and found that its usage of log4j is not vulnerable. Aternity also has no connector plugin that utilizes Kafka's log4j and is therefore not vulnerable. More information can be found here. Apache Kafka is not intending to release a patch at this time. We will continue to monitor for updates on this.
Oracle: Not Vulnerable - Oracle has investigated and determined that Oracle DB is not affected by these vulnerabilities. More information can be found here. Oracle is not intending to release a patch at this time. We will continue to monitor for updates on this.
Docker Components
Aternity APM OnPrem Not Vulnerable
The two Java-based components on our v11.x and later OnPrem Analysis Server are the WebUI and the tag server. We have determined that neither uses log4j, so they are not at risk for these vulnerabilities. Analysis Server v10.x does not use any affected versions of log4j and is therefore not at risk for these vulnerabilities.
Aternity EUE Agents
Windows: Not Vulnerable - It does not utilize log4j so it is not vulnerable to these vulnerabilities.
Mac:
Aternity APM Agent Not Vulnerable
The APM agent is not vulnerable to any of the listed CVEs, including CVE-2021-4104. CVE-2021-4104 targets JMSAppender, which is not used in the agent, so the agent is not at risk for this vulnerability.
As part of Aternity's commitment to security, and although the APM agent does not use any versions of log4j that are affected by the listed vulnerabilities, we have released versions 11.8.8 and 12.15.0.518, which remove log4j v1 and update log4j v2 to 2.17.1 on both Windows and Linux agents. To obtain these latest versions, please reach out to Riverbed TAC to request the packages.
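For customers who want to confirm on their own OnPrem hosts what this advisory states for the SaaS platform and the agents (log4j 2 upgraded to 2.17.0 / 2.17.1, log4j 1 only exposed to CVE-2021-4104 when JMSAppender is configured), the following added example, which is not Aternity's or Riverbed's code, classifies an inventory of log4j jar names against the listed CVEs. It assumes the jar names follow the standard `log4j-core-<version>.jar` / `log4j-<version>.jar` naming and uses Apache's mainline 2.x fix versions; the 2.3.x and 2.12.x backport branches are not modelled and would be flagged conservatively.

```python
import re

# Mainline log4j 2.x release in which each CVE listed in this advisory was fixed
# (Apache's published fix versions; 2.3.x / 2.12.x backports are not modelled here).
FIX_VERSIONS = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

# Matches log4j-1.2.17.jar and log4j-core-2.14.1.jar; log4j-api is not the affected artifact.
JAR_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_log4j_jar(path):
    """Return (major, minor, patch) for a log4j / log4j-core jar name, else None."""
    m = JAR_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(jar_paths, config_text=""):
    """Map each log4j jar to the listed CVEs it is still exposed to.

    jar_paths: jar file names found on the host (a constructed inventory in the demo).
    config_text: contents of a log4j 1.x properties/XML file; only used for CVE-2021-4104,
    which needs JMSAppender to be configured (the condition this advisory relies on).
    """
    findings = {}
    jms_configured = "jmsappender" in config_text.lower()
    for path in jar_paths:
        ver = parse_log4j_jar(path)
        if ver is None:
            continue  # not a log4j / log4j-core jar
        if ver[0] == 1:
            findings[path] = ["CVE-2021-4104"] if jms_configured else []
        else:
            findings[path] = [cve for cve, fixed in FIX_VERSIONS.items() if ver < fixed]
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not data taken from the advisory.
    jars = ["/opt/app/lib/log4j-core-2.14.1.jar",
            "/opt/app/lib/log4j-core-2.17.1.jar",
            "/opt/legacy/lib/log4j-1.2.17.jar",
            "/opt/app/lib/log4j-api-2.17.1.jar"]
    legacy_cfg = "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
    for jar, cves in assess(jars, legacy_cfg).items():
        print(jar, "->", ", ".join(cves) or "none of the listed CVEs")
```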
Aternity EUE Tools Not Vulnerable
Recorder, Designer, and Harman Admin Console are not at risk from or impacted by these vulnerabilities.