Aternity's Response to Apache's Log4j Exploits CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832

Solution Number:
S35643
Last Modified:
2022-02-24
Issue
[Last Updated Feb 24, 2022 11:30 a.m. EST]

What is the issue?

On Dec 9, a remote code execution vulnerability in Apache log4j was announced (CVE-2021-44228). Since the initial CVE, there have subsequent CVEs announced.
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105

https://nvd.nist.gov/vuln/detail/CVE-2021-4104
https://nvd.nist.gov/vuln/detail/CVE-2021-44832
https://www.lunasec.io/docs/blog/log4j-zero-day/


Is Aternity Impacted?
There are some Aternity (EUE & APM SaaS, EUE OnPrem, EUE Mac Agent) and 3rd party components which utilize log4j v2 that may be impacted by this vulnerability.
Solution
What's Being Done to Mitigate the Vulnerability?
Aternity takes security seriously and understands its significance to our customers. We are working on assessing these vulnerabilities.

Aternity EUE SaaS Not Vulnerable
The components of SaaS have been updated in accordance with Apache's mitigation techniques to mitigate the risk of CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Our security team rolled out changes to all production environments to address those vulnerabilities. We have upgraded all components to log4j 2.17.0.

EUE SaaS is also not vulnerable to CVE-2021-4104. The vulnerability targets JMSAppender, which is not used on any of its servers and therefore not at risk for this vulnerability.

To further strengthen the security and mitigate the risk, we've applied additional patches to components that we've found to be potentially exploited by these vulnerabilities and introduced additional security measures like enabling specific AWS WAF protection rules on our SaaS environment which mitigates the risk for any query parameter and known headers.

Aternity maintains an ISO 27001 certified vulnerability management and access management programs. As part of this program, we have reviewed impact of CVE-2021-44832 within our environment and products and have confirmed that our platform is not vulnerable because no external entities have control of any Aternity systems, — a key requirement for the weakness to be exposed.

The SaaS platform remains secured against known log4j-related exploits.

Aternity APM SaaS Not Vulnerable
Our Java-based WebUI does not use log4j and is not at risk for these vulnerabilities.

Aternity EUE OnPrem
If your environment is accessible from outside your network, as an interim step, it is recommended to apply firewall rules to block external access to reduce risk arising from external sources.
Please see a dedicated detailed page for EUE OnPrem status - Aternity EUE OnPrem mitigation for Apache's Log4j Exploits CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832

CVE-2021-4104 Not Vulnerable The servers are not affected by this vulnerability. The vulnerability targets JMSAppender, which is not used by the Aternity Platform on any of its servers and therefore not at risk for this vulnerability.

CVE-2021-44832 Under Investigation We are currently investigating if there is any impact to our OnPrem environment servers.

Aternity Windows Component Servers
CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Not Vulnerable MGMT, DW, Aggregation, and Dashboards Gateway servers do not use a version of log4j that is vulnerable to these CVEs.
 
OEM components
Vertica Not Vulnerable Vertica has stated that the Management Console and Kafka Scheduler are impacted however Aternity does not install Management Console or use Kafka Scheduler as part of our implementation and therefore not vulnerable. More information can be found here.

Kafka (Vertica & Docker) Not Vulnerable Apache Kafka has investigated and found that the usage of log4j is not vulnerable. Aternity also has no connector plugin which utilizes Kafka's log4j and therefore not vulnerable. More information can be found here. Apache Kafka is not intending to release a patch at this time. We will continue to monitor for updates to this.

Oracle Not Vulnerable Oracle has investigated and determined that Oracle DB is not affected by these vulnerabilities. More information can be found here. Oracle is not intending to release a patch at this time. We will continue to monitor for updates to this.
 

Docker Components

Aternity APM OnPrem Not Vulnerable
The two Java-based components on our v11.x and later OnPrem Analysis Server are the WebUI and tag server. We've determined that both do not use log4j and therefore are not at risk for this vulnerability. Analysis Server v10.x does not use any affected versions of log4j and therefore is not at risk for these vulnerabilities.

Aternity EUE Agents
Windows: Not Vulnerable - It does not utilize log4j so it is not vulnerable to these vulnerabilities.
Mac:
CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 Fixed Please see Aternity EUE Mac Agent Status regarding Apache's Log4j Exploits CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105
CVE-2021-4104 Not Vulnerable The Mac agent does not use JMSAppender, which is the target of this vulnerability and therefore not at risk for this vulnerability.

Aternity APM Agent Not Vulnerable
The APM agent is not vulnerable to any of the listed CVEs, including CVE-2021-4104. CVE-2021-4104 targets JMSAppender, which is not used in the agent and therefore not at risk for this vulnerability.

As part of Aternity's commitment to security, while the APM agent does not use any affected versions of log4j that are impacted by the listed vulnerabilities, we have released versions 11.8.8 and 12.15.0.518 which removes log4j v1 and updates log4j v2 to 2.17.1 on both Windows and Linux agents. To obtain these latest versions, please reach out to Riverbed TAC to request the packages.

Aternity EUE Tools Not Vulnerable
Recorder, Designer, and Harman Admin Console are not at risk or impacted by these vulnerabilities.
Environment
Aternity SaaS and OnPremise
Attachments
Oracle CVE-2021-44228 and CVE-2021-45046.pdf
379K • 1 minute(s) @ 56k, < 1 minute @ broadband


NOTICE: Riverbed® product names have changed. Please refer to the Product List for a complete list of product names.
Can't find an answer? Create a case