What's Being Done to Mitigate the Vulnerability?
Aternity takes security seriously and understands its significance to our customers. We are working on assessing these vulnerabilities.
Aternity EUE SaaS Not Vulnerable
The components of SaaS have been updated in accordance with Apache's mitigation techniques to mitigate the risk of CVE-2021-44228
. Our security team rolled out changes to all production environments to address those vulnerabilities. We have upgraded all components to log4j 2.17.0.
EUE SaaS is also not vulnerable to CVE-2021-4104
. The vulnerability targets JMSAppender, which is not used on any of its servers and therefore not at risk for this vulnerability.
To further strengthen the security and mitigate the risk, we've applied additional patches to components that we've found to be potentially exploited by these vulnerabilities and introduced additional security measures like enabling specific AWS WAF protection rules on our SaaS environment which mitigates the risk for any query parameter and known headers.
Aternity maintains an ISO 27001 certified vulnerability management and access management programs. As part of this program, we have reviewed impact of CVE-2021-44832
within our environment and products and have confirmed that our platform is not vulnerable
because no external entities have control of any Aternity systems, — a key requirement for the weakness to be exposed.
The SaaS platform remains secured against known log4j-related exploits.
Aternity APM SaaS Not Vulnerable
Our Java-based WebUI does not use log4j and is not at risk for these vulnerabilities.
Aternity EUE OnPrem
If your environment is accessible from outside your network, as an interim step, it is recommended to apply firewall rules to block external access to reduce risk arising from external sources.
Please see a dedicated detailed page for EUE OnPrem status - Aternity EUE OnPrem mitigation for Apache's Log4j Exploits CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832
CVE-2021-4104 Not Vulnerable
The servers are not
affected by this vulnerability. The vulnerability targets JMSAppender, which is not used by the Aternity Platform on any of its servers and therefore not at risk for this vulnerability.
CVE-2021-44832 Under Investigation
We are currently investigating if there is any impact to our OnPrem environment servers.
Aternity Windows Component Servers
CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Not Vulnerable MGMT, DW, Aggregation, and Dashboards Gateway servers do not use a version of log4j that is vulnerable to these CVEs.
Vertica Not Vulnerable
Vertica has stated that the Management Console and Kafka Scheduler are impacted however Aternity does not
install Management Console or use Kafka Scheduler as part of our implementation and therefore not vulnerable. More information can be found here
Kafka (Vertica & Docker) Not Vulnerable
Apache Kafka has investigated and found that the usage of log4j is not vulnerable. Aternity also has no connector plugin which utilizes Kafka's log4j and therefore not vulnerable. More information can be found here
. Apache Kafka is not intending to release a patch at this time. We will continue to monitor for updates to this.
Oracle Not Vulnerable
Oracle has investigated and determined that Oracle DB is not affected by these vulnerabilities. More information can be found here
. Oracle is not intending to release a patch at this time. We will continue to monitor for updates to this.
Aternity APM OnPrem Not Vulnerable
The two Java-based components on our v11.x and later OnPrem Analysis Server are the WebUI and tag server. We've determined that both do not
use log4j and therefore are not
at risk for this vulnerability. Analysis Server v10.x does not
use any affected versions of log4j and therefore is not
at risk for these vulnerabilities.
Aternity EUE Agents
Windows: Not Vulnerable - It does not utilize log4j so it is not vulnerable to these vulnerabilities.
Aternity APM Agent Not Vulnerable
The APM agent is not
vulnerable to any of the listed CVEs, including CVE-2021-4104. CVE-2021-4104 targets JMSAppender, which is not
used in the agent and therefore not at risk for this vulnerability.
As part of Aternity's commitment to security, while the APM agent does not use any affected versions of log4j that are impacted by the listed vulnerabilities, we have released versions 11.8.8 and 22.214.171.1248 which removes log4j v1 and updates log4j v2 to 2.17.1 on both Windows and Linux agents. To obtain these latest versions, please reach out to Riverbed TAC
to request the packages.
Aternity EUE Tools Not Vulnerable
and Harman Admin Console
at risk or impacted by these vulnerabilities.