The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.
A vulnerability has been publicly disclosed in Apache Log4j 1.2. The vulnerability has been assigned the identifier CVE-2021-4104 with a CVSS score of “High”.
All versions of Data Platform include Log4j 1.2 components, and thus are potentially exposed to this vulnerability. This article describes the potential impact of the vulnerability on Data Platform and options for mitigation.
The National Vulnerability Database describes the CVE-2021-4104 vulnerability at https://nvd.nist.gov/vuln/detail/CVE-2021-4104 as follows (current as of Dec 30, 2021):
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
The default configuration of Data Platform does not meet the preconditions described for the vulnerability to be exploited.
The following steps should be taken on all computers on which Data Platform components are installed:
Audit your logging configuration to ensure it has no JMSAppender configured.
Logging configuration is stored in files named log4j.xml. Such configuration would be highly unusual for a Data Platform installation, and would only appear if a non-default configuration has been applied.
Perform the following steps to upgrade to the latest version of Data Platform. This is the typical upgrade process used for regular monthly releases, as documented in the Data Platform Release Notes.
Also see the following pages:
2021-12-30 12:53 PM CST: Initial article.
2022-01-03 7:50 PM CST: Add link to Data Platform 5.5.48 release notification.
2022-02-01 11:20 PM CST: Update to clarify that not all instances of the Log4j component have been updated in the Data Platform 5.5.48 release.