Log4j2 Vulnerability (CVE-2021-44228) Fix
This page contains information about the recently discovered Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45105, CVE-2021-4422, CVE-2021-45046). Below you can find which Ataccama modules and versions are affected and how to apply a patch to your specific configuration.
Detailed Description of the Vulnerability and Exploits
https://www.lunasec.io/docs/blog/log4j-zero-day/
Log4j Mitigation Guide
https://lists.apache.org/thread/gzj2jsglvsffzs8zormxyly0vofdxp6j
Version 13.x
Ataccama components are not vulnerable to CVE-2021-44228. Gen2 does not use Log4j as the underlying logging library: SLF4J is used as the logging abstraction layer and Logback as the underlying logging implementation. The file log4j-core-<version>.jar, which contains the vulnerable JndiLookup class, is not present on the classpath.
Component | Vulnerable |
---|---|
MMM Backend | No |
MMM Frontend | No |
DPM | No |
DPE | No |
Runtime | No |
AI Core | No |
Configuration Service | No |
Audit Module | No |
MDM Web Application | No |
MDM Server | No |
RDM Web Application | No |
DQ Issue Tracker Web Application | No |
ONE Desktop | No |
Ataccama 3rd-Party Dependencies
These components are used as standalone dependencies.
Component | Vulnerable | Description | Log4j version |
---|---|---|---|
Keycloak | No | Keycloak is used as an identity provider for authentication and authorization flows. | |
MinIO | No | MinIO is used as object storage. | |
Elasticsearch | VULNERABLE | This is an optional dependency used for search in Gen2 Catalog. This dependency needs to be patched because it is vulnerable. | log4j-core-2.11.1.jar |
Manta | VULNERABLE | This is an optional dependency used for data lineage. This dependency needs to be patched because it is vulnerable. | log4j-core-2.13.1.jar |
How to Patch Elasticsearch
Elasticsearch version 7.16.2 or higher is not vulnerable because it contains Log4j 2.17.0. For other versions of Elasticsearch, install the necessary patch using the following procedure:
- Stop Elasticsearch.
- Following the methodology described here, add the JVM property `-Dlog4j2.formatMsgNoLookups=true`.
- Locate the vulnerable library `log4j-core-*.jar` (where `*` is the relevant version). You can use the following command in the installation directory:
  `find . -type f -name "log4j-core*.jar"`
- If this file exists, the command prints the path to the file. Delete the vulnerable class from it. You can use the following command:
  `zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
- Start Elasticsearch.
How to Patch Manta
- Navigate to https://portal.getmanta.com/manta-software-download/.
- Select your version of Manta in the dropdown.
- Download the Latest Patches zip.
- Unpack the downloaded zip.
- Find the directory `DEV-20185` and open the `readme.txt` in it.
- Continue applying the patch by following the instructions provided in the `readme.txt`.
Version 12.x
Ataccama Components
Component | Vulnerable | Log4j version |
---|---|---|
DQD | No | |
DQIT | No | |
MDM | No | |
RDM | No | |
DQC | No | |
MDA | No | |
Runtime | No | |
MDC | No | |
IDE | No | |
ONE Web App (DQ and DG) | No | log4j-core-2.7.jar |
Ataccama 3rd-Party Dependencies
Component | Vulnerable | Description | Log4j version |
---|---|---|---|
Keycloak | No | Keycloak is used as an identity provider for authentication and authorization flows. | |
RabbitMQ | No | Messaging provider. | |
Elasticsearch | VULNERABLE | This dependency needs to be patched because it is vulnerable. | log4j-core-2.11.1.jar |
How to Secure ONE Web App (DQ and DG)
ONE Web Application (DQ and DG) contains vulnerable Log4j libraries, but these libraries are not actually used at runtime.
We recommend deleting the following libraries from the installation directory (GEN1_INSTALLATION_DIR) for safety reasons:
- `./one/webapps/ROOT/WEB-INF/lib/log4j-api-2.7.jar`
- `./one/webapps/ROOT/WEB-INF/lib/log4j-core-2.7.jar`
After deleting them, restart ONE Web Application.
How to Patch Elasticsearch
Elasticsearch version 7.16.2 or higher is not vulnerable because it contains Log4j 2.17.0. For other versions of Elasticsearch, install the necessary patch using the following procedure:
- Stop Elasticsearch.
- Following the methodology described here, add the JVM property `-Dlog4j2.formatMsgNoLookups=true`.
- Locate the vulnerable library `log4j-core-*.jar` (where `*` is the relevant version). You can use the following command in the installation directory:
  `find . -type f -name "log4j-core*.jar"`
- If this file exists, the command prints the path to the file. Delete the vulnerable class from it. You can use the following command:
  `zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
- Start Elasticsearch.
Version 11.x
This family of versions is not vulnerable to CVE-2021-44228.
Version 10.x
This family of versions is not vulnerable to CVE-2021-44228.
Version 9.x
This family of versions is not vulnerable to CVE-2021-44228.
Ataccama ONE Profiler
ONE Profiler, available on https://app.ataccama.com, is not vulnerable to CVE-2021-44228.
DQ Analyzer
DQ Analyzer is not vulnerable to CVE-2021-44228.
Log4j 1.x Vulnerabilities Mitigation
Ataccama products contain the Log4j 1.x library, which includes the vulnerable classes JMSAppender and SocketServer, but the library is neither configured nor used in a way that allows it to be exploited via CVE-2019-17571 or CVE-2021-4104.
We recommend stripping the affected classes from `log4j-1.*.jar`:
- Locate files containing the Log4j 1.x library. You can use the command:
  `find . -type f -name "log4j-1.*.jar"`
- For all returned files, run the following:
  `zip -d log4j-1.*.jar org/apache/log4j/net/SocketServer.class`
  `zip -d log4j-1.*.jar org/apache/log4j/net/JMSAppender.class`
- Delete log4j-1.2.17.jar from the profiling service (applicable to Gen1). You can use the command:
  `zip -d one/profiling-service/profiling-service.jar BOOT-INF/lib/log4j-1.2.17.jar`
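As an added example (not Ataccama's own tooling), the following Python audit script does what the Elasticsearch and Log4j 1.x procedures above describe: it walks a directory tree like the `find` commands, reports which of the classes named on this page each `log4j-core-*.jar` or `log4j-1.*.jar` still contains, and rewrites the jar without them, the same effect as the `zip -d` commands. The jars it builds in `run_demo` are constructed stand-ins with dummy entries, not real Log4j builds; run `scan_jars` over a real installation before and after patching to confirm the classes are gone while bridge jars such as log4j-to-slf4j (which must stay, per the FAQ) are never touched.

```python
import os, re, tempfile, zipfile

TARGET_CLASSES = {  # entries named on the page, keyed by jar filename pattern; group 1 is the version
    re.compile(r"^log4j-core-(2[\w.\-]*)\.jar$"): ["org/apache/logging/log4j/core/lookup/JndiLookup.class"],
    re.compile(r"^log4j-(1\.[\w.\-]*)\.jar$"): ["org/apache/log4j/net/SocketServer.class",
                                               "org/apache/log4j/net/JMSAppender.class"],
}

def scan_jars(root):
    """Walk root like the page's find command; return [(jar_path, version, [listed classes still present])]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for pattern, classes in TARGET_CLASSES.items():
                match = pattern.match(name)
                if match:
                    path = os.path.join(dirpath, name)
                    with zipfile.ZipFile(path) as jar:
                        present = [c for c in classes if c in jar.namelist()]
                    findings.append((path, match.group(1), present))
    return findings

def strip_classes(jar_path, classes):
    """Same effect as the page's zip -d: rewrite the jar without those entries and return how many were removed."""
    tmp_path, removed = jar_path + ".tmp", 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed += 1
            else:
                dst.writestr(info, src.read(info.filename))  # keeps each entry's original metadata
    os.replace(tmp_path, jar_path)  # atomic swap: a crash never leaves a half-written jar behind
    return removed

def run_demo():
    """Build constructed stand-in jars in a temp dir, then scan, strip and rescan; returns (before, after, removed)."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample jars with dummy entry bodies, not real Log4j builds
        "log4j-core-2.11.1.jar": ["org/apache/logging/log4j/core/Logger.class",
                                  "org/apache/logging/log4j/core/lookup/JndiLookup.class"],
        "log4j-1.2.17.jar": ["org/apache/log4j/Logger.class", "org/apache/log4j/net/SocketServer.class"],
        "log4j-to-slf4j-2.17.0.jar": ["org/apache/logging/slf4j/Log4jLogger.class"],  # bridge jar: left alone
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic; body is irrelevant here
    before = {os.path.basename(p): present for p, _v, present in scan_jars(root)}
    removed = sum(strip_classes(p, present) for p, _v, present in scan_jars(root))
    after = {os.path.basename(p): present for p, _v, present in scan_jars(root)}
    return before, after, removed
```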
FAQ
Q: Is Keycloak vulnerable to CVE-2021-44228?
A: No, Keycloak is not affected by CVE-2021-44228, or the related CVE-2021-4104 in Log4j 1. Please see https://github.com/keycloak/keycloak/discussions/9078 for more information.
Q: Should we delete log4j-over-slf4j-*.jar or log4j-to-slf4j-*.jar files?
A: No, these libraries are not vulnerable. They are used as a drop-in replacement for Log4j code and MUST NOT be deleted.
Q: Should we upgrade Log4j 1.x (log4j-1.x) to Log4j 2.17.0?
A: As Log4j 1.x does NOT offer a JNDI lookup mechanism at the message level, it does NOT suffer from CVE-2021-44228. However, due to other vulnerabilities in Log4j 1.x, please follow the Log4j 1.x vulnerabilities mitigation (see above).
Q: Should we upgrade to Elasticsearch 7.16.2 or higher?
A: No. It has not yet been tested with Ataccama version 13.x or 12.x.
Q: Should we upgrade Elasticsearch to Log4j 2.17.0?
A: No. Dropping the 2.17.0 JAR into Elasticsearch 7.0.0 – 7.16.1 will run into errors and Elasticsearch won't start.