LAST UPDATE: 1/25/2022 2:10 PM EST
Are any of the components of CAPM affected by the recently announced Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832)?
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
All Supported Versions
This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1.
Only the following components are affected:
The NetOps Portal and Data Aggregator Proxy are not affected.
Versions Affected: Customers running 21.2.2-21.2.6 must run the following on the DA (both DAs in an FT environment) and all DCs. Version 21.2.7 ships with 2.17.1 for DA / DC karaf. No mitigation steps are needed for 21.2.7+.
Notes:
DA:
DC:
Versions Affected: All Data Repository Nodes running Vertica 9.1.1 and 10.1.1 (Performance Management 3.7.x - 21.2.x):
Notes:
Vertica/Kafka:
Notes:
Become the <dbadmin> user on any Vertica node.
$ su - dradmin
To uninstall the Kafka Vertica package, run:
/opt/vertica/bin/admintools -t uninstall_package -d <dbname> -p<dbpassword> -P kafka
Example:
$ /opt/vertica/bin/admintools -t uninstall_package -d drdata -p dbpass -P kafka
If you re-run the same command, you will get a message that the Kafka package is not currently installed:
Note that the kafka package is still displayed in the output of the following command:
$ /opt/vertica/bin/admintools -t list_packages
Log into each Vertica node as root, and run this command:
rm -rf /opt/vertica/packages/kafka
After removing the kafka files, the package is no longer displayed in the following syntax:
No need to restart Vertica.
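A post-removal check for the procedure above, as an added example that is not part of the original article: it looks for log4j-core jars by file name under a directory and flags versions inside the 2.0-beta9 to 2.14.1 range this page gives. The function names are hypothetical, the default scan root /opt/vertica/packages is assumed from the kafka path above, and name-based matching will miss renamed or shaded jars.

```shell
#!/bin/sh
# Added example: verify no in-range log4j-core jars remain after removing the kafka package.

# Return 0 if version $1 lies in the range stated on this page (2.0-beta9 .. 2.14.1).
# Backported fix releases inside that range are not special-cased: treat hits as "review".
in_page_range() {
  v=$1
  case "$v" in
    2.0-alpha*|2.0-beta[1-8]) return 1 ;;   # earlier than 2.0-beta9
    2.0-beta9|2.0-rc*)        return 0 ;;
    2.*)                      ;;            # compare numerically below
    *)                        return 1 ;;   # not a 2.x version string
  esac
  IFS=. read -r maj min pat <<EOF
$v
EOF
  min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}  # drop suffixes such as "-tests"
  min=${min:-0}; pat=${pat:-0}
  [ "$min" -lt 14 ] && return 0
  [ "$min" -eq 14 ] && [ "$pat" -le 1 ] && return 0
  return 1
}

# Print one line per log4j-core jar found under directory $1:
#   REVIEW <version> <path>   version is inside the page's affected range
#   ok     <version> <path>   version is outside it
scan_log4j() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
  while IFS= read -r jar; do
    v=${jar##*/}; v=${v#log4j-core-}; v=${v%.jar}
    if in_page_range "$v"; then
      echo "REVIEW $v $jar"
    else
      echo "ok $v $jar"
    fi
  done
}

# Run on each Vertica node; pass a different root as $1 to scan elsewhere.
scan_log4j "${1:-/opt/vertica/packages}"
```

No output means no log4j-core jars were found under the scanned directory.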
Notes: