CVE-2021-44832

Article ID: 233448

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Our collector, version 10.7.0.197, is showing up in a vulnerability scan for CVE-2021-44832 regarding the CA agent.  Just a matter of time before the scanner picks up the rest of our collectors on the same version.  The collector is running on Windows 2016 Datacenter with JRE release 8.0.1120.15

Do you have any information on this CVE as it relates to APM if already addressed by Broadcom or in the plans?

Broadcom and Google searches are not turning up anything regarding APM for this CVE.

I'll need a fix or an answer on how it is going to be addressed to report back to the security team.

Environment

Release: 10.7.0

Component: Introscope

Resolution

The APM product (server-side, 10.x and nextgen) uses the patched log4j_1.2.17-cloudera1-nonet.jar, not Log4j 2.x, so it is not affected by CVE-2021-44832.

Additional Information

For AXA:

The AXA team will upgrade Log4j 2.x to the latest version, 2.17.1, in AXA.

The Apache Foundation Log4j group published a new vulnerability report for log4j, CVE-2021-44832. This is a medium risk vulnerability (6.6 CVSS) according to Apache. At this time, Engineering should handle CVE-2021-44832 in line with regular third-party software vulnerability handling procedures. I am sending this email in case there is any unwarranted escalation/attention on this vulnerability due to the recent critical risk log4j CVE database entries. I expect more vulnerability reports in log4j over time, as usual.

https://logging.apache.org/log4j/2.x/security.html

Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.

CVE-2021-44832 Remote Code Execution
Severity: Moderate
Base CVSS Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Versions Affected: All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4

CVE-2021-44832:

Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
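As an added example (not part of this article or of the APM product), a small Python audit that applies the two facts above from the defender's side: whether a Log4j 2 version string falls in the affected range, and whether a log4j2.xml JDBC appender uses a JNDI data source name outside the java: protocol that the fix enforces. The sample configuration, host name and appender names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Security-fix releases named on the Apache page: not affected although <= 2.17.0
FIXED = {(2, 3, 2), (2, 12, 4)}

def parse_version(v):
    # '2.17.0' or '2.0-beta7' -> (2, 17, 0) / (2, 0, 0); pre-release tags are ignored
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError("unrecognised Log4j version: " + v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected_version(v):
    # CVE-2021-44832 range: Log4j 2.x up to 2.17.0 except the fix releases; 1.x (the
    # cloudera 1.2.17 jar APM ships) is a different code base, reported as not affected.
    t = parse_version(v)
    return t[0] == 2 and t <= (2, 17, 0) and t not in FIXED

def unsafe_jdbc_datasources(log4j2_xml):
    # Flag JDBC appenders whose DataSource jndiName is not a java: name. The 2.17.1
    # fix only permits the java protocol, so any other scheme is the risky shape.
    findings = []
    for app in ET.fromstring(log4j2_xml).iter():
        tag = app.tag.lower()
        if tag != "jdbc" and not (tag == "appender" and app.get("type", "").lower() == "jdbc"):
            continue
        for ds in app.iter():
            if ds.tag.lower() == "datasource":
                name = ds.get("jndiName", "")
                if not name.lower().startswith("java:"):
                    findings.append((app.get("name"), name))
    return findings

# Constructed sample log4j2.xml (host name and appender names are made up)
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:/comp/env/jdbc/AuditDb"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="events">
      <DataSource jndiName="ldap://db-host.example:1389/ds"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="auditDb"/></Root></Loggers>
</Configuration>"""
if __name__ == "__main__":
    print("2.17.0 affected:", is_affected_version("2.17.0"))
    print("non-java: data sources:", unsafe_jdbc_datasources(SAMPLE_CONFIG))
```

Run it against each collector's own log4j2.xml and the Log4j jar version found on disk; a non-empty findings list on an affected version is what the scanner is pointing at.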

How to fix it

Solution - Fix Available

Fixed in versions: Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).

The latest stable releases can be found on the Apache Log4j site (see the security page linked above).

No workaround.