Pix_R
Level 5
3 years ago

Apache Tomcat JNDI features used in DI <Pri:1>

With the release of a POC for the Apache Log4j2 CVE, can we confirm Data Insight is or is not affected?

NIST - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

 

What effect will setting 'MsgNoLookups' or disabling 'trustURLCodebase' have on DI's operations and logging?

ref: https://www.oracle.com/java/technologies/javase/8u121-relnotes.html

 


Thank you 
Pix

5 Replies

  • Hi Rod

    I understand this is being looked at now (along with other impacted Veritas products) and a technote or article will be produced shortly with any mitigation steps required. 

    And no, I don't know how soon this will be.

    Cheers
    David

  • No one does, David.

    The POC was released over the weekend and scans are progressing. 

    We have reached out to the Support team as well, thanks.

  • Any feedback on the 2.17.1 patch version?

    What is the risk of removing the SYMHELP folder from all nodes other than the MS or SSP where it may actually be called?

    I guess we need to understand what the DI app uses it for.

     

    Pix