12-13-2021 07:17 AM
With the release of a POC for the Apache Log4j2 CVE, can we confirm Data Insight is or is not affected?
NIST- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
What effect will setting 'MsgNoLookups' or disabling 'trustURLCodebase' have on DI's operations and logging?
ref: https://www.oracle.com/java/technologies/javase/8u121-relnotes.html
Thank you
Pix
12-13-2021 12:51 PM
Hi Rod
I understand this is being looked at now (along with other impacted Veritas products) and a technote or article will be produced shortly with any mitigation steps required.
And no, I don't know how soon this will be.
Cheers
David
12-13-2021 12:56 PM
No one does, David.
The POC was released over the weekend and scans are progressing.
We have reached out to the Support team as well, thanks.
12-13-2021 01:26 PM
We have updated the Knowledge Base regarding this vulnerability:
https://www.veritas.com/content/support/en_US/article.100052067.html
Thank you,
Craige
12-18-2021 12:34 PM
DataInsight has released the patch for the Log4j vulnerability for CVE-2021-44228 and CVE-2021-45046. The detailed KB article for the same is https://www.veritas.com/content/support/en_US/article.100052067.html . The DataInsight team will continue to assess the newly announced CVE-2021-45105 in Log4j for released DI versions.
01-03-2022 07:17 AM
Any feedback on the 2.17.1 patch version?
What is the risk of removing the SYMHELP folder from all nodes other than the MS or SSP where it may actually be called?
I guess we need to understand what the DI app uses it for.
Pix
01-04-2022 07:06 AM
I think it's patched now.