
Apache Tomcat JNDI features used in DI <Pri:1>

Pix_R
Level 5

With the release of a POC for the Apache Log4j2 CVE, can we confirm Data Insight is or is not affected?

NIST- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

 

What effect will setting 'MsgNoLookups' or disabling 'trustURLCodebase' have on DI's operations and logging?

ref: https://www.oracle.com/java/technologies/javase/8u121-relnotes.html

 


Thank you 
Pix

5 REPLIES

davidmoline
Level 6
Employee

Hi Rod

I understand this is being looked at now (along with other impacted Veritas products) and a technote or article will be produced shortly with any mitigation steps required. 

And no, I don't know how soon this will be.

Cheers
David

Pix_R
Level 5

No one does, David.

The POC was released over the weekend and scans are progressing. 

We have reached out to the Support team as well, thanks.

CraigeH
Level 3
Employee

We have updated the Knowledge Base regarding this vulnerability

https://www.veritas.com/content/support/en_US/article.100052067.html

Thank you,

Craige

DataInsight has released the patch for the Log4j vulnerability for CVE-2021-44228 and CVE-2021-45046. The detailed KB article for the same is https://www.veritas.com/content/support/en_US/article.100052067.html. The DataInsight team will continue to assess the newly announced CVE-2021-45105 in Log4j for released DI versions.

Pix_R
Level 5

Any feedback on the 2.17.1 patch version?

What is the risk of removing the SYMHELP folder from all nodes other than the MS or SSP where it may actually be called?

I guess we need to understand what the DI app uses it for.

 

Pix