CVE-2021-44832 (Vulnerability to RCE via JDBC Appender)
Context
Following the vulnerabilities CVE-2021-44228, CVE-2021-45105 & CVE-2021-45046 found in Log4j, a new vulnerability has recently been found in the Log4j library.
Detailed information is provided on the Apache Log4j website.
Impact
Indexima software does not use the JDBC Appender, so we consider the risk to be low.
Mitigation
- Indexima released a service pack (2021.5.sp5) on 7th Jan 2022 containing the Log4j 2.17.1 library, which fixes this vulnerability.
Workaround (Replace Log4j2 library)
- Download the 3 JAR files (version 2.17.1) from https://download.indexima.com/libs/log4j/
- For the 3 Indexima components, Galactica & Visualdoop2 (& Ranger Client if used): after unzipping the install file, replace the following 3 JAR files in the lib directory with the ones downloaded above:
  - log4j-api-2.XX.0.jar
  - log4j-core-2.XX.0.jar
  - log4j-slf4j-impl-2.XX.0.jar
This change is compatible with all currently supported Indexima versions.
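The replacement step above, written out as a POSIX shell script. This is an added example, not a tool shipped by Indexima: it assumes the three 2.17.1 JARs have already been downloaded into a directory of your choice (NEW_JAR_DIR), that the component has been unzipped so its JARs sit in a lib directory (LIB_DIR), and that the Log4j version can be read from the JAR file name, as in the names listed above. It removes every old copy of each of the three artifacts before copying in the new one, so that two Log4j versions never end up side by side on the classpath, and it offers a check that reports whether a lib directory still carries a core JAR older than 2.17.1.

```shell
#!/bin/sh
# Added example (not Indexima's own tooling): swap the three Log4j 2 JARs in an
# Indexima component's lib directory for the 2.17.1 builds and verify the result.
# Assumes the 2.17.1 JARs are already in NEW_JAR_DIR and the component's JARs
# live in LIB_DIR; versions are taken from the file names (log4j-core-2.XX.0.jar).

# Compare two dot-separated numeric versions: true if A >= B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Print the version of the log4j-core JAR found in LIB_DIR ("none" if absent).
log4j_core_version() {
    lib_dir="$1"
    for f in "$lib_dir"/log4j-core-*.jar; do
        [ -e "$f" ] || { echo "none"; return 1; }
        v="${f##*/log4j-core-}"
        echo "${v%.jar}"
        return 0
    done
}

# True when LIB_DIR already carries log4j-core 2.17.1 or newer.
is_patched() {
    v="$(log4j_core_version "$1")" || return 1
    version_ge "$v" 2.17.1
}

# Replace log4j-api, log4j-core and log4j-slf4j-impl in LIB_DIR with the
# 2.17.1 JARs from NEW_JAR_DIR. Fails before touching anything if a new JAR
# is missing; removes all old versions of each artifact so none linger.
replace_log4j_jars() {
    lib_dir="$1"; new_jar_dir="$2"
    for artifact in log4j-api log4j-core log4j-slf4j-impl; do
        [ -f "$new_jar_dir/$artifact-2.17.1.jar" ] || {
            echo "missing $new_jar_dir/$artifact-2.17.1.jar" >&2; return 1; }
    done
    for artifact in log4j-api log4j-core log4j-slf4j-impl; do
        for old in "$lib_dir"/"$artifact"-*.jar; do
            [ -e "$old" ] && rm -f "$old"
        done
        cp "$new_jar_dir/$artifact-2.17.1.jar" "$lib_dir"/
    done
    return 0
}

# Usage: sh replace_log4j.sh LIB_DIR NEW_JAR_DIR
if [ $# -eq 2 ]; then
    echo "before: log4j-core $(log4j_core_version "$1")"
    replace_log4j_jars "$1" "$2" || exit 1
    echo "after:  log4j-core $(log4j_core_version "$1")"
    is_patched "$1" && echo "patched" || echo "NOT patched"
fi
```

Run it once per component (Galactica, Visualdoop2 and, if used, Ranger Client), pointing LIB_DIR at each one's lib directory; `is_patched` can be reused afterwards from a quick audit loop over every installed component to confirm nothing was missed.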
Versions
- 7th Jan 2022: initial version