CVE-2021-44832 (Vulnerability to RCE via JDBC Appender)

Context

Following the vulnerabilities CVE-2021-44228, CVE-2021-45105 & CVE-2021-45046 found in Log4j, a new vulnerability has recently been found in the library.

Detailed information is provided here, on the Apache Log4j website.

Impact

Indexima software does not use the JDBC Appender, so we consider the risk low.

Mitigation

  • On 7th Jan 2022, Indexima released a service pack (2021.5.sp5) containing Log4j 2.17.1, which fixes this vulnerability.

Workaround (Replace Log4j2 library)

  • Download the 3 JAR files (version 2.17.1) from https://download.indexima.com/libs/log4j/
  • For the 3 Indexima components, Galactica & Visualdoop2 (& Ranger Client if used): after unzipping the install file, go to the lib directory and replace the following 3 JAR files with the ones downloaded above:
    • log4j-api-2.XX.0.jar
    • log4j-core-2.XX.0.jar
    • log4j-slf4j-impl-2.XX.0.jar
This change is compatible with all currently supported Indexima versions.
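
A check to run after the replacement, as an added example (not Indexima's own tooling): it confirms by file name that a lib directory holds the 2.17.1 build of each of the three JARs and no other version. It assumes the JAR file names carry the version, as in the list above; the function name and the directories passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: verify a component's lib directory after the Log4j swap.
# Checks file names only; it does not inspect the contents of the JARs.
# Usage: sh check_log4j.sh <component>/lib [<component>/lib ...]
WANT_VERSION="2.17.1"

check_log4j_lib() {
    lib_dir=$1
    result=0
    if [ ! -d "$lib_dir" ]; then
        echo "ERROR:   $lib_dir is not a directory"
        return 2
    fi
    for artifact in log4j-api log4j-core log4j-slf4j-impl; do
        found_wanted=0
        for jar in "$lib_dir/$artifact"-[0-9]*.jar; do
            [ -e "$jar" ] || continue    # glob matched nothing
            case "${jar##*/}" in
                "$artifact-$WANT_VERSION.jar")
                    found_wanted=1 ;;
                *)
                    # Another version left on the classpath next to the new one
                    echo "STALE:   $jar"
                    result=1 ;;
            esac
        done
        if [ "$found_wanted" -eq 0 ]; then
            echo "MISSING: $lib_dir/$artifact-$WANT_VERSION.jar"
            result=1
        fi
    done
    if [ "$result" -eq 0 ]; then
        echo "OK:      $lib_dir"
    fi
    return "$result"
}

# Check every directory given on the command line; overall is 1 if any failed.
overall=0
for dir in "$@"; do
    check_log4j_lib "$dir" || overall=1
done
```

A STALE line means an older JAR is still sitting in lib beside the new one and should be removed, since both would be on the classpath.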

Versions

  • 7th Jan 2022: initial version