Raytion Enterprise Search Connectors
Raytion Enterprise Search Connectors are not affected by CVE-2021-44228 since they do not use log4j 2.
All Raytion Enterprise Search Connectors use log4j version 1, which is not vulnerable to CVE-2021-44228. We have done additional analysis: a similar vulnerability can only be exploited if all of the following non-default configurations are in place:
- The JMS Appender is configured in the application’s Log4j configuration
- The javax.jms API is included in the application’s CLASSPATH
- The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application’s configuration, or by trusted code setting a property at runtime
There do exist a few CVEs for log4j which all are not affecting our Raytion Enterprise Search Connectors:
- CVE-2019-17571 does not affect Raytion Enterprise Search Connectors since a specific, non-default configuration is required.
- CVE-2020-9488 does not affect Raytion Enterprise Search Connectors since a specific, non-default configuration is required.
It may be worthwhile checking whether you have adapted the connector configuration.
Please note: Raytion does not deliver any Raytion Enterprise Search Connector product with those non-default settings.
Raytion Search & Retrieval Interface (SRI)
Raytion SRI versions 6.7+ and 7.x are affected by CVE-2021-44228 since an affected version of log4j 2 is used.
Quick fix:
Linux and Windows command line:
Set -Dlog4j2.formatMsgNoLookups=true as JVM_PARAMS in ext/setenv.(sh|bat)
Windows Service:
Add -Dlog4j2.formatMsgNoLookups=true as a procrun parameter
Resolution:
- Upgrade to log4j 2.17 manually:
  - Place the log4j-1.2-api, log4j-api, log4j-core, log4j-slf4j-impl and log4j-jul JARs of version 2.17 in ext/lib.
  - Stop SRI.
  - Remove the old, affected log4j-1.2-api, log4j-api, log4j-core, log4j-slf4j-impl and log4j-jul JARs from the folder app/WEB-INF/lib.
  - Start SRI.
- Future SRI releases will include log4j 2.17 at minimum.
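An added check (not Raytion's own code) for verifying the quick fix and the resolution above against an SRI installation directory. It assumes the JARs keep their Maven-style file names, log4j-<artifact>-<version>.jar, and that the JVM parameter is set in ext/setenv.sh or ext/setenv.bat:

```shell
# Added example, not Raytion's code: audit an SRI installation for log4j 2.x JARs
# below 2.17 in app/WEB-INF/lib and ext/lib and check whether ext/setenv.(sh|bat)
# carries the quick fix. Assumes JARs are named log4j-<artifact>-<version>.jar.

# version_lt A B: true (exit 0) when dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {          # compare major, minor, patch; missing parts are 0
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                              # equal is not lower
    }'
}

# audit_sri <install_dir>: list every log4j JAR in the two lib folders.
# Returns 0 when no log4j 2.x JAR below 2.17 remains (resolved), 2 when such JARs
# remain but the quick fix is set (mitigated only), 1 when neither is the case.
audit_sri() {
    root=$1; vulnerable=0
    for dir in "$root/app/WEB-INF/lib" "$root/ext/lib"; do
        for jar in "$dir"/log4j-*.jar; do
            [ -e "$jar" ] || continue                  # glob matched nothing
            name=$(basename "$jar" .jar)
            ver=${name##*-}                            # trailing -<version> of the file name
            case "$ver" in
                2.*)
                    if version_lt "$ver" 2.17; then
                        echo "VULNERABLE: $jar (log4j $ver < 2.17)"; vulnerable=1
                    else
                        echo "ok: $jar (log4j $ver)"
                    fi ;;
                *)  echo "other: $jar (version $ver, not log4j 2.x)" ;;
            esac
        done
    done
    if grep -qs -- '-Dlog4j2.formatMsgNoLookups=true' "$root/ext/setenv.sh" "$root/ext/setenv.bat"; then
        quickfix=1; echo "quick fix -Dlog4j2.formatMsgNoLookups=true is set in ext/setenv"
    else
        quickfix=0; echo "quick fix -Dlog4j2.formatMsgNoLookups=true is NOT set in ext/setenv"
    fi
    [ "$vulnerable" -eq 0 ] && return 0
    [ "$quickfix" -eq 1 ] && return 2
    return 1
}

# Usage: sh audit.sh /path/to/sri ; echo "exit code $?"
if [ -n "${1:-}" ]; then audit_sri "$1"; fi
```

Exit code 2 means the JVM parameter is in place but the affected JARs are still installed, so the manual upgrade above is still outstanding.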
The following additional CVE within log4j 2 does not affect Raytion SRI:
CVE-2021-45046: the Thread Context Map is not used by SRI; the affected pattern is not used and not exploitable. Other context lookups are not part of the default SRI log patterns.
Raytion Search Experience Manager (SXM)
Please refer to “Raytion Search & Retrieval Interface”.
Raytion Custom Security Manager (CSM)
Raytion CSM version 7.x is not vulnerable to CVE-2021-44228 since the affected log4j2 library is not part of this product.
Raytion CSM prior to version 7.x is also not vulnerable to CVE-2021-44228, as these versions use log4j version 1. We have done additional analysis: a similar vulnerability can only be exploited if all of the following non-default configurations are in place:
- The JMS Appender is configured in the application’s Log4j configuration
- The javax.jms API is included in the application’s CLASSPATH
- The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application’s configuration, or by trusted code setting a property at runtime
There do exist a few CVEs for log4j which all are not affecting our Raytion CSM:
- CVE-2019-17571 does not affect Raytion CSM since a specific, non-default configuration is required.
- CVE-2020-9488 does not affect Raytion CSM since a specific, non-default configuration is required.
It may be worthwhile checking whether you have adapted the CSM configuration.
Raytion does not deliver any Raytion CSM product with those non-default settings.
Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 exploitation
The following references may be of further help for you and your IT teams in making sure you are protected from attacks against CVE-2021-44228.
Update 2021-12-14, 9pm CET via announce@apache.org: Log4j 2.16.0 fixes another, moderate CVE present in previous versions. Refer to https://logging.apache.org/log4j/2.x/security.html