Summary

Apache has published multiple vulnerabilities and their mitigation steps as part of their announcement. As part of this article, we are tracking the following vulnerabilities and their impact to Enterprise Vault. 

While this issue has been resolved in Log4j 2.17.0, compatibility and installation of this version is still under investigation. 

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.  

• Severity: Critical  

• Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 

• Affected Log4j Versions: All versions from 2.0-beta9 to 2.14.1 

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations 

• Security: Critical 

• Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) 

• Affected Log4j Versions: All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation 

• Security: High 

• Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

• Affected Log4j Versions: All versions from 2.0-beta9 to 2.16.0 

Impact

Prior to Enterprise Vault 14.2: 

• Enterprise Vault versions prior to 14.2 do not use Log4j and hence are not affected by above mentioned vulnerabilities. 

• Compliance Accelerator 14.1.1 / 14.1.2 has an Enhanced Auditing feature which does use Elasticsearch 7.12.0, but this version is not exploitable to vulnerabilities mentioned above (Refer to the official statement from Elastic here). 

Enterprise Vault 14.2: 

• Apache Log4j 2.x was introduced in Enterprise Vault 14.2 and with the introduction of the Elasticsearch and Microsoft Teams collector plugin. 

• Enterprise Vault 14.2 uses ElasticSearch 7.14.1 and Enhanced Auditing feature of Compliance Accelerator 14.2 uses Elasticsearch 7.15.0. Both these versions of elastic are not exploitable to vulnerabilities mentioned above (Refer to the official statement from Elastic here). 

• Enterprise Vault 14.2 introduced a collector plugin to collect data from Microsoft Teams and this module is not affected by the above-mentioned vulnerabilities as the Apache Log4J 2.x component is used internally, and the connector plugin is not exposed via a web endpoint and hence is not exploitable. 

Affected Versions

Enterprise Vault versions: None

Compliance Accelerator / Advanced Supervision versions: None

Discovery Accelerator versions: None

Veritas Information Classifier versions: None

Mitigation

There are no mitigation steps required/recommended for any version of Enterprise Vault.

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support) 

Note: This document is being reviewed frequently, and this note will be removed once all affected versions have been identified and mitigations are in place. 

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.