December 13, 2021
RE: CVE-2021-44228 Java logging library Apache Log4j2 remote code execution (RCE) zero-day Vulnerability and Implications for INSIGHT DLP Appliances
Dear INSIGHT Appliance Customer:
As you may be aware, on December 9, 2021, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2 (CVE-2021-44228 affects log4j-core-2.x.jar), a Java logging library used by a number of applications and services including but not limited to:
The INSIGHT Development and Security teams have investigated this vulnerability and its potential impact on INSIGHT Appliances, Symantec DLP, and Oracle Database. Please note that this vulnerability/exploit does not affect or impact the INSIGHT Appliances, Symantec DLP, and the Oracle Database.
INSIGHT Appliance OS does not utilize Apache or log4j. Symantec DLP software does utilize Apache Tomcat, but it does not include or consume log4j. Oracle Database software does not utilize Apache or log4j but does ship with log4j as part of its library, but it does not utilize or run log4j. As of now Symantec and Oracle do not recommend deleting the related jar files.
Due to the secure environment and restrictions implemented on all INSIGHT Appliances the identified exploit does not exist for INSIGHT Appliances.
NOTE FROM BROADCOM/SYMANTEC:
The following products are not vulnerable:
Data Loss Prevention (DLP)
Symantec has investigated this vulnerability and its potential impact to Data Loss Prevention. Based on these investigations, Symantec has established that DLP is not affected by this vulnerability.
CVE-2021-44228 affects log4j-core-2.x.jar, which is not included or consumed by any version of DLP.
* log4jv1 is not impacted by CVE-2021-44228 or CVE-2021-45046.
* log4j version 2 (log4jv2) is impacted by CVE-2021-44228 or CVE-2021-45046.
* CVE-2021-41004 is only exploitable if JMSAppender is enabled and that is allowed to perform JNDI requests.
The Oracle Database’s use of log4jv1 does not use a JMSAppender, and the Oracle Database is evaluated as not vulnerable to CVE-2021-4104.
*Log4jv2 was used by Parallel Graph Analytics (PGX) and appeared in the $ORACLE_HOME/md/property graph directory. PGX is not deployed out of the box and must be manually deployed in a java container.
*Log4jv2 was removed with the October 2020 release update.
*Log4jv2 was also used in Oracle Spatial and is present in $ORACLE_HOME/md/jlib it was a dependency of Oracle Spatial and Graph Network Data Model Server. NDM server is not configured by default and must be deployed manually.
*Patch 33674035 removes the unused log4jv2 files; the October 2021 CPU patch also removes these files.
Additional articles for your reference:
If you have any questions or concerns, please contact the INSIGHT Support Team.
INSIGHT Support Team