-
Title
JAVA Log4J Vulnerability Alert Mitigation For erwin Data Modeler -
Description
CVE-2021-44228 vulnerability with erwin Data Modeler Installs
. erwin Data Modeler Metaintegration Bridge.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105https://nvd.nist.gov/vuln/detail/CVE-2021-44832Further information on this please click: https://support.quest.com/essentials/log4j-vulnerability-update
-
Cause
This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to erwin Data Modeler -
Resolution
Although there is no direct exposure to erwin Data Modeler (DM) with respect to the recent security vulnerabilities, we do have precautious mitigation for the below erwin Data Modeler releases.
- erwin Data Modeler 2020 R1 SP1 b12392
- erwin Data Modeler 2020 R2 b14677
- erwin Data Modeler 2020 R2 SP2 b16138
- erwin Data Modeler 2021 R1 b23459
Mitigation for JAVA Log4J Vulnerability Alerts:- CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- CVE-2021-45105 https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832
As our 3rd party tool "Meta Integration" hereby certifies that all its software are NOT affected by design because of its usage the Apache Log4j third party software as explained below:
-MIMB uses Log4J only as bundled within Axis2 as delivered in java\axis2\log4j*
see Meta Integration® Model Bridge (MIMB) - LICENSES
However, any use of the Log4J within Axis2 is as always been disabled. Nonetheless Meta Integration upgraded all above use and bundle of Apache Log4j to the latest version 2.17.1 fixing CVE-2021-44228 + CVE-2021-45046 + CVE-2021-45105 +CVE-2021-44832MITIGATION STEPS:
NB: To Run MIMB-OEM-DeleteOld.bat file using command prompt, requires Administrator privileges
Please download "MIMB-OEM-CumulativePatch-1010-20220105.zip" from below location to a local machine.
- Close all instance of erwin Data Modeler on the machine.
- Unzip MIMB-OEM-CumulativePatch-1010-20211220.zip, copy all files and folders and replace into install directory of erwin Data Modeler which is: C:\Program Files\erwin\Data Modeler r9\MetaIntegration
- Once all files were copied, launch command prompt as Run as administrator
- Once command prompt is launched, type cd C:\Program Files\erwin\Data Modeler r9\MetaIntegration press enter
- Type C:\Program Files\erwin\Data Modeler r9\MetaIntegration> MIMB-OEM-DeleteOld.bat press enter