-
Title
Java Log4J Vulnerability Alert Mitigation For erwin Web Portal -
Description
A critical vulnerability was recently discovered related to erwin Web portal that run Apache Log4j
More information about this vulnerability can be found here
National Vulnerability Ddatabase - CVE-2021-44228 (nist.gov)
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105https://nvd.nist.gov/vuln/detail/CVE-2021-44832Further information on this please click: https://support.quest.com/essentials/log4j-vulnerability-update
-
Cause
This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to erwin Web Portal.
-
Resolution
Although there is no direct exposure to erwin Web Portal, with respect to the recent security vulnerabilities, we do have precautious mitigation for erwin Web Portal
- CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- CVE-2021-45105 https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832
As Meta Integration hereby certifies that all its software are NOT affected by design, because of its usage the Apache Log4j third party software as explained below:
- MIMM (EWP) uses Log4J only for tomcat as delivered in tomcat\\lib
log4j
see https://metaintegration.com/MITI/License/MIMM-ThirdParty-LICENSES.html, - MIMM does NOT any use of the Log4J parameterized messages involved in this
- CVE-2021-22448 + CVE-2021-45046 +CVE-2021-45105+CVE-2021-44832
However, Meta Integration upgraded all above use and bundle of Apache Log4j to the latest version 2.17.1 fixing CVE-2021-44228 + CVE-2021-45046 +CVE-2021-45105+CVE-2021-44832
- For any MIMM (EWP) use, you must:
- stop the MM (EWP) server
- download EMM-2020R1-202220105.zip (or newer)
- copy the new tomcat/lib/log4j-2.17,1; java/Axis2/log4j-2.17.1 (from the download)
- delete the old tomcat/lib/log4j-2.14 + log4j-2.15+log4j.2.16+log4j2.17.0,; java/Axis2/log4j-2.15.+log4j2.16+log4j2.17.0 ( in your current EWP installation directory)
- restart the MM (EWP) server
NOTE: the patch is only for 2020R1, version 2019 and prior are not affected.
Here is the download link: