JAVA Log4J Vulnerability Alert Mitigation For DIS-BUP (4350672)

On December 9, 2021, erwin by Quest was made aware of a critical security vulnerability impacting the Apache Log4j library associated with CVE-2021-44228 (also known as Log4Shell or LogJam).

erwin BUP IMPACTED VERSIONS

• erwin BUP – 10.2.x versions and 11.0.x version.

Further information on this please click: https://support.quest.com/essentials/log4j-vulnerability-update

This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to erwin BUP.

Log4j is an open-open source, Java-based logging utility that is widely deployed and used across a variety of enterprise applications, including many cloud services that utilize Apache web servers. The flaw is deemed to be the worst computer vulnerability discovered in years and affects a great majority of vendors.

The vulnerability is a Java Naming and Directory Interface™ (JNDI) injection vulnerability in version Log4j 2. It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in the logged message - which if this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server.  Depending on the information sent back (response) a malicious Java object may be loaded, which could eventually lead to a remote code execution.  In addition, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The challenge with this vulnerability is the widespread use of this particular logging utility in many enterprise and cloud applications.  JNDI lookups support multiple protocols, but based on analysis so far, exploitability depends on the Java versions and configurations.

Your current erwin DIS- BUP environments can be protected immediately with short term  simple JVM property change in the short term. 

Please see attached PDF document for our short term mitigation and our long term plan.