Security: Evolve Web Platform 2018.0.1-2020.2.0
First, a brief explanation of how this issue relates to Evolve Web Platform: Evolve Web Platform is primarily a Windows .NET-based platform and uses no Java components directly. However, it does use a third-party component called ‘ElasticSearch’, running on a separate web stack, to index its Global Search data. ‘ElasticSearch’ runs on Java and uses the logging component Log4J, which is affected by this security issue.
For further information, see: https://support.quest.com/essentials/log4j-vulnerability-update
The version of ‘ElasticSearch’ in use in Evolve is version 6.4. Having reviewed the risk information from Elastic, it is understood that any remote code execution (RCE) risks can be mitigated with this patch, and that no data can be obtained remotely from the search index database.
Further reducing the attack surface, note that under a normal Evolve installation, ‘ElasticSearch’ is not exposed to the internet, but is instead controlled locally by our Search Service. This additional level of redirection will make it significantly more difficult to take advantage of this exploit, as the HTTP request (request headers etc.) is not available to the attacker.
So although this is a serious risk for the specific component, it is not a serious risk when the component is used inside Evolve Web Platform.
To reduce all risks from this vulnerability, please see the attached document for workaround instructions for all versions below Evolve 2020.2.0.
For all clients on our latest release, 2020.2.1 onwards, we have already applied the latest version addressing this vulnerability in ElasticSearch, so there is no need for further mitigation.