CVE-2021-45105 & CVE-2021-45046 Log4j Vulnerabilities

Context

Following CVE-2021-44228 in Log4j, two more vulnerabilities have been found in the Log4j library: CVE-2021-45046 (incomplete fix of CVE-2021-44228, leaving a JNDI lookup path in certain non-default configurations) and CVE-2021-45105 (denial of service through uncontrolled recursion in self-referential lookups).

Detailed information is provided on the Apache Log4j website.

Since Indexima software uses both log4j-core and log4j-api, it is affected by both vulnerabilities.

Impact

As with CVE-2021-44228 (log4j2): to exploit CVE-2021-45046 the Indexima server must be made to connect to an attacker-controlled server through the remaining JNDI lookup path. If outbound connections to addresses outside the internal network or to unknown addresses are blocked, we consider this a minor risk.

Otherwise, we consider this a major risk.

Note that CVE-2021-45105 is a denial of service (the JVM recurses without limit when a self-referential lookup such as ${ctx:loginId} in a logging pattern is evaluated on attacker-controlled data) and does not require any outbound connection; blocking egress does not mitigate it. It only applies where attacker-controlled input reaches such a lookup, and the Log4j 2.17.0 upgrade below fixes both issues.

Mitigation

  • On 21 Dec 2021 Indexima released service pack 2021.5.sp4, which ships Log4j 2.17.0 and fixes both vulnerabilities.

Workaround

Until the service pack is applied, replace the Log4j 2 library:

  • Download the 3 JAR files (version 2.17.0) from https://download.indexima.com/libs/log4j/
  • For the 3 Indexima components, Galactica and Visualdoop2 (and Ranger Client if used): after unzipping the install file, in the lib directory replace the following 3 JAR files with the ones downloaded above (2.XX.0 stands for the version currently shipped):
    • log4j-api-2.XX.0.jar
    • log4j-core-2.XX.0.jar
    • log4j-slf4j-impl-2.XX.0.jar
  • Make sure the old JARs are removed rather than left next to the new ones (two versions of log4j-core on the classpath give no guarantee which one is loaded), then restart the component so the running JVM picks up the new classes.
This change is compatible with all currently supported Indexima versions.
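The replacement and the check above, as an added example (not part of the Indexima advisory or its tooling). It is a POSIX shell script that swaps the three artifacts in a component's lib directory for the 2.17.0 JARs you downloaded and then verifies that exactly one copy of each artifact, at the target version, remains. The directory layout, the artifact names and the 2.14.0 version of the "old" JARs in the demo are assumptions; the demo uses empty placeholder files standing in for real JARs so it runs offline.

```shell
#!/bin/sh
# Added example: replace the Log4j 2 JARs in an Indexima component's lib directory
# and verify the result. Not Indexima's own tooling; paths/names are assumptions.

LOG4J_TARGET_VERSION="2.17.0"
LOG4J_ARTIFACTS="log4j-api log4j-core log4j-slf4j-impl"

# replace_log4j <dir-with-2.17.0-jars> <component-lib-dir>
# Removes every other version of each artifact (the 2.XX.0 JARs shipped with the
# install) and copies in the target version. Fails if a downloaded JAR is missing.
replace_log4j() {
    newjars="$1"; libdir="$2"
    for a in $LOG4J_ARTIFACTS; do
        new="$newjars/$a-$LOG4J_TARGET_VERSION.jar"
        [ -f "$new" ] || { echo "missing downloaded JAR: $new" >&2; return 1; }
        for old in "$libdir/$a-"*.jar; do
            [ -e "$old" ] || continue                       # glob matched nothing
            [ "$(basename "$old")" = "$a-$LOG4J_TARGET_VERSION.jar" ] && continue
            rm -f -- "$old"                                  # drop the stale version
        done
        cp -- "$new" "$libdir/"
    done
}

# check_log4j <component-lib-dir>
# Returns 0 only if each artifact is present exactly once and at the target version;
# otherwise reports every stale or duplicate JAR and returns 1.
check_log4j() {
    libdir="$1"; rc=0
    for a in $LOG4J_ARTIFACTS; do
        count=0
        for f in "$libdir/$a-"*.jar; do
            [ -e "$f" ] || continue
            count=$((count + 1))
            case "$(basename "$f")" in
                "$a-$LOG4J_TARGET_VERSION.jar") ;;
                *) echo "stale JAR still present: $f" >&2; rc=1 ;;
            esac
        done
        [ "$count" -eq 1 ] || { echo "expected exactly one $a JAR in $libdir, found $count" >&2; rc=1; }
    done
    return $rc
}

# --- constructed demo: empty files stand in for the real JARs (assumed layout) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/downloaded" "$demo_root/galactica/lib"
for a in $LOG4J_ARTIFACTS; do
    : > "$demo_root/downloaded/$a-$LOG4J_TARGET_VERSION.jar"   # the 2.17.0 JARs
    : > "$demo_root/galactica/lib/$a-2.14.0.jar"               # assumed shipped 2.XX.0 JARs
done
replace_log4j "$demo_root/downloaded" "$demo_root/galactica/lib"
check_log4j "$demo_root/galactica/lib" && echo "galactica/lib: only Log4j $LOG4J_TARGET_VERSION present"
```

Run `replace_log4j` once per component lib directory (Galactica, Visualdoop2, Ranger Client) and keep `check_log4j` as a post-change gate before restarting the services. The script only handles loose JARs named by version in the lib directory; on a real install also confirm the version from the JAR itself (for example `unzip -p log4j-core-2.17.0.jar META-INF/MANIFEST.MF`) and search the rest of the deployment for any other log4j-core copies.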

Versions

  • 21 Dec 2021: initial version