Following the vulnerability CVE-2021-44228 found on Log4j, 2 more vulnerabilities have been found on the library Log4j.
Details information are provided here, on Apache Log4j website.
Since Indexima software is using both log4j-core and log4j-api, it is impacted by those 2 vulnerabilities.
Same as CVE-2021-44228 - log4j2: In order to exploit this vulnerability, the Indexima server needs to connect to a malicious server. Thus if outbound connections outside the internal network or unknown addresses are blocked, we consider this to be a minor risk.
Otherwise, we consider this to be a major risk.
- Indexima has released on 21st Dec 2021 a service pack (2021.5.sp4) containing the library Log4j 2.17 that fixes the 2 vulnerabilities
Waiting Replace Log4j2 library
- Download the 3 JAR files (version 2.17.0) from https://download.indexima.com/libs/log4j/
- For the 3 Indexima components: Galactica & Visualdoop2 (& Ranger Client if used), after unzipping the Install file, in the directory lib, replace the 3 following Jar files with the ones provided right above
- 21th Dec 2021: initial Version