Two high-severity vulnerabilities (CVE-2021-44228 and CVE-2021-45046) affecting multiple versions of the Apache Log4j utility were disclosed publicly in December 2021. We have found no evidence of any successful exploitation in Data Security Plus as of today. However, the affected Log4j version is used in Data Security Plus as a bundled dependency, so we strongly recommend that all our customers follow the steps below to fix the vulnerability.
Note: This procedure applies to both vulnerabilities (CVE-2021-44228 and CVE-2021-45046), irrespective of the application's current build number.
1. Stop the ManageEngine DataSecurity Plus service and wait till it stops.
2. In case the ManageEngine DataSecurity Plus DataEngine service does not stop automatically, stop it manually.
3. Move (cut and paste) the jar files listed below from '\apps\dataengine-xnode\lib' to any backup location outside the product installation path.
log4j-api-2.10.0.jar
log4j-core-2.10.0.jar
log4j-iostreams-2.10.0.jar
log4j-slf4j-impl-2.10.0.jar
4. Download jar files from the below link:
https://downloads.zohocorp.com/dnd/ADAudit_Plus/ypMFtZHIlQAm30G/log4j-2.16.0.zip
5. Copy the downloaded jar files to '\apps\dataengine-xnode\lib'.
6. Start the ManageEngine DataSecurity Plus service.
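A post-remediation check for the steps above, as an added example that is not ManageEngine's code: it lists every log4j jar under the installation, flags any below 2.16.0 (including a backup copy left inside the product path), and reports any of the four replaced artifacts missing from the lib folder. The -InstallRoot parameter is an assumption; supply your own installation path.

```powershell
# Added example, not vendor code. $InstallRoot is an assumption: pass the
# product installation path used on your server.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallRoot
)

$libDir   = Join-Path $InstallRoot 'apps\dataengine-xnode\lib'
$minimum  = [version]'2.16.0'   # version named in the vendor's download link
$expected = 'log4j-api', 'log4j-core', 'log4j-iostreams', 'log4j-slf4j-impl'

if (-not (Test-Path -LiteralPath $libDir -PathType Container)) {
    throw "Library directory not found: $libDir"
}
$libFull = (Get-Item -LiteralPath $libDir).FullName

# Search the whole installation so that a backup copy left inside the
# product path (step 3 says to keep it outside) is reported too.
$jars  = Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Filter 'log4j-*.jar'
$found = @(foreach ($jar in $jars) {
    # File names follow <artifact>-<major.minor.patch>.jar
    if ($jar.Name -match '^(?<artifact>log4j-[a-z0-9-]+?)-(?<ver>\d+\.\d+\.\d+)\.jar$') {
        [pscustomobject]@{
            Artifact = $Matches['artifact']
            Version  = [version]$Matches['ver']
            InLib    = ($jar.DirectoryName -eq $libFull)
            Path     = $jar.FullName
        }
    } else {
        Write-Warning "Unrecognised log4j jar name, inspect manually: $($jar.FullName)"
    }
})

$stale   = @($found | Where-Object { $_.Version -lt $minimum })
$inLib   = @($found | Where-Object { $_.InLib })
$missing = @($expected | Where-Object { $_ -notin $inLib.Artifact })

$found | Sort-Object Path | Format-Table Artifact, Version, InLib, Path -AutoSize

if ($stale.Count -gt 0) {
    Write-Warning ("Below {0}: {1}" -f $minimum, ($stale.Path -join '; '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("Missing from lib: {0}" -f ($missing -join ', '))
}
if ($stale.Count -gt 0 -or $missing.Count -gt 0) { exit 1 }
Write-Output "All log4j jars under $InstallRoot are $minimum or later."
```

Run it after step 5 with -InstallRoot set to the installation folder; a non-zero exit code means an old jar is still present under the product path or a replacement jar is missing from the lib folder.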
Last updated time: 16 Dec 2021
Time: 9AM EST/2PM GMT/7:30PM IST
Many Thanks,
Data Security Plus Team