This post is a follow-up to two high-severity vulnerabilities (CVE-2021-44228/CVE-2021-45046) reported in Apache Log4j and the countermeasure recommended for them (replacing the old jar files with the Log4j 2.16 jars). Another vulnerability (CVE-2021-45105) has since been disclosed. There is NO substantial evidence that it can be exploited successfully in DataSecurity Plus; however, the affected Log4j version is shipped as a bundled dependency of the application, so we strongly recommend that all customers follow the steps below to fix the vulnerability.
Note: This procedure also covers the previously recorded vulnerabilities (CVE-2021-44228/CVE-2021-45046) together with CVE-2021-45105, irrespective of the application's current build number.
1. Stop the ManageEngine DataSecurity Plus service and wait till it stops.
2. In case the ManageEngine DataSecurity Plus DataEngine service does not stop automatically, stop it manually.
3. Move (cut and paste) the jar files listed below from '\apps\dataengine-xnode\lib' to a backup location outside the product installation path.
log4j-api-2.10.0.jar
log4j-core-2.10.0.jar
log4j-iostreams-2.10.0.jar
log4j-slf4j-impl-2.10.0.jar
(or)
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-iostreams-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
4. Download jar files from the below link:
https://downloads.zohocorp.com/DataSecurity_Plus/OHCNtqR9x9FrK0f/log4j-2.17.0.zip
5. Copy the downloaded jar files to '\apps\dataengine-xnode\lib'.
6. Start the ManageEngine DataSecurity Plus service.
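The six steps above, scripted for an elevated PowerShell session on the DataSecurity Plus server, as an added example that is not a script from the DataSecurity Plus team. The install root, backup folder, extraction folder and the Windows service display names are assumptions to adjust for your host; the download URL and jar names are the ones given above.

```powershell
# Assumed values (adjust for your host): install root, service display names,
# backup folder outside the product path and a folder to extract the zip into.
$InstallPath = 'C:\ManageEngine\DataSecurity Plus'
$LibDir      = Join-Path $InstallPath 'apps\dataengine-xnode\lib'
$BackupDir   = 'C:\log4j-backup'
$NewJarDir   = 'C:\log4j-2.17.0'
$Services    = @('ManageEngine DataSecurity Plus',
                 'ManageEngine DataSecurity Plus DataEngine')
$ZipUrl      = 'https://downloads.zohocorp.com/DataSecurity_Plus/OHCNtqR9x9FrK0f/log4j-2.17.0.zip'

# Steps 1-2: stop both services and wait until each reports Stopped.
foreach ($name in $Services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }
}

# Step 3: move (not copy) the four bundled jars, whether they are 2.10.0 or 2.16.0.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$oldJars = Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' |
    Where-Object { $_.Name -match '^log4j-(api|core|iostreams|slf4j-impl)-2\.(10|16)\.0\.jar$' }
if ($oldJars.Count -eq 0) { throw "No log4j 2.10.0/2.16.0 jars found in $LibDir" }
$oldJars | Move-Item -Destination $BackupDir -Force

# Step 4: download the 2.17.0 jars and extract them.
$ZipPath = Join-Path $env:TEMP 'log4j-2.17.0.zip'
Invoke-WebRequest -Uri $ZipUrl -OutFile $ZipPath
Expand-Archive -Path $ZipPath -DestinationPath $NewJarDir -Force

# Step 5: copy the jars into the lib folder (searched recursively, since the
# zip's internal folder layout is not stated on the page).
Get-ChildItem -Path $NewJarDir -Recurse -Filter 'log4j-*-2.17.0.jar' |
    Copy-Item -Destination $LibDir -Force

# Check: no log4j jar older than 2.17.0 may remain in the lib folder.
$remaining = Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' |
    Where-Object { $_.Name -notmatch '-2\.17\.0\.jar$' }
if ($remaining) { throw "Older log4j jars still present: $($remaining.Name -join ', ')" }

# Step 6: start the main service.
Start-Service -DisplayName $Services[0]
```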
Last updated date: 20 Dec 2021
Time: 9AM IST
Many Thanks,
Data Security Plus Team