Vulnerability news update - Data Security Plus

Vulnerability news update - Data Security Plus

We would like to update regarding a vulnerability that has been identified in Data Security Plus most likely. The application uses the log4j version log4j-core-2.10.0 in a bundled dependency module which might be susceptible to this vulnerability however it hasn’t been conclusive yet, because of the version changes and not every version of Log4j is getting impacted. So, we are widely working on a general fix. With that said, the root-cause is likely to have been maneuvered by our security team and we have a recommendation to by-pass this vulnerability. Once the general availability of the fix is Confirmed, it'll be released right away very soon. To protect your Data Security Plus instance against this vulnerability, we strongly recommend all our customers to follow the below steps as a precautionary measure:

Please follow the below procedure as precautionary method to by-pass the vulnerability without any negative impact.

Step 1: Stop the DataSecurity Plus service and wait till the service stops.

Step 2: Navigate to <product_installation_dir>\conf.

Step 3: Take backup of wrapper.conf.

Step 4: Edit wrapper.conf with Wordpad or Notepad++ (Do not user Notepad).

Step 5: Search for the string "wrapper.java.additional" and add the below sequence as the last entry:

wrapper.java.additional.20=-Dlog4j2.formatMsgNoLookups=true

Note: If you already have a line with 20, then insert this entry as 21.

Step 6: Now again navigate to <product_installation_dir>\apps\dataengine-xnode\conf.

Step 7:Take backup of wrapper.conf

Step 8: Edit wrapper.conf with Wordpad or Notepad++ (Do not user Notepad).

Step 9: Search for the string "wrapper.java.additional" and add the below sequence as the last entry.

      wrapper.java.additional.20=-Dlog4j2.formatMsgNoLookups=true


Note : If you already have a line with 20, then insert this entry as 21

Regards,
Data Security Plus Team 

                New to ADSelfService Plus?