Search to learn about InterSystems products and solutions, career opportunities, and more. Results include content from our developer community, product documentation and education websites in addition to InterSystems.com.

JNDI Vulnerability in Apache Log4j2 Library Affecting InterSystems Products/Services

LAST UPDATED: 22 DECEMBER 2021 17:00 UTC/12:00 EST

Summary

InterSystems investigated the impact of a security vulnerability related to Apache Log4j2. In addition, please see the note at the end of this alert regarding Log4j 1.2.17. Log4j2 is a commonly used open-source, third-party Java logging library used in software applications and services.

The vulnerability — impacting at least Apache Log4j2 (versions 2.0 to 2.14.1) — was announced by Apache and is reported in the United States National Vulnerability Database (NVD) as CVE-2021-44228 with the highest severity rating on the Common Vulnerability Scoring System (CVSS), 10.0. The initial remediation from Apache, v2.15.0, was incomplete as noted in CVE-2021-45046.

Apache Log4j2 features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system.

InterSystems investigated the impact of these vulnerabilities on its products and services, including its Managed Services. Apache has provided general remediations for the vulnerabilities which some customers may find helpful.

A list of products affected and not affected by these vulnerabilities is provided below. Any product not listed in the Products Under Investigation or Vulnerable Products section of this alert is to be considered not vulnerable.

No further updates are expected on this alert.

Vulnerable Products
The following lists InterSystems products that are affected by the vulnerabilities that is described in this alert. Customers should contact the WRC for further details on affected products.

Registered InterSystems customers can get more information about how each vulnerable product is affected and steps to mitigate the vulnerabilities from the WRC remediation document (WRC login required).

Data Platforms Add-ons 
  • Adaptive Analytics
  • InterSystems Reports Server
  • InterSystems Reports Designer

TrakCare
  • TrakCare Core

Products Containing Vulnerable log4j2 but are Not Exploitable


The following products contain a vulnerable version of log4j2 but the library is not used to process data from untrusted sources.

Data Platforms Add-ons
  • InterSystems Cloud Manager

HealthShare 
  • HealthShare Clinical Viewer (2019.2 to 2021.2)
Products Confirmed Not Vulnerable
InterSystems has confirmed that the following products do not contain log4j and are not affected by these vulnerabilities:

Data Platforms
  • InterSystems IRIS
  • Caché
  • InterSystems IRIS for Health
  • Ensemble

Data Platforms Add-ons
  • Atelier Integration
  • CSP Gateway for CE
  • IRIS Studio
  • InterSystems API Manager
  • InterSystems Kubernetes Operator (IKO)
  • ISC Agent
  • Legacy .Net bindings
  • Legacy node JS binding
  • ODBC Driver
  • System Alerting and Monitoring (SAM)
  • VS Code Integration
  • Web Gateway for IRIS
  • Zen Mojo

HealthShare
  • HealthShare Clinical Viewer (2019.1 and earlier)
  • Unified Care Record
  • Care Community
  • Personal Community
  • Provider Directory
  • Health Insight
  • Patient Index
  • Health Connect

TrakCare
  • TrakCare Editions
  • TrakCare Lab

Cloud Delivery Offerings
  • FHIR Accelerator (FHIRaaS)
  • HealthShare Message Transformation Service
  • Health Integration as a Service
Log4j 1.2 Issues
As part of the investigation into Log4j2 impacts to InterSystems products and the release of  CVE-2021-4104 with the rescoring of  CVE-2019-17571 on 16 December 2021, InterSystems is providing notice that the following product contains Log4j 1.2.17. InterSystems is continuing to evaluate the fix and will update this alert as additional information becomes available.

Data Platforms Add-ons
  • IntegratedML
    (As shipped with InterSystems IRIS, vulnerable only when configured to use the H2O provider)