Apache Log4j2 Vulnerability Update

The Manta Team is aware of the identified vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 for Apache Log4j2 features used in configuration, log messages, and parameters. We are actively engaged in evaluating the impacts to Manta and our customers. Here’s what you need to know:

Impact to Manta

CVE-2021-44228: A remote code execution vulnerability in Apache Log4j2 that affects all Manta components. The vulnerability is rated at a critical severity level, 10 out of 10. It impacts all customers who are currently using any version of Manta prior to R35.

CVE-2021-45046: Apache Log4j2 was originally found vulnerable to a denial of service, and the CVE score of this vulnerability was 3.7 out of 10. However, it was later found to enable remote code execution as well. The CVE score has been changed to 9.0 out of 10, classifying it as critical severity.

CVE-2021-45105: A denial of service vulnerability in Apache Log4j2. The CVE score is 5.9 out of 10 (changed from 7.5 reported earlier), classifying it as moderate severity.

CVE-2021-44832: A remote code execution vulnerability in Apache Log4j2 that arises when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. The CVE score is 6.6 out of 10, classifying it as moderate severity. Manta components are vulnerable only when an administrator changes the Log4j and LDAP server configuration in a specific way, which is possible from version R33.

We recommend that all customers take the steps below immediately to remediate the vulnerabilities in all Manta instances.

Recommended Next Steps

On Monday, December 13, 2021, we released a hotfix DEV-20185 that addresses vulnerability CVE-2021-44228 for the latest minor hotfix of all supported versions of Manta. 

On Thursday, December 16, 2021, we released a hotfix DEV-20259 that also addresses vulnerability CVE-2021-45046 for versions R34.1, R34, and R33.2. 

On Monday, December 20, 2021, we released a hotfix DEV-20347 that addresses all three vulnerabilities for the latest minor hotfix of all supported versions of Manta.

On Thursday, December 23, 2021, we released a new major version of Manta R35, which is not vulnerable to the first three vulnerabilities.

On Monday, January 03, 2022, we released a hotfix DEV-20485 that addresses all four vulnerabilities for versions R35, R34.1, R34, and R33.2.

Steps to apply:

  1. Update your version of Manta to the latest minor version. For example, if you are on R33.0, upgrade to R33.2 (the latest minor version available for R33).
  2. Download the latest patch set from Manta Portal under Manta Software Download > [your Manta version] > Latest patches.
  3. Apply hotfix DEV-20185+DEV-20259+DEV-20347+DEV-20485 or DEV-20485 (for version R35) based on the instructions included in the hotfix itself.

Do not hesitate to contact us if we can be of any assistance when applying the hotfix.

The Manta team will continue to provide status and impact updates as needed; please check this page for the latest information.