Informatica Network : 2021 : December

Informatica is dedicated to proactively monitoring and responding to threats that might impact our products and services.


We have actively monitored and mitigated the evolving situation involving the zero-day security vulnerabilities in Apache Log4j2, specifically CVE-2021-44228, reported publicly on December 9 and updated on December 14, 2021; CVE-2021-45046, reported publicly on December 14, 2021 and updated Friday, December 17, 2021; and CVE-2021-45105, reported publicly on December 18, 2021.


Apache announced a new medium-severity vulnerability for Log4j on December 28, 2021 (CVE-2021-44832). Some security scanning software will detect the presence of Log4j files as false-positive vulnerabilities within select Informatica products. After careful review, we confirm that our products are not impacted by this vulnerability.


Key resources to follow for the latest updates and actions that you can take:

  • Informatica Cloud and Cloud-Hosted Software customers can refer to the Knowledge Article for the latest status updates at this link.
  • Informatica On-Premises Software impact analysis and remediation guidance continue to be updated frequently, starting with the most recent product versions. Please refer to the Knowledge Article for the latest product-specific updates at this link.


Please also note that Apache Log4j v1.x is bundled in some Informatica products. Informatica confirms that our products do not use the JMSAppender functionality and are not vulnerable to recently published CVEs such as CVE-2021-4104. You can remove the JMSAppender class from all bundled 1.x jars to reduce false positives in your security scan reports.


We understand that these issues have caused you inconvenience, and our global team has worked round-the-clock to mitigate all of these vulnerabilities as quickly as possible. We appreciate your patience.


Informatica has analyzed each of these vulnerabilities and has taken the steps outlined below to mitigate these vulnerabilities and test their effectiveness across our products. Each of these mitigations should be applied in the context of the customer’s overall multi-layered, “defense in depth” security strategy.


To address false positives detected by security scanning software and to upgrade any Log4j libraries of version 1.x through 2.16, Informatica plans to adopt Log4j library version 2.17.1 or later in upcoming product releases. The release version numbers will be published in the respective product Log4j Knowledge Base articles during the week of January 17.


CVE-2021-44228


Apache’s Description: “In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”


Informatica’s Response:

  1. We have removed the JndiLookup class from the Java files shipped with our products (as an EBF, for example) or provided instructions in our KB articles for customers to do the same. Our products do not use JNDI functionality.
  2. Using several published exploit sources, we tested our mitigation steps against a system configured as above to confirm the Informatica product was functional and was not vulnerable to this CVE.
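The class-removal step above (and the matching JMSAppender removal for bundled Log4j 1.x jars described earlier) can be scripted and verified. The following is an added example, not Informatica's code or tooling: it strips the flagged class entry from a jar, keeps a backup, and re-lists the jar so the result can be checked. A jar is an ordinary zip file, so the functions apply to real jars; the demo builds a constructed throwaway jar in a temporary directory so it runs offline.

```python
"""Added example (not Informatica's code): remove a flagged class entry from a
bundled log4j jar and verify the jar afterwards.

The page's mitigation is to delete JndiLookup.class from the log4j-core 2.x
jar (CVE-2021-44228 / CVE-2021-45046) and JMSAppender.class from bundled
log4j 1.x jars (to stop scanner false positives). A jar is a zip file, so the
functions below work on real jars; the demo builds a constructed throwaway jar
in a temp directory so it runs offline.
"""
import os
import shutil
import tempfile
import zipfile

# Entry paths inside the jar for the classes the page's guidance removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
TARGETS = (JNDI_LOOKUP, JMS_APPENDER)


def list_flagged_entries(jar_path, targets=TARGETS):
    """Return the flagged entries present in the jar (empty list = clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [t for t in targets if t in names]


def strip_entries(jar_path, targets=TARGETS):
    """Rewrite the jar without the target entries; return the list removed.

    The jar is copied entry by entry to a temp file in the same directory,
    the original is kept as <jar>.bak, and the temp file replaces the
    original with os.replace so a crash never leaves a half-written jar.
    """
    removed = []
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".",
                                    suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in targets:
                removed.append(info.filename)
                continue
            # Passing the ZipInfo keeps the original timestamp/compression.
            dst.writestr(info, src.read(info.filename))
    if removed:
        shutil.copy2(jar_path, jar_path + ".bak")
        os.replace(tmp_path, jar_path)
    else:
        os.remove(tmp_path)
    return removed


def make_constructed_jar(path):
    """Build a fake log4j-core jar with placeholder entries (constructed)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder bytes")
        zf.writestr("org/apache/logging/log4j/core/Logger.class",
                    b"\xca\xfe\xba\xbe placeholder bytes")
    return path


def demo():
    """Create, scan, strip and re-verify a constructed jar.

    Returns (flagged_before, removed, flagged_after, jar_still_valid).
    """
    with tempfile.TemporaryDirectory() as d:
        jar = make_constructed_jar(os.path.join(d, "log4j-core-2.14.1.jar"))
        before = list_flagged_entries(jar)
        removed = strip_entries(jar)
        after = list_flagged_entries(jar)
        with zipfile.ZipFile(jar) as zf:
            # testzip() returns None when every remaining entry's CRC is intact.
            still_valid = (zf.testzip() is None and
                           "org/apache/logging/log4j/core/Logger.class"
                           in zf.namelist())
        return before, removed, after, still_valid


if __name__ == "__main__":
    print(demo())
```

Apache's own advisory gives the equivalent one-liner, `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`; the post-strip listing is what clears a scanner finding, since scanners look for the class entry. The running JVM keeps already-loaded classes in memory, so the product must be restarted after the jar is modified.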


CVE-2021-45046


Apache’s Description: “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.”


Informatica’s Response:

  1. We have removed the JndiLookup class from the Java files shipped with our products (as an EBF, for example) or provided instructions in our KB articles for customers to do the same. Our products do not use JNDI functionality.
  2. We analyzed how our products perform logging and confirmed that our products do not use a “Pattern Layout with a Context Lookup” for any user-controlled input from external sources. 
  3. Using several published exploit sources, we tested our mitigation steps against a system configured as above to confirm the Informatica product was functional and was not vulnerable to this CVE.


CVE-2021-45105


Apache’s Description: “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”


Informatica’s Response:

  1. We analyzed how each of our products performs logging and specifically whether they invoke Context Lookups. We confirmed that our products do not use JNDI lookups and do not use a “Pattern Layout with a Context Lookup” for any user-controlled input from external sources.
  2. We tested several known published exploits against a system configured as above to confirm it was functional and not vulnerable to this CVE.
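The analysis step in the responses to CVE-2021-45046 and CVE-2021-45105, checking whether any logging configuration uses a Pattern Layout with a Context Lookup, can be automated. The following is an added example, not Informatica's code: it scans log4j2 XML and properties configurations for `${ctx:...}` (or the config-escaped `$${ctx:...}`) and `${jndi:...}` references inside layout patterns. The two configurations it scans are constructed samples for the example.

```python
"""Added example (not Informatica's code): find log4j2 layouts that embed a
Context Lookup (${ctx:...}) or JNDI lookup, the configuration condition that
CVE-2021-45046 and CVE-2021-45105 depend on.

Informatica's response was an analysis of its own logging configuration; this
script automates the same check for log4j2 XML and properties files. The
two sample configurations are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Lookup references inside a pattern. Log4j2 configs escape them as $${...}
# so they are resolved per event rather than once at startup; both spellings
# are matched. Lookup names are case-insensitive in log4j2.
LOOKUP_RE = re.compile(r"\$\$?\{(?:ctx|jndi)(?::[^}]*)?\}", re.IGNORECASE)


def scan_pattern(pattern):
    """Return every ctx/jndi lookup found in one layout pattern string."""
    return [m.group(0) for m in LOOKUP_RE.finditer(pattern or "")]


def scan_log4j2_xml(xml_text):
    """Return (appender name, lookup) for each PatternLayout that uses one.

    Handles both the pattern="..." attribute and the <Pattern> child form.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if el.tag.lower() != "patternlayout":
            continue
        pattern = el.get("pattern")
        if pattern is None:
            child = next((c for c in el if c.tag.lower() == "pattern"), None)
            pattern = child.text if child is not None else ""
        parent = parents.get(el)
        appender = parent.get("name", parent.tag) if parent is not None else "?"
        findings.extend((appender, hit) for hit in scan_pattern(pattern))
    return findings


def scan_log4j2_properties(text):
    """Return (property key, lookup) for each *.pattern key that uses one."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower().endswith(".pattern"):
            findings.extend((key.strip(), hit) for hit in scan_pattern(value))
    return findings


# Constructed sample: the Console layout is the log4j2 default style, the
# Audit file layout embeds the $${ctx:loginId} lookup quoted in the advisories.
SAMPLE_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p user=$${ctx:loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

# Constructed sample in log4j2 properties format.
SAMPLE_PROPERTIES = """# constructed sample
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d [%t] %-5p %c - %m%n
appender.rolling.layout.pattern = %d tenant=${ctx:tenantId} %m%n
"""


if __name__ == "__main__":
    hits = scan_log4j2_xml(SAMPLE_XML) + scan_log4j2_properties(SAMPLE_PROPERTIES)
    for finding in hits:
        print("context/JNDI lookup in layout:", finding)
```

A hit is only the configuration half of the condition; the other half is whether external input reaches the Thread Context Map key that the lookup reads, which is the part Informatica's analysis confirmed for its products. Apache's advisory for CVE-2021-45105 recommends replacing such lookups with the `%X{key}` pattern converter, which reads the MDC value directly without lookup substitution.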


Informatica’s Approach:

When these vulnerabilities were first announced, Informatica's security and support teams promptly began monitoring our cloud systems and investigating any potential impact from these critical zero-day vulnerabilities.


In parallel, our product security teams analyzed how our cloud and on-premises applications potentially used these libraries within Informatica’s code. Patching and remediation of the first vulnerability, based on initial guidance from the Apache Software Foundation, was completed for Cloud Services, Cloud Hosted, and current releases of our on-premises products. Remediation per Apache’s revised guidance is currently underway for some older versions of our products, with product-specific details updated at the links above.


We have contacted our critical vendors, service providers, and supply chain partners to confirm they have followed Apache’s guidance and to report any impact these Apache vulnerabilities may have had. We are not aware of any impact to Informatica or our customers due to these vulnerabilities, and we continue to monitor the situation.


Vulnerability Details:

Apache Log4j2 is a third-party open-source component used by many software and online services, including Informatica products. According to the published vulnerabilities, Apache Log4j2 versions before 2.17.0 in some configurations do not protect against attacker-controlled log messages and other input.


These vulnerabilities can allow an attacker to execute arbitrary code or exhaust resources by sending specially-crafted log messages and other data unless specific mitigations are applied. For more information on these specific vulnerabilities, visit the Apache Log4j website.
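For customers building an inventory of the Log4j jars bundled in an install directory, the version ranges this advisory states can be encoded as a classifier. The following is an added example, not Informatica's code or the product-specific guidance in the Knowledge Base articles: it maps jar file names to the CVEs whose stated ranges they fall in, treating 2.17.1 (the upgrade target named above) as clean. The jar names it is run on are constructed, and the 2.3.x and 2.12.x backport lines beyond 2.12.2 are deliberately not modelled.

```python
"""Added example (not Informatica's code): classify bundled log4j jars against
the version ranges stated in this advisory, for an inventory of a product
install directory.

Only the log4j-core 2.x artifact contains the lookup code, so other 2.x
artifacts (log4j-api etc.) report no CVE. Ranges: CVE-2021-44228 up to and
including 2.14.1 excluding 2.12.2; CVE-2021-45046 up to and including 2.15.0
(the 2.15.0 fix was incomplete), same exclusion; CVE-2021-45105 through 2.16.0;
CVE-2021-44832 fixed in 2.17.1, the page's upgrade target. The 2.3.x and 2.12.x
backport lines beyond 2.12.2 are not modelled. Jar names below are constructed.
"""
import re

JAR_RE = re.compile(r"log4j(?:-([a-z0-9.-]+?))?-(\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?)\.jar")
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", re.I)
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final release sorts last


def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' into a comparable tuple."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    stage = m.group(4).lower() if m.group(4) else None
    return (major, minor, patch, STAGE_RANK[stage], int(m.group(5) or 0))


def affected_cves(jar_name):
    """Return the CVEs the advisory's ranges put this jar in, [] if none,
    or None when the file name is not a log4j jar."""
    m = JAR_RE.fullmatch(jar_name)
    if not m:
        return None
    artifact, version = m.group(1), parse_version(m.group(2))
    if version[0] == 1:
        # log4j 1.x: the page says CVE-2021-4104 needs JMSAppender to be in use.
        return ["CVE-2021-4104 (only if JMSAppender is configured)"]
    if artifact != "core":
        return []
    excluded = version == parse_version("2.12.2")
    cves = []
    if version <= parse_version("2.14.1") and not excluded:
        cves.append("CVE-2021-44228")
    if version <= parse_version("2.15.0") and not excluded:
        cves.append("CVE-2021-45046")
    if version <= parse_version("2.16.0"):
        cves.append("CVE-2021-45105")
    if version <= parse_version("2.17.0"):
        cves.append("CVE-2021-44832")
    return cves


def inventory(jar_names):
    """Map each jar name to its CVE list, skipping non-log4j jars."""
    result = {}
    for name in jar_names:
        cves = affected_cves(name)
        if cves is not None:
            result[name] = cves
    return result


# Constructed list standing in for the jars found under an install directory.
SAMPLE_JARS = [
    "log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar", "log4j-core-2.12.2.jar",
    "log4j-core-2.16.0.jar", "log4j-core-2.17.1.jar", "log4j-1.2.17.jar",
    "commons-logging-1.2.jar",
]

if __name__ == "__main__":
    for jar, cves in inventory(SAMPLE_JARS).items():
        print(f"{jar}: {', '.join(cves) or 'none'}")
```

A file-name match is a starting point only: a jar whose JndiLookup class has already been removed (the mitigation described above) will still carry the old version string, which is exactly the false positive the advisory says scanners report. Confirm with the jar's entry listing before acting on a classification.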
