Applies To 

Apache Publication: Apache Log4j Remote Code Execution 

CVE-2021-44228 

Details

The following components are NOT affected:

• Archer Application *
•  Archer SaaS and Archer Hosted
• Archer Engage for Vendors
• Archer Engage for Business Users
• Archer Regulatory Content Analysis
• Archer Security Operations Management (SecOps) Solution

*Notes for Archer Application

1. The old GemFire caching service did make use of Log4j2 and the installer is designed to remove the folder, but if an error was encountered and skipped, it could still be present. The folder can be manually deleted. Without JRE present, it should pose no risk of exploitation.
2. The Open-Source component list for Archer mentions Log4j2 as it relates to Elasticsearch. See below.

The following components ARE affected:

•  Elasticsearch join-search plugin
  • Provided as a tool via the Archer platform installer for usage in joining Archer to the Elasticsearch cluster.
  • Log4j2 is present on the servers as part of the plugin but poses no risk as it cannot be executed from there. It is designed for use in an Elasticsearch cluster. If you are not using Elasticsearch the plug-in can be deleted from the tools directory.
  • Mitigation options if using Archer in an Elasticsearch cluster:
    • Block outbound internet access from your Elasticsearch cluster
    • Please check for any guidance issued by Elasticsearch
  • The Archer support for Elasticsearch is being deprecated. We recommend customers apply the above mitigation and work to eliminate Archer from their Elasticsearch deployments.

Next Steps

We are continuing to monitor this vulnerability. As we continue to review this, Archer systems will be updated with the latest indicators of compromise (IOCs) and will continuously monitor any use of this software in our environments.

This page will be updated with relevant information as Archer deems necessary. As is often the case in situations like this, as more information unfolds, additional CVEs and information are rolled out. If such additional information changes the information contained in this advisory, it will be updated.

Please check back regularly for more information or direct specific concerns to your RSA Account Manager and/or RSA Technical Support representative.

Legal Information

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title, and non-infringement.

In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.