Updated 10 February 2022
The National Vulnerability Database has logged a vulnerability for packages using Apache Log4j, versions 2 through 2.14.1. Basis has audited our code and determined that the only products impacted are RNI Web Services, which is deprecated and Rosette Server, which doesn't log user input. Our Elasticsearch plugins support versions of Elasticsearch which are impacted. All other products which use log4j use version 1.2, so they are not affected.
More information on log4j can be found at: https://logging.apache.org/log4j/2.x/index.html
RNI Web Services
This vulnerability has been removed in RNI version 7.36.1.c65.0. It now uses the 2.17.1 version of log4j.
These changes are only necessary for RNI Web Services customers. If you do not use the RNI Web Services component, no action is necessary. RNI Web Services is a deprecated component.
If you are using a previous version and using RNI Web Services, we recommend you take one of the following actions:
Stop RNI Web Service, navigate to the
bt_root/rlpnc/rws-names/lib/ directory, execute this command to remove the vulnerable code from the log4j jar files and restart the RNI Web Service
zip -q -d log4j-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Rosette Server uses
log4j but does not log the user input, We have removed the vulnerability in Rosette Server.
We upgraded log4j to version 2.16 in 1.20.1.
We upgraded log4j to version 2.17 in 1.20.2.
We upgraded log4j to version 2.17.1 in 1.20.3.
We released 1.20.4 to update RNI to the RNI 7.36.1.c65.0 root.
To patch earlier Rosette Server releases:
We've released RNI-ES 22.214.171.124 from which the vulnerable version of log4j was removed.
We've released RNI-ES 126.96.36.199 from which the vulnerable version of log4j was removed.
We've released RNI-ES 188.8.131.52 to support Elasticsearch 7.16.2 which does not have the vulnerability.
We've released RBL-ES 184.108.40.206 to support Elasticsearch 6.8.22 which does not have the vulnerability.
We've released RBL-ES 220.127.116.11 to support Elasticsearch 7.16.2 which does not have the vulnerability.