Apache Log4j2 Issue

Webtrends is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). Systems and services that use the Log4j Java logging library between versions 2.0 and 2.14.1 are all affected.

Webtrends uses an older version of Log4j (1.2.15) which is not directly vulnerable as it does not offer a JNDI look up mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if enabled in Log4j's configuration file.

Read below for steps we are taking for our products.

On Demand

Mitigation
Webtrends uses a Web Application Firewall to protect Internet-facing systems. The WAF rules have been updated to protect against this exploit.

Detection
We have reviewed security logs and have not seen any attempts to exploit this vulnerability.

Remediation
We are upgrading log4j libraries to log4j2 v2.17.

On Premises

Webtrends Analytics On-Premesis clients should download the hotfix below and run on their Webtrends systems. Please contact Technical Support for assistance.

3rd Party Vendors

Webtrends is reaching out to our vendors to ensure they are aware and updating their systems accordingly.

Amazon Web Services has already taken steps and is communicating updates here: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

Entrust has communicated to Webtrends that mitigations are in effect and no actions are required.

Salesforce has already taken steps and is communicating updates here: https://help.salesforce.com/s/articleView?id=000363736&type=1