Natrinsic Supplemental Netezza Documentation - CVE-2021-44228 log4j vulnerability

Natrinsic Supplemental Netezza Documentation - CVE-2021-44228 log4j vulnerability








Natrinsic Supplemental Netezza Documentation


log4j vulnerability & its impact on Netezza Appliances

CVE-2021-44228 & CVE-2021-4104


UPDATED December 22, 2021






Preface & Disclaimer


This document provides a high level overview of the CVE-2021-44228 log4j security vulnerability and it's impact on Netezza appliances.  As of December 16, 2021, the impacts and workarounds/resolutions for this security vulnerability remain something that our engineering team continues to assess, as such there may be further updates to the information contained herein and we recommend checking back for updates.

Natrinsic offers this guide only as a general overview; each customer may have unique requirements which cannot be covered in a general guide and as such Natrinsic does not warrant or guarantee the accuracy or completeness of this documentation.  Natrinsic will have no liability for any damages arising from the misuse of any information provided in this document.  Natrinsic also does not warrant or guarantee that any external links to third party websites will be active, correct or applicable for your situation.


Comments and Questions


If you require further clarification on the contents of this KB article, you may reach us via email at: support@natrinsic.com with the subject line “General Support Inquiry”.  Within the body of your email, provide your company name, your position and the system identifier of at least one system for which you have a current support contract. (e.g. NZ123456)



Overview of CVE-2021-44228, CVE-2021-4104


Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.   In relation to Netezza, log4j is used with the mapreduce cartridge (Analytics).   Update December 22, 2021: log4j version 1.x are impacted by CVE-2021-4104.  CVE-2021-44228 is not present on Netezza systems. By disabling the mapreduce cartridge, vulnerability  CVE-2021-4104 is removed.  It can also be noted that most Natrinsic customers who utilize Netezza do not have the mapreduce cartridge in use, but verification can and should be done using the details within this article.


Netezza Appliances Impacted:

  1. All Mako Systems, N3001

  2. All Generation 1 & Generation 2 Twinfin Systems, N200x



Remediation / Fix / Workarounds


Resolving the security vulnerability requires disabling the mapreduce cartridge functionality by removing the cartridge installation and registration.  The steps to do this require that you log into your system as the nz user and issue the following commands:


1.  Check whether mapreduce is installed
  1. $ nzcm --installed | grep mapreduce
2. If the output for the above command shows no output, or if the nzcm command is not found, then verify further with:

nzsql -db INZA -c "select * from product"

If you receive:
nzsql: FATAL 1: Database "INZA" does not exist.

then nothing further needs to be done to protect from this vulnerability as it is not present on your system.   However, if the output for the above command shows mapreduce is installed, then unregister and uninstall it.  
  1. $ nzcm -u mapreduce
  2. $ nzcm -e mapreduce
3. Verify that mapreduce is uninstalled:
  1. $ nzcm --installed | grep mapreduce

The following example shows an unregister and uninstall of mapreduce:

$ nzcm --installed | grep mapreduce
mapreduce     | 10.2.1.2 |

$ nzcm -u mapreduce
Following cartridges will be unregistered:
     mapreduce-10.2.1.2
Do you want to continue? (yes/no): yes
Unregistering: mapreduce-10.2.1.2
Cartridge 'mapreduce-10.2.1.2' unregistered
Log file:/nz/var/log/nzcm20211214.09_12_26.10222.log

$ nzcm -e mapreduce
Following cartridges will be uninstalled:
    mapreduce-10.2.1.2
Do you want to continue? (yes/no): yes
Uninstalling: mapreduce-10.2.1.2
Cartridge 'mapreduce-10.2.1.2' uninstalled
Log file:/nz/var/log/nzcm20211214.09_12_27.10301.log

$ nzcm --installed | grep mapreduce
$


Additional Help

If you require further clarification on the contents of this KB article, or the assistance of one of our engineers, you may reach us via email at: support@natrinsic.com with the subject line containing:

<ClientName>:<HostName>:CVE-2021-44228

where <ClientName> is replaced with the name of your organization, and <HostName> is replaced with the NZID of one of the Netezza appliances which has a valid support contract with Natrinsic.  Provided this format is followed, a support ticket will automatically be generated and our team will contact you.




Natrinsic Copyright 2021 – All Rights Reserved






    • Related Articles

    • Natrinsic Supplemental Documentation Series - Shutdown or Decommission of Netezza Appliances

      Natrinsic Supplemental Netezza Documentation Shutdown or Decommission of Netezza Appliances Preface & Disclaimer This document provides a high level overview of the administrative and optionally physical steps to take when shutting down or ...

    • How to Create a Ticket - Client and Partners

      The Natrinsic Helpdesk: A Guide for Our Customers Contents Preface Ticket Process Flow Comments and Questions Creating a Natrinsic Helpdesk Ticket Creating a ticket using the Online Ticketing System Creating a ticket by sending email to ...

    • Exadata Monitoring Configuration

      Exadata Monitoring Configuration: A Setup Guide for Our Customers Preface When technical assistance is required with your Exadata appliance, primary support is obtained by opening a ticket via the Natrinsic Helpdesk Ticketing System.  (Please refer ...