Natrinsic Supplemental Netezza Documentation
log4j vulnerability & its impact on Netezza Appliances
UPDATED December 22, 2021
This document provides a high-level overview of the CVE-2021-44228 log4j security vulnerability and its impact on Netezza appliances. As of December 16, 2021, our engineering team continues to assess the impacts and workarounds/resolutions for this security vulnerability. There may therefore be further updates to the information contained herein, and we recommend checking back for updates.
Natrinsic offers this guide only as a general overview; each customer may have unique requirements which cannot be covered in a general guide and as such Natrinsic does not warrant or guarantee the accuracy or completeness of this documentation. Natrinsic will have no liability for any damages arising from the misuse of any information provided in this document. Natrinsic also does not warrant or guarantee that any external links to third party websites will be active, correct or applicable for your situation.
If you require further clarification on the contents of this KB article, you may reach us via email at support@natrinsic.com with the subject line “General Support Inquiry”. Within the body of your email, provide your company name, your position and the system identifier of at least one system for which you have a current support contract (e.g. NZ123456).
In Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. In relation to Netezza, log4j is used with the mapreduce cartridge (Analytics).
Update December 22, 2021: log4j 1.x versions are impacted by CVE-2021-4104. CVE-2021-44228 is not present on Netezza systems. Disabling the mapreduce cartridge removes vulnerability CVE-2021-4104.
Most Natrinsic customers who utilize Netezza do not have the mapreduce cartridge in use, but verification can and should be done using the details within this article.
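The following script is an added example, not part of Natrinsic's documentation or of any Netezza tooling: it inventories log4j jars under a directory and maps each version to the CVE this article associates with it. The function names, the manifest attribute lookup and the file-name fallback are assumptions of the example, and "not listed" means only that the version falls outside the ranges quoted above.

```python
import re
import sys
import zipfile
from pathlib import Path

# Pre-release ordering within one x.y.z version; a final release sorts last.
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
# Affected ranges for CVE-2021-44228 exactly as quoted in this article.
RANGES_44228 = [((2, 0, 0, 1, 9), (2, 12, 1, 3, 0)),
                ((2, 13, 0, 3, 0), (2, 15, 0, 3, 0))]

def version_key(text):
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))

def classify(version):
    """Map a version string to the CVE the article ties to it."""
    key = version_key(version)
    if key is None:
        return "unknown"
    if key[0] == 1:  # article: log4j 1.x is impacted by CVE-2021-4104
        return "CVE-2021-4104"
    if any(lo <= key <= hi for lo, hi in RANGES_44228):
        return "CVE-2021-44228"
    return "not listed"

def jar_version(path):
    """Assumption: prefer the manifest's Implementation-Version, else the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no manifest or unreadable archive: fall back to the name
    return path.name

def scan(root):
    """Return {jar path: finding} for every log4j*.jar under root."""
    return {str(p): classify(jar_version(p)) for p in sorted(Path(root).rglob("log4j*.jar"))}

if __name__ == "__main__":
    for jar, finding in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(finding, jar)
```

Run it with the directory to inspect as the only argument; a jar whose file name carries two version numbers and has no manifest version should be checked by hand.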
Resolving the security vulnerability requires disabling the mapreduce cartridge functionality by removing the cartridge installation and registration. The steps to do this require that you log into your system as the nz user and issue the following commands:
If you require further clarification on the contents of this KB article, or the assistance of one of our engineers, you may reach us via email at: support@natrinsic.com with the subject line containing: