Skip to main content
Delphix

TB095 Log4j Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2019-17571, CVE-2021-4104)

 

 

Alert Type

Security

Summary

Based on our analysis, Delphix’s current and supported products are not susceptible to any of the known vulnerabilities in log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2019-17571, CVE-2021-4104). Delphix will stay current on the latest developments and will provide updates as needed.

The most serious of these CVEs (CVE-2021-44228) was recently disclosed and scored at the highest severity (CVSS 10.0). This vulnerability has the potential to result in remote code execution on an impacted target.

Impact

  • There is no impact to currently supported Delphix products.

  • Delphix Reporting (formerly known as “Mission Control”) has been EOL since July 1, 2021. Delphix Reporting uses a vulnerable log4j version, and it is exploitable. Customers are strongly encouraged to discontinue use of Delphix Reporting.

This impact assessment is applicable to all current and supported Delphix products. Details for all products can be found in our Delphix Product Lifecycle Policies.

The following versions of the Delphix Virtualization & Masking Engines and related environment toolkits are not impacted by the log4j vulnerabilities:

Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0
5.3 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2
5.1 5.1.3.1, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4, 5.0.5.5

In addition, this means that the following products are not impacted by the log4j vulnerabilities:

  • Data Control Tower (DCT) SaaS

  • Data Control Tower (DCT) Multi Cloud

  • Virtualization SDK & Connectors

  • Masking Extensibility SDK

  • Delphix Connectors (Windows Connectors)

Mitigation

Discontinue use of Delphix Reporting (Mission Control).

All other products are not impacted by the log4j vulnerabilities. 

Resolution

Discontinue use of Delphix Reporting (Mission Control).

All other products are not impacted by the log4j vulnerabilities.