Hi,
May I please confirm that adding the JVM option -Dlog4j2.formatMsgNoLookups=true to Elasticsearch installations to address the recently reported log4j vulnerability is an acceptable immediate/short-term solution?
Dear Skyline teams, I would like to confirm that customers are asking for any sensitivity of DataMiner regarding the log4j vulnerability. Personally I don't think there is any relation because DataMiner is all .NET, however, some statement/guidance is requested by customers. Thanks, Jörg
Hi Jörg, DataMiner is indeed not impacted as we don’t use Java. But we have to be careful with Cassandra and Elastic. We’re currently making an assessment and we will publish a blog post today on this topic with our recommendations for Elastic and/or Cassandra.
To add to the context of this question, we are aware that there are multiple users of DataMiner who have raised questions regarding this security vulnerability for both DataMiner 9.6 and 10.1 in their production deployments. More info regarding the vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Some guidance on the applicability of this security vulnerability to DataMiner infrastructure (core software and any other third-party software, e.g. databases: MSSQL, ES, Cassandra, etc.) is requested.