Patch critical security vulnerabilities (CVE-2021-44832, -45105, -45046, and -44228)

The Analysis App window in Analytics uses Apache Log4j. As a result, it is affected by the Log4j critical security vulnerabilities listed below, although the actual risk to Analytics is low:

This list of vulnerabilities has grown as previous patches were found to be incomplete. We have a patch that will mitigate all of the above vulnerabilities in Analytics immediately.

Your options

Even though the risk for Analytics users is low, we still recommend addressing the vulnerability situation using one of the following options:

What is this patch?

This patch is an official release from Apache, Log4j's provider. It will mitigate CVE-2021-44832, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 in Analytics immediately.

Which versions of Analytics are vulnerable?

While the risk is low, all versions of Analytics up to and including version 15.1.0 are affected. Regardless of which version you have installed, we recommend either upgrading to the latest version of Analytics, which is 15.1.1, or manually patching your existing version of Analytics now.

Note

Versions of Analytics prior to version 15.1.0 are affected by other vulnerabilities and defects, which are not fixed by this manual patch. If you are using a version of Analytics prior to version 15.1.0, the recommended course of action is to upgrade to Analytics 15.1.1, which addresses all previously identified vulnerabilities and defects. For more information about previous fixes, see Release notes.

How to install the patch

Note

If ACL for Windows is installed in your Program Files folder, you must have administrator privileges on your computer to apply this patch. If you can't apply the patch yourself, speak to your system administrator for assistance.

This patch needs to be installed on each individual computer that has Analytics. You can install it through a batch script or manually.

If you have more than one version of Analytics installed side by side, you need to patch all installed versions separately.

Batch script method

Use this method only if Analytics is installed in its default location (C:\Program Files (x86)\ACL Software\ACL for Windows <<version>>). If Analytics is installed elsewhere, use the manual method described below.

  1. Close Analytics and ACL for Windows if they are open.
  2. Download this zipped folder to your computer.
  3. Unzip the folder to an easy location, like C:\temp\patch.
  4. Open a Windows command prompt in administrator mode.
  5. Switch to the folder you just created. For example, if you unzipped to C:\temp\patch, type:
    cd C:\temp\patch
  6. Run the batch script from the folder you unzipped.
    .\do_replace.bat

Manual method

  1. Close Analytics and ACL for Windows if they are open.
  2. Download this zipped folder to your computer.
  3. Unzip the folder.
  4. Go to the folder where ACL for Windows is installed. For example, C:\Program Files (x86)\ACL Software\ACL for Windows 15.
  5. Open the ACL App folder.
  6. Replace acl-service.ini with the new version of that file, which you just downloaded.
  7. Open the lib folder.
  8. Replace the four *.jar files listed below with the new versions of the files that you just downloaded. The new versions have 2.17.1 in the file name.
    • log4j-1.2-api-2.8.2.jar
    • log4j-api-2.8.2.jar
    • log4j-core-2.8.2.jar
    • log4j-slf4j-impl-2.8.2.jar
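
To confirm the result on a machine, including side-by-side installs and old jars left next to the new ones, the following PowerShell check lists every log4j-*.jar under a folder and flags any whose file-name version is below 2.17.1. It is an added example, not part of the vendor's patch package; the function name Get-Log4jJarStatus and the demo folder names are hypothetical, and it assumes the version is the last field of the jar file name, as in the names listed above.

```powershell
# Added example: report each Log4j jar under a root folder and whether the
# version in its file name is at least the patched 2.17.1.
function Get-Log4jJarStatus {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [version] $Patched = '2.17.1'
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Names look like log4j-1.2-api-2.8.2.jar: take the trailing version only.
            if ($_.BaseName -match '-(\d+\.\d+(?:\.\d+)?)$') {
                # Compare as [version], not as text: as strings, '2.8.2' sorts after '2.17.1'.
                $found = [version] $Matches[1]
                [pscustomobject]@{
                    Folder  = $_.DirectoryName
                    Jar     = $_.Name
                    Version = $found
                    Status  = if ($found -ge $Patched) { 'patched' } else { 'VULNERABLE' }
                }
            } else {
                [pscustomobject]@{ Folder = $_.DirectoryName; Jar = $_.Name; Version = $null; Status = 'unknown version' }
            }
        }
}

# Constructed sample tree (empty placeholder files) standing in for two
# side-by-side installs: one still on 2.8.2, one with the 2.17.1 jars.
$demo  = Join-Path ([IO.Path]::GetTempPath()) ("log4j-check-" + [guid]::NewGuid())
$names = 'log4j-1.2-api', 'log4j-api', 'log4j-core', 'log4j-slf4j-impl'
foreach ($pair in @(@('install-a', '2.8.2'), @('install-b', '2.17.1'))) {
    $lib = New-Item -ItemType Directory -Path (Join-Path $demo "$($pair[0])\lib") -Force
    foreach ($n in $names) {
        New-Item -ItemType File -Path (Join-Path $lib.FullName "$n-$($pair[1]).jar") | Out-Null
    }
}

Get-Log4jJarStatus -Root $demo | Sort-Object Folder, Jar | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real computer, pass the folder that contains your ACL for Windows installs as -Root instead of the constructed demo tree. Any row marked VULNERABLE means an old jar is still present in that folder.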

You may also need to patch Analytics Exchange

If your organization uses Analytics Exchange, a system administrator should patch or upgrade it as well. See the instructions to patch Analytics Exchange.