Differences
This shows you the differences between two versions of the page. Lines marked "-" are from the previous revision, lines marked "+" from the current one; unmarked lines are unchanged in both.
Previous revision: general:secadv-2021-01 [2021/12/16 13:04] – emr
Current revision: general:secadv-2021-01 [2024/02/13 17:15] – [Windows] emr
- ====== Security Advisory 2021-01 [UPDATED] ======
+ ====== Security Advisory 2021-01 [LAST UPDATED
===== Summary =====
2021-12-13
Updated to announce fixed software
===== Affected Versions =====
If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.
+ Update for the log4j 2.17.0 RCE vulnerability CVE-2021-44832 (2021-12-28): Stages does not use log4j in the described configuration,
===== Resolution =====
- If you are using Stages on premise, upgrade to versions 7.7.3.2 or 7.6.5.1.
+ If you are using Stages on premise,
- These releases
+ The instructions on how to obtain and install those releases
The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.
+ ===== Mitigation =====
If you are unable to upgrade your server instances immediately,
Start a command line interface with administrative permissions:
- [[https://
+ {{ https://
Navigate to your Stages installation via the "
Edit <font 11.0pt/
<code>
set JAVA_OPTS=-XX:
</code>
Add the parameter "
<code>
[...]
# log4j 2
-Dlog4j2.formatMsgNoLookups=true
[...]
</code>
Navigate to <font 11.0pt/
- Restart both the "
+ **IMPORTANT:
- **<font inherit/
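After applying the steps above, the check a practitioner wants is a way to confirm on the server that the flag actually landed in JAVA_OPTS and that the log4j-core jars in the installation are old enough to need it and new enough to honour it. The following Python script is an added example written for this page; it is not part of the advisory, of Stages, or of any Method Park tooling. It assumes a Windows-style batch file that sets JAVA_OPTS (the file name setenv.bat and the lib directory layout are invented for the demo) and builds a throwaway installation with constructed jars so it runs offline. The thresholds it applies are facts about Log4j 2: the formatMsgNoLookups property is only honoured from 2.10.0 on, and message lookups were removed altogether in 2.16.0.

```python
"""Log4Shell mitigation check for a Java installation (added example, not Stages code).

Scans an install directory for log4j-core jars, reads their version, checks
whether JndiLookup.class is still inside, and parses the startup script's
JAVA_OPTS for -Dlog4j2.formatMsgNoLookups=true.  Paths and file names used
in the demo are assumptions made for this example.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FLAG = "log4j2.formatMsgNoLookups"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
DPROP_RE = re.compile(r"-D([^=\s]+)=(\S+)")


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'log4j-core-2.14.1.jar' or '2.0-beta9'; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def java_opts_properties(script_text):
    """Collect -D system properties from every 'set JAVA_OPTS=...' line of a batch/env script."""
    props = {}
    for line in script_text.splitlines():
        if re.match(r"\s*set\s+JAVA_OPTS\s*=", line, re.IGNORECASE):
            for key, value in DPROP_RE.findall(line):
                props[key] = value.strip('"')
    return props


def no_lookups_flag_set(script_text):
    """True when the startup script sets the property to true (Log4j parses it case-insensitively)."""
    return java_opts_properties(script_text).get(FLAG, "").lower() == "true"


def inspect_jar(jar_path):
    """Return (version, has_jndi_lookup); version comes from the file name, else the manifest."""
    version = parse_version(Path(jar_path).name)
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = parse_version(m.group(1))
    return version, JNDI_LOOKUP in names


def verdict(version, has_jndi_lookup, flag_set):
    """Classify one log4j-core jar for CVE-2021-44228 given the JAVA_OPTS state."""
    if version is None:
        return "unknown version: inspect manually"
    if version >= (2, 16, 0):
        # 2.16.0 removed message lookups; 2.15.0 is deliberately not treated as safe.
        return "not affected: message lookups removed in 2.16.0"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed from jar"
    if flag_set and version >= (2, 10, 0):
        return "mitigated by formatMsgNoLookups (honoured since 2.10.0); upgrade still required"
    if flag_set:
        return "VULNERABLE: flag set but Log4j < 2.10.0 ignores it"
    return "VULNERABLE: no mitigation in place"


def assess(install_dir, startup_script):
    """Walk the installation and return one finding per log4j-core jar."""
    text = Path(startup_script).read_text(encoding="utf-8", errors="replace")
    flag_set = no_lookups_flag_set(text)
    findings = []
    for jar in sorted(Path(install_dir).rglob("log4j-core*.jar")):
        version, has_jndi = inspect_jar(jar)
        findings.append({"jar": jar.name, "version": version, "jndi_lookup": has_jndi,
                         "verdict": verdict(version, has_jndi, flag_set)})
    return findings


def build_demo():
    """Constructed throwaway install: a vulnerable jar, a jar with JndiLookup stripped, and a JAVA_OPTS script."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    lib = root / "lib"
    lib.mkdir()
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    with zipfile.ZipFile(lib / "log4j-core-2.11.2.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.11.2\n")
    script = root / "setenv.bat"  # hypothetical script name
    script.write_text("@echo off\nset JAVA_OPTS=-XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true\n",
                      encoding="utf-8")
    return root, script


if __name__ == "__main__":
    demo_root, demo_script = build_demo()
    for finding in assess(demo_root, demo_script):
        print(f"{finding['jar']}: {finding['verdict']}")
```

Point `assess()` at the real installation root and the real startup script instead of the demo. A "mitigated by formatMsgNoLookups" verdict is the stopgap the Note below describes, not a fix: the upgrade is what removes the vulnerable code, and a jar older than 2.10.0 silently ignores the flag, which is why the script refuses to call it mitigated.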
===== Note =====
- Please note that those configuration changes only mitigate the issue by switching off the Log4J message lookups through which the vulnerable code is reached in Stages V7. To fix the issue, we strongly suggest upgrading your instances to Stages 7.7.3.2 or 7.6.5.1.
+ Please note that those configuration changes only mitigate the issue by switching off the Log4J message lookups through which the vulnerable code is reached in Stages V7. To fix the issue, we strongly suggest upgrading your instances to Stages 7.7.3.3, 7.6.5.3, or 7.5.7.2.
Stages V6 still uses Log4J 1.x, which is affected by this issue only under very specific conditions (a JMSAppender configured with an attacker-controllable JNDI endpoint). In the way Stages V6 uses Log4J these conditions do not apply, so the issue does not affect Stages V6.