general:secadv-2021-01 [2021/12/22 13:25] – emr | general:secadv-2021-01 [2024/02/13 17:15] – [Windows] emr |
---|
====== Security Advisory 2021-01 [UPDATED] ====== | ====== Security Advisory 2021-01 [LAST UPDATED 2021-12-28] ====== |
| |
===== Summary ===== | ===== Summary ===== |
2021-12-13 | 2021-12-13 |
| |
Updated to announce fixed software versions on 2021-12-16 and 2021-12-22 | Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28 |
| |
===== Affected Versions ===== | ===== Affected Versions ===== |
| |
If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. |
| |
| Update from 2021-12-28 on CVE-2021-44832 (RCE in log4j 2.17.0): Stages does not use log4j in the configuration that CVE describes, so neither Stages nor Elasticsearch can be exploited through this vulnerability. No updates or other mitigations are necessary. |
| |
===== Resolution ===== | ===== Resolution ===== |
| |
The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. | The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. |
| |
| ===== Mitigation ===== |
| |
If you are unable to upgrade your server instances immediately, apply the following mitigation to your configuration: | If you are unable to upgrade your server instances immediately, apply the following mitigation to your configuration: |
Start a command line interface with administrative permissions: | Start a command line interface with administrative permissions: |
| |
{{ https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?600x359 }} | {{ https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?600x359 }} |
| |
Navigate to your Stages installation via the "cd" command. | Navigate to your Stages installation via the "cd" command. |
| |
Edit <STAGES_INSTALL_DIR>\//config.bat// and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the //JAVA_OPTS// line as shown here:<code> | Edit <STAGES_INSTALL_DIR>\//config.bat// and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the //JAVA_OPTS// line as shown here: |
| |
| <code -> |
set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true | set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true |
| |
</code> | </code> |
| |
Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here: | Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here: |
| |
<code> | <code -> |
[...] | [...] |
# log4j 2 | # log4j 2 |
-Dlog4j2.formatMsgNoLookups=true | -Dlog4j2.formatMsgNoLookups=true |
[...] | [...] |
| |
</code> | </code> |
| |
Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. \\ | Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. \\ Restart both the "Stages" and the "Stages Search" services, either via the "Services" application or with the respective "net stop" and "net start" commands. |
Restart both the "Stages" and the "Stages Search" services, either via the "Services" application or with the respective "net stop" and "net start" commands. | |
| **IMPORTANT: the modifications must be applied to both services (Stages and Stages Search) to be fully protected!** |
| |
**IMPORTANT: the modifications must be applied to both services (Stages and Stages Search) to be fully protected!** | |
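The four steps above (edit config.bat, edit jvm.options, reinstall the service, restart both services) are easy to half-apply, and the advisory stresses that a host is only protected when both JVMs carry the flag. The script below is an added example, not part of the advisory and not Method Park's tooling: it applies the flag to both files idempotently, backs each file up first, refuses to touch the services unless both files carry the flag afterwards, and then checks the running java.exe command lines. It assumes that -StagesInstallDir is <STAGES_INSTALL_DIR>, that the two Windows services carry the display names "Stages" and "Stages Search" the advisory uses, and that the JVMs run as java.exe; verify those with Get-Service and Get-Process on your host. Run it from an elevated PowerShell, as the advisory's manual steps also require.

```powershell
# Added example, not part of the Stages advisory or of Method Park's own tooling.
# Applies the stopgap described above to both JVMs without hand-editing, and
# refuses to touch the services unless both files carry the flag afterwards.
# Assumptions: -StagesInstallDir is <STAGES_INSTALL_DIR>; the two Windows services
# carry the display names "Stages" and "Stages Search" as the advisory calls them.
param(
    [Parameter(Mandatory = $true)]
    [string]$StagesInstallDir
)

$ErrorActionPreference = 'Stop'
$Flag       = '-Dlog4j2.formatMsgNoLookups=true'
$FlagRegex  = [regex]::Escape($Flag)
$ConfigBat  = Join-Path $StagesInstallDir 'config.bat'
$JvmOptions = Join-Path $StagesInstallDir 'elasticsearch\config\jvm.options'

# Keep a timestamped copy so the change can be reverted after the real upgrade.
function Backup-File([string]$Path) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $Path -Destination "$Path.bak-$stamp"
}

# Write without a BOM: cmd.exe mis-parses a BOM at the top of a .bat file.
function Write-Lines([string]$Path, [string[]]$Lines) {
    [System.IO.File]::WriteAllLines($Path, $Lines)
}

# config.bat: append the flag to the 'set JAVA_OPTS=' line, exactly once.
function Add-FlagToConfigBat([string]$Path) {
    $lines = @(Get-Content -LiteralPath $Path)
    $optsLines = @($lines | Where-Object { $_ -match '^\s*set\s+JAVA_OPTS=' })
    if ($optsLines.Count -ne 1) {
        throw "Expected exactly one 'set JAVA_OPTS=' line in $Path, found $($optsLines.Count)"
    }
    if ($optsLines[0] -match $FlagRegex) { Write-Host "config.bat already carries $Flag"; return }
    Backup-File $Path
    $updated = $lines | ForEach-Object {
        if ($_ -match '^\s*set\s+JAVA_OPTS=') { $_.TrimEnd() + ' ' + $Flag } else { $_ }
    }
    Write-Lines $Path $updated
}

# jvm.options: Elasticsearch reads one JVM option per line, so the flag goes on its own line.
function Add-FlagToJvmOptions([string]$Path) {
    $lines = @(Get-Content -LiteralPath $Path)
    if (@($lines | Where-Object { $_ -match $FlagRegex }).Count -gt 0) {
        Write-Host "jvm.options already carries $Flag"; return
    }
    Backup-File $Path
    Write-Lines $Path ($lines + @('', '# log4j 2', $Flag))
}

# Both files must carry the flag; a half-applied mitigation leaves one JVM exposed.
function Test-Mitigation {
    $ok = $true
    foreach ($p in @($ConfigBat, $JvmOptions)) {
        if (-not ((Get-Content -LiteralPath $p -Raw) -match $FlagRegex)) {
            Write-Warning "$Flag is missing from $p"
            $ok = $false
        }
    }
    return $ok
}

Add-FlagToConfigBat $ConfigBat
Add-FlagToJvmOptions $JvmOptions
if (-not (Test-Mitigation)) { throw 'Mitigation is not present in both files; not touching the services.' }

# reinstallService.bat re-registers the Stages service so the new JAVA_OPTS are picked up.
Push-Location (Join-Path $StagesInstallDir 'bin')
try { & cmd.exe /c reinstallService.bat } finally { Pop-Location }

# Equivalent to the advisory's "net stop" / "net start" on each of the two services.
foreach ($name in @('Stages', 'Stages Search')) {
    Get-Service -DisplayName $name | Restart-Service -Force
}

# Post-check: the flag should be visible on the java.exe command lines. A service
# wrapper that stores JVM options in the registry will not show it here, so treat
# an absence as "verify by hand", not as proof of failure.
Get-CimInstance Win32_Process -Filter "Name = 'java.exe'" |
    Select-Object ProcessId, @{ n = 'HasFlag'; e = { $_.CommandLine -match $FlagRegex } }, CommandLine |
    Format-List
```

Invoke it as `.\Apply-Log4jMitigation.ps1 -StagesInstallDir 'C:\Stages'` (script name and path are illustrative). The script aborts before the service restart if either file ends up without the flag, which is the failure mode the advisory's IMPORTANT note warns about; the timestamped .bak copies let you remove the flag again once the server has been upgraded to a fixed version, which remains the actual fix.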
| |
===== Note ===== | ===== Note ===== |