Differences

This shows you the differences between two versions of the page.

--- general:secadv-2021-01 [2021/12/28 21:03] – emr
+++ general:secadv-2021-01 [2024/02/13 17:15] – [Windows] emr
@@ Line 26: / Line 26: @@
 If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.
-Update for log4j 2.17.0 vulnerability from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary.
+Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary.
 ===== Resolution =====
@@ Line 67: / Line 67: @@
 Start a command line interface with administrative permissions:
-[[https://doc.stagesasaservice.com/lib/exe/fetch.php?tok=d23ece&media=https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png|{{  https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?direct&600x359  }}]]
+{{ https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?600x359 |https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png}}[[https://doc.stagesasaservice.com/lib/exe/fetch.php?tok=d23ece&media=https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png|{{ https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?600x359 }}]]
 Navigate to your Stages installation via the "cd" command.
-Edit <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\</font>//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:<code>
+Edit <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\</font>//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:
+<code ->
 set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true
 </code>
 Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\elasticsearch\config\</font>jvm.options as shown here:
-<code>
+<code ->
 [...]
 # log4j 2
@@ Line 86: / Line 86: @@
 -Dlog4j2.formatMsgNoLookups=true
 [...]
+</code>
-</code>
+Navigate to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.</font> \\  Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands.
-Navigate to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.</font> \\
+**IMPORTANT: it is necessary to perform the modifications on both services to be fully secure! **
-Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands.
-**<font inherit/inherit;;#c0392b;;inherit>IMPORTANT:</font> it is necessary to perform the modifications on both services to be fully secure! **
 ===== Note =====