Differences
general:secadv-2021-01 [2021/12/16 11:36] – [Note] alz | general:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Security Advisory 2021-01 ====== | + | ====== Security Advisory 2021-01 |
===== Summary ===== | ===== Summary ===== | ||
- | Mitigation | + | Resolution |
===== Release Date ===== | ===== Release Date ===== | ||
2021-12-13 | 2021-12-13 | ||
+ | |||
+ | Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28 | ||
===== Affected Versions ===== | ===== Affected Versions ===== | ||
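Review bot: the Summary line now reads "Resolution" only, yet this revision keeps a Mitigation section for on-premise customers who cannot upgrade immediately; a summary along the lines of "Resolution (fixed versions available); configuration mitigation for instances that cannot upgrade yet" would make the first screen reflect both paths. The added "Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28" line under Release Date is a useful change log; stating which fixed version was announced on each date would let readers check that the build they run postdates the fix.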
Line 13: | Line 15: | ||
To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x). | To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x). | ||
- | |||
===== Description ===== | ===== Description ===== | ||
Line 25: | Line 26: | ||
If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | ||
- | ===== Mitigation ===== | + | Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, |
- | The mitigation | + | ===== Resolution ===== |
+ | |||
+ | If you are using Stages on premise, **upgrade to versions 7.7.3.3, 7.6.5.3, or 7.5.7.2. **If you still run version 7.0, 7.1, 7.2, 7.3, or 7.4, we strongly suggest to upgrade to 7.6 or 7.7. | ||
+ | |||
+ | The instructions how to obtain and install those releases have been sent to all customers. If do not receive the release notifications, | ||
+ | |||
+ | The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. | ||
+ | |||
+ | ===== Mitigation ===== | ||
- | If you are using Stages on premise, please perform the following updates to your configuration: | + | If you are unable to upgrade your server instances immediately, please perform the following updates |
==== Linux ==== | ==== Linux ==== | ||
- | Add the parameter " | + | Add the parameter " |
CONF_JAVA_OPTS=" | CONF_JAVA_OPTS=" | ||
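Review bot: the Resolution paragraph reads "If do not receive the release notifications" and is missing "you"; "we strongly suggest to upgrade" should be "we strongly suggest upgrading"; and the closing bold marker in "or 7.5.7.2. **If you still run" sits after the period and space, so the bold run swallows the sentence end. Suggested: "**upgrade to versions 7.7.3.3, 7.6.5.3, or 7.5.7.2**." The new CVE-2021-44832 sentence states that Stages does not use log4j in the described configuration; naming the log4j version bundled with 7.7.3.3, 7.6.5.3 and 7.5.7.2 in the same sentence would let on-premise administrators confirm that against their own installation.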
Line 39: | Line 48: | ||
</ | </ | ||
- | Add the parameter " | + | Add the parameter " |
<code level1> | <code level1> | ||
Line 56: | Line 65: | ||
==== Windows ==== | ==== Windows ==== | ||
- | Start a command line interface with administrative permissions: | + | Start a command line interface with administrative permissions. |
- | + | ||
- | [[https:// | + | |
Navigate to your Stages installation via the " | Navigate to your Stages installation via the " | ||
- | Edit <font 11.0pt/ | + | Edit < |
+ | <code -> | ||
set JAVA_OPTS=-XX: | set JAVA_OPTS=-XX: | ||
- | |||
</ | </ | ||
- | Add the parameter " | + | Add the parameter " |
- | < | + | < |
[...] | [...] | ||
# log4j 2 | # log4j 2 | ||
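Review bot: the removed "[[https://..." line was the only pointer explaining how to open an elevated command line, and the step "Start a command line interface with administrative permissions." now stands without it; if the link was dropped because it was stale, replace it with a working reference rather than leaving the step unexplained. The edit also swaps the "<font 11.0pt/" markup for a plain "<" fence, which is the right cleanup; check that the new "<code ->" block renders the "set JAVA_OPTS=-XX:" line as intended.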
Line 77: | Line 84: | ||
-Dlog4j2.formatMsgNoLookups=true | -Dlog4j2.formatMsgNoLookups=true | ||
[...] | [...] | ||
- | |||
</ | </ | ||
- | Navigate to <font 11.0pt/ | + | Navigate to < |
Restart both the " | Restart both the " | ||
- | **<font inherit/ | + | **IMPORTANT: |
===== Note ===== | ===== Note ===== | ||
- | Please note that those configuration changes mitigate the issue by disabling the vulnerable code in Stages V7. We strongly suggest to upgrade your instances to Stages 7.7.3.2 or 7.6.5.1. These releases will be sent to all customers. If your IT responsibles do not receive the relese notifications, | + | Please note that those configuration changes |
- | Stages V6 still uses Log4J 1.x - which is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant. | + | Stages V6 still uses Log4J 1.x, which is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant. |
Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time. | Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time. | ||
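Review bot: the previous Note text named "Stages 7.7.3.2 or 7.6.5.1" as the releases to upgrade to, while the new Resolution section names 7.7.3.3, 7.6.5.3, or 7.5.7.2; the replacement Note text is cut off in this view, so confirm it carries the same three versions, or point to the Resolution section instead of repeating the list, to avoid the two drifting apart on the next update. For the Stages V6 paragraph, stating which "very special conditions" make Log4J 1.x affected would let V6 administrators verify for themselves that those conditions do not apply to their deployment rather than take the conclusion on trust.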