Differences
This shows you the differences between two versions of the page.
general:secadv-2021-01 [2021/12/16 11:44] – [Mitigation and Fix] alz | general:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Security Advisory 2021-01 ====== | + | ====== Security Advisory 2021-01 |
===== Summary ===== | ===== Summary ===== | ||
- | Mitigation | + | Resolution |
===== Release Date ===== | ===== Release Date ===== | ||
2021-12-13 | 2021-12-13 | ||
+ | |||
+ | Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28 | ||
===== Affected Versions ===== | ===== Affected Versions ===== | ||
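Review bot: the new "Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28" line in the Release Date section gives three update dates but not which fixed version each date announced; pair each date with its version (for example "2021-12-18: version X") so a reader comparing against the Affected Versions section can tell whether a given update applies to them. The Summary change from "Mitigation" to "Resolution" is consistent with the renamed "===== Resolution =====" heading further down.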
Line 13: | Line 15: | ||
To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x). | To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x). | ||
- | |||
===== Description ===== | ===== Description ===== | ||
Line 25: | Line 26: | ||
If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | ||
- | ===== Mitigation and Fix ===== | + | Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, |
- | The mitigation has already been applied to all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. | + | ===== Resolution ===== |
- | If you are using Stages on premise, | + | If you are using Stages on premise, |
- | \\ | + | |
- | If you can' | + | |
+ | The instructions how to obtain and install those releases have been sent to all customers. If do not receive the release notifications, | ||
+ | |||
+ | The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. | ||
+ | |||
+ | ===== Mitigation ===== | ||
+ | |||
+ | If you are unable to upgrade your server instances immediately, | ||
==== Linux ==== | ==== Linux ==== | ||
- | Add the parameter " | + | Add the parameter " |
CONF_JAVA_OPTS=" | CONF_JAVA_OPTS=" | ||
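Review bot: the new Resolution sentence "If do not receive the release notifications," is missing its subject and should read "If you do not receive the release notifications,". The "Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration," sentence has been appended to the end of the Description section; keeping Description about the original issue and putting dated updates in their own list (matching the update dates now listed under Release Date) would make it clearer which advisory the "described configuration" refers to. Since the Mitigation section now opens with "If you are unable to upgrade your server instances immediately," and the removed "Mitigation and Fix" text named the fixed releases (7.7.3.2 / 7.6.5.1), make sure the new Resolution text states the versions to upgrade to before the Linux/Windows parameter steps.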
Line 42: | Line 48: | ||
</ | </ | ||
- | Add the parameter " | + | Add the parameter " |
<code level1> | <code level1> | ||
Line 59: | Line 65: | ||
==== Windows ==== | ==== Windows ==== | ||
- | Start a command line interface with administrative permissions: | + | Start a command line interface with administrative permissions. |
- | + | ||
- | [[https:// | + | |
Navigate to your Stages installation via the " | Navigate to your Stages installation via the " | ||
- | Edit <font 11.0pt/ | + | Edit < |
+ | <code -> | ||
set JAVA_OPTS=-XX: | set JAVA_OPTS=-XX: | ||
- | |||
</ | </ | ||
- | Add the parameter " | + | Add the parameter " |
- | < | + | < |
[...] | [...] | ||
# log4j 2 | # log4j 2 | ||
Line 80: | Line 84: | ||
-Dlog4j2.formatMsgNoLookups=true | -Dlog4j2.formatMsgNoLookups=true | ||
[...] | [...] | ||
- | |||
</ | </ | ||
- | Navigate to <font 11.0pt/ | + | Navigate to < |
Restart both the " | Restart both the " | ||
- | **<font inherit/ | + | **IMPORTANT: |
===== Note ===== | ===== Note ===== | ||
- | Please note that those configuration changes mitigate the issue by disabling the vulnerable code in Stages V7. To fix the issue, we strongly suggest to upgrade your instances to Stages 7.7.3.2 or 7.6.5.1. These releases will be sent to all customers. If your IT responsibles do not receive the relese notifications, | + | Please note that those configuration changes |
- | Stages V6 still uses Log4J 1.x - which is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant. | + | Stages V6 still uses Log4J 1.x, which is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant. |
Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time. | Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time. | ||
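Review bot: dropping the "[[https://" link that followed "Start a command line interface with administrative permissions." removes the only pointer to how an elevated prompt is opened on Windows; keep at least a short hint in the step. The removed Note paragraph contained the misspellings "relese notifications" and "IT responsibles"; confirm the replacement paragraph reads "release notifications" and names the responsible IT contacts. Because the Note still says the configuration changes only "mitigate the issue" and that upgrading is the fix, the "**IMPORTANT:" line after "Restart both the ..." services should repeat that -Dlog4j2.formatMsgNoLookups=true and the JAVA_OPTS change are a stopgap and that the upgrade in Resolution is still required. The change from "Log4J 1.x - which" to "Log4J 1.x, which" in the V6 sentence reads correctly.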