Differences

general:secadv-2021-01 [2021/12/16 11:57] – [Mitigation and Fix] alz
general:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== Security Advisory 2021-01 ======+====== Security Advisory 2021-01 [LAST UPDATED 2021-12-28] ======
  
 ===== Summary ===== ===== Summary =====
  
-Mitigation for Jakarta Log4J2 Vulnerability described in [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228|CVE-2021-44228]] also known as **#Log4Shell** or **LogJam**+Resolution for Jakarta Log4J2 Vulnerability described in [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228|CVE-2021-44228]] also known as **Log4Shell** or **LogJam**
 ===== Release Date ===== ===== Release Date =====
  
 2021-12-13 2021-12-13
 +
 +Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28
  
 ===== Affected Versions ===== ===== Affected Versions =====
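Review bot: the "LogJam" alias kept in the rewritten Summary line invites confusion and should be dropped: Logjam is the established name of the 2015 TLS Diffie-Hellman downgrade attack (CVE-2015-4000), while CVE-2021-44228 is tracked everywhere as Log4Shell, so "also known as **Log4Shell**" is enough. The same hunk now records the update history in two places, "[LAST UPDATED 2021-12-28]" in the title and "Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28" under Release Date; pick one as the authoritative change log so the two cannot drift on the next edit.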
Line 13: Line 15:
  
 To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x). To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x).
- 
  
 ===== Description ===== ===== Description =====
Line 25: Line 26:
 If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.
  
-===== Mitigation and Fix =====+Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary.
  
-The mitigation or fix has already been applied to all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.+===== Resolution =====
  
-If you are using Stages on premise, we strongly suggest to upgrade your Stages instances to Stages 7.7.3.2 or 7.6.5.1 to fix the issueThese releases will be sent to all customersIf your IT responsibles do not receive the release notifications, please contact the Stages customer care team via [[stages-support@methodpark.com|]]\\ +If you are using Stages on premise, **upgrade to versions 7.7.3.3, 7.6.5.3, or 7.5.7.2. **If you still run version 7.0, 7.1, 7.2, 7.3, or 7.4, we strongly suggest to upgrade to 7.6 or 7.7.
-\\ +
-If you can'upgrade your server instances immediately - for mitigation - please perform the following updates to your configuration:+
  
 +The instructions how to obtain and install those releases have been sent to all customers. If do not receive the release notifications, please contact the Stages customer care team via [[stages-support@methodpark.com|]]
 +
 +The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.
 +
 +===== Mitigation =====
 +
 +If you are unable to upgrade your server instances immediately, please perform the following updates for mitigation to your configuration:
  
 ==== Linux ==== ==== Linux ====
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/bin/rc.conf</font> as shown here:<code>+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/bin/rc.conf as shown here:<code>
  
 CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true" CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"
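Review bot: the new Mitigation section still presents "-Dlog4j2.formatMsgNoLookups=true" as a sufficient stopgap for customers who cannot upgrade, but Apache withdrew that recommendation with CVE-2021-45046: the property does not cover Thread Context Map (MDC) lookups in non-default pattern layouts, and Apache's advisory lists it explicitly as an insufficient mitigation. The section should say that the flag reduces but does not eliminate the exposure and that only the listed fixed releases resolve the issue. Related points in the same hunk: the CVE-2021-44832 paragraph lands in the Description section, between the incident-contact sentence and the Resolution heading, and it should name the configuration it rules out (a JDBC Appender whose data source references a JNDI URI, which requires write access to the logging configuration) so customers can check the claim against their own deployment; the Resolution paragraph announces 7.7.3.3, 7.6.5.3 and 7.5.7.2 without stating which Log4j version each release bundles, which is what customers need to correlate with later Log4j CVEs; "If do not receive the release notifications" is missing "you"; and none of the visible Linux lines say that the Stages and Elasticsearch services must be restarted for the rc.conf and jvm.options changes to take effect, which the Windows section does say.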
Line 42: Line 48:
 </code> </code>
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/elasticsearch/config/jvm.options</font> as shown here:+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/elasticsearch/config/jvm.options as shown here:
  
 <code level1> <code level1>
Line 59: Line 65:
 ==== Windows ==== ==== Windows ====
  
-Start a command line interface with administrative permissions+Start a command line interface with administrative permissions.
- +
-[[https://doc.stagesasaservice.com/lib/exe/fetch.php?tok=d23ece&media=https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png|{{  https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?direct&600x359  }}]]+
  
 Navigate to your Stages installation via the "cd" command. Navigate to your Stages installation via the "cd" command.
  
-Edit <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\</font>//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:<code>+Edit <STAGES_INSTALL_DIR>\//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:
  
 +<code ->
 set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true
- 
 </code> </code>
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\elasticsearch\config\</font>jvm.options as shown here:+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here:
  
-<code>+<code ->
 [...] [...]
 # log4j 2 # log4j 2
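Review bot: the Windows procedure gives no way to confirm that the change took effect after "reinstallService.bat" and the service restarts; add a verification step such as "wmic process where \"name='java.exe'\" get CommandLine" (or "Get-CimInstance Win32_Process -Filter \"Name='java.exe'\" | Select-Object CommandLine" in PowerShell) and state that both the Stages and the Stages Search JVM must show "-Dlog4j2.formatMsgNoLookups=true", since the IMPORTANT line below depends on both being modified. It should also say whether "reinstallService.bat" re-registers only the "Stages" service with the new JAVA_OPTS from config.bat or both services, so readers know why the step sits before the restart. Minor: the edited fences use "<code ->" while the Linux section uses "<code>" and "<code level1>"; keep one form.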
Line 80: Line 84:
 -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true
 [...] [...]
- 
 </code> </code>
  
-Navigate to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.</font> \\+Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. 
 Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands. Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands.
  
-**<font inherit/inherit;;#c0392b;;inherit>IMPORTANT:</font> it is necessary to perform the modifications on both services to be fully secure! **+**IMPORTANT: it is necessary to perform the modifications on both services to be fully secure! ** 
  
 ===== Note ===== ===== Note =====
  
-Please note that those configuration changes only mitigate the issue by disabling the vulnerable code in Stages V7. To fix the issue, we strongly suggest to upgrade your instances to Stages 7.7.3.2 or 7.6.5.1.+Please note that those configuration changes only mitigate the issue by disabling the vulnerable code in Stages V7. To fix the issue, we strongly suggest to upgrade your instances to Stages 7.7.3.3, 7.6.5.3, or 7.5.7.2.
  
-Stages V6 still uses Log4J 1.x which is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant.+Stages V6 still uses Log4J 1.xwhich is only affected by this issue under very special conditions. In the usage of Log4J with Stages V6 these conditions do not apply, thus making the issue irrelevant.
  
 Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time. Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to update your system configuration at this time.
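Review bot: this edit introduces a typo in the Stages V6 sentence, "Log4J 1.xwhich" lost the comma and space that the previous revision had. More substantively, the "very special conditions" for Log4J 1.x should be named so customers can verify the "irrelevant" claim themselves: the only JNDI path in Log4j 1.2 is JMSAppender, which is exploitable only when an attacker can already modify the logging configuration (tracked as CVE-2021-4104), and 1.x has been end-of-life since 2015 and receives no security fixes, which is a reason to plan the V6 to V7 move even though CVE-2021-44228 does not apply. The first sentence of the Note also overstates the flag: "disabling the vulnerable code" should read "disabling message lookups", as the property does not turn off JNDI and does not cover every lookup path, which is why the upgrade to 7.7.3.3, 7.6.5.3 or 7.5.7.2 is the actual fix.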