Security Advisory 2021-01 [UPDATED]

Summary

Resolution for Jakarta Log4J2 Vulnerability described in CVE-2021-44228 also known as Log4Shell or LogJam

Release Date

2021-12-13

Affected Versions

  • All 7.x versions before 7.6.5.1 and 7.7.3.2

To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x).

Description

A critical vulnerability has been found in the Jakarta Log4J2 framework. This framework is used by the Stages ElasticSearch subsystem.

As most Stages instances are not accessible from the public internet and dedicated user credentials are required for access, the Stages vulnerability is not as critical as described in the original advisory.

Our current analysis shows that it is not possible to exploit the vulnerability at this time in a standard Stages installation. None of the systems analyzed by Method Park by UL, including all Stages Cloud instances, showed any evidence of unauthorized usage. Please contact us for further information on how to check whether your system has been impacted.

If you see indications of unauthorized usage, please contact security-alerts@methodpark.com immediately.

Resolution

If you are using Stages on premise, upgrade to versions 7.7.3.2 or 7.6.5.1.

These releases will be sent to all customers. If the people responsible for IT at your organization do not receive the release notifications, please contact the Stages customer care team via stages-support@methodpark.com.

The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.

If you cannot upgrade your server instances immediately, apply the following configuration changes as a mitigation:

Linux

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” to /opt/stages/bin/rc.conf as shown here:

CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” to /opt/stages/elasticsearch/config/jvm.options as shown here:

[...]
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true
[...]

Restart Stages via “stages restart” or “sudo stages restart”.
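To confirm that the Linux mitigation above actually took effect before relying on it, the following script (an added example, not part of this advisory or of the Stages product) checks that the flag sits inside the CONF_JAVA_OPTS assignment in rc.conf, that it is an uncommented whole line in jvm.options, and whether any running JVM still lacks it, which means the restart has not happened yet. The file paths are the advisory's defaults and are assumed; they can be overridden through the RC_CONF and JVM_OPTS environment variables.

```shell
#!/bin/sh
# Added example: verify the Log4Shell mitigation flag from this advisory is
# really in place. Paths are the advisory's defaults (assumed, overridable).
FLAG='-Dlog4j2.formatMsgNoLookups=true'
RC_CONF="${RC_CONF:-/opt/stages/bin/rc.conf}"
JVM_OPTS="${JVM_OPTS:-/opt/stages/elasticsearch/config/jvm.options}"

# rc_conf_has_flag FILE: the flag must be inside the CONF_JAVA_OPTS="..."
# assignment; a flag on a comment line or elsewhere never reaches the JVM.
rc_conf_has_flag() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep '^[[:space:]]*CONF_JAVA_OPTS=' \
        | grep -q -- "$FLAG"
}

# jvm_options_has_flag FILE: jvm.options takes one option per line, so the
# flag must be a whole, uncommented line ("#-Dlog4j2..." does not count).
jvm_options_has_flag() {
    grep -q -- "^[[:space:]]*$FLAG[[:space:]]*\$" "$1" 2>/dev/null
}

# running_jvms_without_flag: count java processes whose command line lacks
# the flag, i.e. services not restarted since the edit (reads Linux /proc).
running_jvms_without_flag() {
    n=0
    for f in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        case "$cmd" in
            *java*) case "$cmd" in *"$FLAG"*) ;; *) n=$((n + 1)) ;; esac ;;
        esac
    done
    echo "$n"
}

# check_mitigation: prints one status line per file and the JVM count;
# returns 0 only if both configuration files carry the flag.
check_mitigation() {
    rc=0
    if rc_conf_has_flag "$RC_CONF"; then echo "ok      $RC_CONF"
    else echo "MISSING $RC_CONF"; rc=1; fi
    if jvm_options_has_flag "$JVM_OPTS"; then echo "ok      $JVM_OPTS"
    else echo "MISSING $JVM_OPTS"; rc=1; fi
    echo "running JVMs without the flag: $(running_jvms_without_flag)"
    return $rc
}

if [ "${1:-}" = "--check" ]; then check_mitigation; fi
```

Run it as `sh check_log4j_flag.sh --check` after editing the files and again after `stages restart`; the JVM count should drop to 0 once both the Stages and ElasticSearch processes have been restarted.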

Windows

Start a command line interface with administrative permissions.

Navigate to your Stages installation via the “cd” command.

Edit <STAGES_INSTALL_DIR>\config.bat and add the parameter “-Dlog4j2.formatMsgNoLookups=true” to the JAVA_OPTS line as shown here:

set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here:

[...]
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true
[...]

Navigate to <STAGES_INSTALL_DIR>\bin and run reinstallService.bat.
Restart both the “Stages” and the “Stages Search” services either via the “Services” application or the respective “net stop” and “net start” commands.

IMPORTANT: the modifications must be made for both services to be fully protected!

Note

Please note that these configuration changes only mitigate the issue by disabling the vulnerable code in Stages V7. To fix the issue, we strongly recommend upgrading your instances to Stages 7.7.3.2 or 7.6.5.1.

Stages V6 still uses Log4J 1.x, which is only affected by this issue under very specific conditions. These conditions do not apply to the way Stages V6 uses Log4J, so the issue is not relevant for Stages V6.

Please contact the Stages customer care team via stages-support@methodpark.com in case you need further support or if you are not able to update your system configuration at this time.