Differences

This shows you the differences between two versions of the page.

--- general:secadv-2021-01 [2021/12/22 13:26] – emr
+++ general:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Security Advisory 2021-01 [UPDATED] ======
+====== Security Advisory 2021-01 [LAST UPDATED 2021-12-28] ======
 ===== Summary =====
@@ Line 8: / Line 8: @@
 -12-13
-Updated to announce fixed software versions on 2021-12-16 and 2021-12-22
+Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28
 ===== Affected Versions =====
@@ Line 25: / Line 25: @@
 If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.
+Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary.
 ===== Resolution =====
@@ Line 40: / Line 42: @@
 ==== Linux ====
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/bin/rc.conf</font> as shown here:<code>
+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/bin/rc.conf as shown here:<code>
 CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"
@@ Line 46: / Line 48: @@
 </code>
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/elasticsearch/config/jvm.options</font> as shown here:
+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/elasticsearch/config/jvm.options as shown here:
 <code level1>
@@ Line 63: / Line 65: @@
 ==== Windows ====
-Start a command line interface with administrative permissions:
+Start a command line interface with administrative permissions.
-[[https://doc.stagesasaservice.com/lib/exe/fetch.php?tok=d23ece&media=https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png|{{  https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?direct&600x359  }}]]
 Navigate to your Stages installation via the "cd" command.
-Edit <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\</font>//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:<code>
+Edit <STAGES_INSTALL_DIR>\//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:
+<code ->
 set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true
 </code>
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\elasticsearch\config\</font>jvm.options as shown here:
+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here:
-<code>
+<code ->
 [...]
 # log4j 2
@@ Line 84: / Line 84: @@
 -Dlog4j2.formatMsgNoLookups=true
 [...]
 </code>
-Navigate to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.</font> \\
+Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.
 Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands.
-**<font inherit/inherit;;#c0392b;;inherit>IMPORTANT:</font> it is necessary to perform the modifications on both services to be fully secure! **
+**IMPORTANT: it is necessary to perform the modifications on both services to be fully secure! **
 ===== Note =====