general:secadv-2021-01 [2021/12/28 21:02] – emr | general:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1 |
---|
If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. | If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. |
| |
Update for log4j 2.17.0 vulnerability from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary. | Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary. |
| |
===== Resolution ===== | ===== Resolution ===== |
==== Linux ==== | ==== Linux ==== |
| |
Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/bin/rc.conf as shown here:<code> | Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/bin/rc.conf as shown here:<code> |
| |
CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true" | CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true" |
</code> | </code> |
| |
Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/elasticsearch/config/jvm.options as shown here: | Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/elasticsearch/config/jvm.options as shown here: |
| |
<code level1> | <code level1> |
==== Windows ==== | ==== Windows ==== |
| |
Start a command line interface with administrative permissions: | Start a command line interface with administrative permissions. |
| |
| |
Navigate to your Stages installation via the "cd" command. | Navigate to your Stages installation via the "cd" command. |
| |
Edit <STAGES_INSTALL_DIR>\//config.bat// and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS// as shown here:<code> | Edit <STAGES_INSTALL_DIR>\//config.bat// and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS// as shown here: |
| |
| <code -> |
set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true | set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true |
| |
</code> | </code> |
| |
Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here: | Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here: |
| |
<code> | <code -> |
[...] | [...] |
# log4j 2 | # log4j 2 |
-Dlog4j2.formatMsgNoLookups=true | -Dlog4j2.formatMsgNoLookups=true |
[...] | [...] |
| |
</code> | </code> |
| |
Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. \\ | Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. |
Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands. | Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands. |
| |
**IMPORTANT: it is necessary to perform the modifications on both services to be fully secure!** | **IMPORTANT: it is necessary to perform the modifications on both services to be fully secure!** |
| |
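One way to confirm on a Linux installation that the parameter is active for both services, as an added example that is not part of the original advisory or of Stages itself. The function names are hypothetical; the default file paths are the ones given in the Linux section above.

```shell
#!/bin/sh
# Added example: check that the log4j mitigation parameter is active in both
# configuration files named in this advisory. Function names are hypothetical.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# rc.conf: the parameter must be part of the last uncommented CONF_JAVA_OPTS
# assignment (a later assignment without it would override an earlier one).
rc_conf_has_flag() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?CONF_JAVA_OPTS=' "$1" 2>/dev/null |
        tail -n 1 |
        grep -qE -- '-Dlog4j2\.formatMsgNoLookups=true([^[:alnum:]]|$)'
}

# jvm.options: one option per line; lines starting with "#" are comments, so
# trim whitespace and require an exact, uncommented match.
jvm_options_has_flag() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" 2>/dev/null |
        grep -qxF -- "$FLAG"
}

# Report both files; return non-zero if either one lacks the parameter.
check_stages() {
    rc_file=${1:-/opt/stages/bin/rc.conf}
    jvm_file=${2:-/opt/stages/elasticsearch/config/jvm.options}
    missing=0
    if rc_conf_has_flag "$rc_file"; then
        echo "OK       Stages:        $rc_file"
    else
        echo "MISSING  Stages:        $rc_file"; missing=1
    fi
    if jvm_options_has_flag "$jvm_file"; then
        echo "OK       Elasticsearch: $jvm_file"
    else
        echo "MISSING  Elasticsearch: $jvm_file"; missing=1
    fi
    return "$missing"
}
```

Calling `check_stages` without arguments checks the default paths. A JVM reads these options only at start-up, so a running service uses the parameter only after it has been restarted.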
===== Note ===== | ===== Note ===== |