Security Advisory 2021-01 [LAST UPDATED 2021-12-28]

Summary

Resolution for the Apache Log4j 2 vulnerability described in CVE-2021-44228, also known as Log4Shell (called LogJam in some early reports)

Release Date

2021-12-13

Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28

Affected Versions

  • All 7.x versions before 7.6.5.1 and 7.7.3.2 (the currently recommended fixed releases are 7.5.7.2, 7.6.5.3, and 7.7.3.3, see Resolution)

To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x).

Description

A critical vulnerability has been found in the Apache Log4j 2 logging framework. This framework is used in the Stages Elasticsearch subsystem; the mitigation below therefore has to be applied to both the Stages service and the Elasticsearch service, each of which runs its own JVM.

As most Stages instances are not reachable from the public internet and access requires dedicated user credentials, the impact on Stages is lower than the original advisory suggests.

Our current analysis shows that it is not possible to exploit the vulnerability at this time in a standard Stages installation. None of the systems analyzed by Method Park by UL, including all Stages Cloud instances, showed any evidence of unauthorized usage. Please contact us for further information on how to analyze whether your system has been impacted.

If you see indications of unauthorized usage, please contact security-alerts@methodpark.com immediately.
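The following script is an added example and not part of this advisory or of Method Park's tooling. It greps text logs for the JNDI lookup strings that exploitation attempts against CVE-2021-44228 carry, including the common obfuscations that spread the letters of "jndi" over nested lookups, and extracts the hosts those lookups point at. The log directories are an assumption; the sample log lines used in the accompanying check are constructed. A hit shows that a payload reached a log statement, not that the lookup was resolved, so correlate the extracted hosts with outbound connection records from the Stages host before concluding that a system was compromised.

```shell
#!/bin/sh
# Added example, not part of the Method Park advisory: a first-pass scan of
# text logs for the JNDI lookup strings that CVE-2021-44228 exploitation
# attempts carry. Where Stages and Elasticsearch write their logs is an
# assumption here; pass your installation's log directories as arguments.
set -u

# Direct "${jndi:" plus the common obfuscations that spread the letters of
# "jndi" over nested lookups such as "${${lower:j}ndi:" or
# "${${::-j}${::-n}${::-d}${::-i}:". Matching is case-insensitive because
# Log4j lookup names are. Tuned for triage, so expect the odd false positive.
JNDI_RE='[$][{].{0,40}j.{0,20}n.{0,20}d.{0,20}i.{0,20}:'

# Print every matching line of one log file as "file:lineno:line".
# Exit status 0 if there was at least one hit, 1 otherwise.
scan_log_file() {
    grep -inHE -- "$JNDI_RE" "$1"
}

# Number of matching lines in one log file (0 on a clean or missing file).
count_jndi_hits() {
    n=$(grep -ciE -- "$JNDI_RE" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# The scheme://host:port targets named in the hits, de-duplicated. These are
# the servers a vulnerable JVM would have contacted; compare them with your
# egress/firewall logs to tell an attempt from a successful lookup.
jndi_targets() {
    grep -iE -- "$JNDI_RE" "$1" \
        | grep -ioE -- '(ldaps?|rmi|dns|iiop)://[^/ "}]+' \
        | sort -u
}

# Scan every *.log* file (rotated copies included; use zgrep separately for
# gzipped ones) below the given directories. Prints all hits, exit 1 if none.
scan_log_dirs() {
    hits=$(find "$@" -type f -name '*.log*' -exec grep -inHE -- "$JNDI_RE" {} + 2>/dev/null)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Usage (paths are assumptions): sh scan_jndi.sh /opt/stages/logs /opt/stages/elasticsearch/logs
# Top-level work only runs when directories are given, so the functions above
# can also be sourced and exercised against constructed sample logs.
if [ $# -gt 0 ]; then
    scan_log_dirs "$@" || echo "no JNDI lookup strings found under: $*"
fi
```

The regular expression deliberately tolerates up to 40 characters of nested lookup syntax between "${" and the first letter of "jndi", which is what catches the obfuscated variants; tighten the bounds if a particular log format produces too many false positives.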

Update from 2021-12-28 regarding CVE-2021-44832 (RCE in Log4j 2.17.0 and earlier, which requires a JDBC Appender configured with a JNDI data source URI that the attacker controls): Stages does not use Log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. No updates or other mitigations are necessary.

Resolution

If you run Stages on premise, upgrade to version 7.7.3.3, 7.6.5.3, or 7.5.7.2. If you still run version 7.0, 7.1, 7.2, 7.3, or 7.4, we strongly recommend upgrading to 7.6 or 7.7.

Instructions on how to obtain and install those releases have been sent to all customers. If you did not receive the release notification, please contact the Stages customer care team via stages-support@methodpark.com.

The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.

Mitigation

If you cannot upgrade your server instances immediately, apply the following configuration changes as a mitigation:

Linux

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” to the CONF_JAVA_OPTS line in /opt/stages/bin/rc.conf as shown here:

CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” as a separate line in the “# log4j 2” section of /opt/stages/elasticsearch/config/jvm.options as shown here:

[...]
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true
[...]

Restart Stages via “stages restart” or “sudo stages restart”
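The script below is an added example and not Method Park's own tooling. It applies the two Linux edits above idempotently (the rc.conf line and the jvm.options entry), keeps a backup of rc.conf, and offers a verification step that checks both files and, after “stages restart”, both running JVMs. The file paths default to the locations named in this advisory; the ability to override them through the environment and the “apply”/“verify” command words are assumptions made here so the script can first be tried on copies.

```shell
#!/bin/sh
# Added example, not Method Park's own tooling: apply the Linux mitigation
# from this advisory idempotently and verify it. The two paths default to the
# locations the advisory names; overriding them via the environment is an
# assumption made here so the functions can be tried on copies first.
set -eu

FLAG='-Dlog4j2.formatMsgNoLookups=true'
RC_CONF="${RC_CONF:-/opt/stages/bin/rc.conf}"
JVM_OPTIONS="${JVM_OPTIONS:-/opt/stages/elasticsearch/config/jvm.options}"

# Append FLAG inside the quoted CONF_JAVA_OPTS="..." value of rc.conf unless
# it is already there. A .bak copy of the original is kept next to the file.
add_flag_to_rc_conf() {
    f="$1"
    if grep -q -- "$FLAG" "$f"; then
        return 0
    fi
    sed -i.bak "s|^\(CONF_JAVA_OPTS=\"[^\"]*\)\"|\1 $FLAG\"|" "$f"
    grep -q -- "$FLAG" "$f" || { echo "no CONF_JAVA_OPTS line found in $f" >&2; return 1; }
}

# Add FLAG as its own line to jvm.options, directly after the existing
# -Dlog4j2.disable.jmx=true entry of the "# log4j 2" section when that entry
# exists, otherwise at the end of the file.
add_flag_to_jvm_options() {
    f="$1"
    if grep -qx -- "$FLAG" "$f"; then
        return 0
    fi
    if grep -qx -- '-Dlog4j2.disable.jmx=true' "$f"; then
        awk -v flag="$FLAG" '{ print } $0 == "-Dlog4j2.disable.jmx=true" { print flag }' "$f" > "$f.tmp"
        cat "$f.tmp" > "$f"   # overwrite in place to keep inode and permissions
        rm -f "$f.tmp"
    else
        printf '%s\n' "$FLAG" >> "$f"
    fi
}

# Report whether every given file carries FLAG; exit status 0 only if all do.
check_config_files() {
    rc=0
    for f in "$@"; do
        if grep -q -- "$FLAG" "$f" 2>/dev/null; then
            echo "OK       $f"
        else
            echo "MISSING  $f"
            rc=1
        fi
    done
    return "$rc"
}

# After "stages restart" both the Stages JVM and the Elasticsearch JVM must
# show FLAG on their command line (Elasticsearch's launcher passes jvm.options
# entries as JVM arguments). Prints the matching processes, exit 1 if none.
check_running_jvms() {
    pgrep -af java 2>/dev/null | grep -- "$FLAG"
}

# Top-level work only runs on an explicit command word, so the functions can
# also be sourced and exercised against copies of the configuration files.
if [ "${1:-}" = "apply" ]; then
    add_flag_to_rc_conf "$RC_CONF"
    add_flag_to_jvm_options "$JVM_OPTIONS"
    check_config_files "$RC_CONF" "$JVM_OPTIONS"
    echo "now run: stages restart   (then: sh $0 verify)"
elif [ "${1:-}" = "verify" ]; then
    check_config_files "$RC_CONF" "$JVM_OPTIONS" && check_running_jvms
fi
```

Expect two java processes in the output of the verify step, one for Stages and one for Elasticsearch; if only one shows the flag, the other service is still running with its old options. Where pgrep is unavailable, “jcmd <pid> VM.system_properties” on each JVM will list the property as well.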

Windows

Start a command line interface with administrative permissions.

Navigate to your Stages installation via the “cd” command.

Edit <STAGES_INSTALL_DIR>\config.bat and add the parameter “-Dlog4j2.formatMsgNoLookups=true” to the JAVA_OPTS line as shown here:

set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true

Add the parameter “-Dlog4j2.formatMsgNoLookups=true” as a separate line in the “# log4j 2” section of <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here:

[...]
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true
[...]

Navigate to <STAGES_INSTALL_DIR>\bin and run reinstallService.bat.

Restart both the “Stages” and the “Stages Search” services either via the “Services” application or the respective “net stop” and “net start” commands.

IMPORTANT: the “Stages” and “Stages Search” services each run their own JVM with their own copy of Log4j 2, so the modification has to be made for both of them. Changing only one leaves the other unmitigated.

Note

Please note that these configuration changes only mitigate the issue by disabling message lookups in the Log4j 2 versions shipped with Stages V7; the vulnerable code itself remains installed. The log4j2.formatMsgNoLookups property is only honoured by Log4j 2.10 and later, and the Apache project has since rated it an incomplete mitigation for certain non-default logging configurations (CVE-2021-45046). To fix the issue, we strongly recommend upgrading your instances to Stages 7.7.3.3, 7.6.5.3, or 7.5.7.2.

Stages V6 still uses Log4j 1.x, which does not contain the message-lookup code behind CVE-2021-44228. The related Log4j 1.x issue (CVE-2021-4104) only applies under very special conditions, namely a JMSAppender configuration that an attacker can control. These conditions do not apply to the way Log4j is used in Stages V6, so the issue is not relevant there.

Please contact the Stages customer care team via stages-support@methodpark.com in case you need further support or if you are not able to update your system configuration at this time.