Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
general:secadv-2021-01 [2021/12/22 13:25] emrgeneral:secadv-2021-01 [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== Security Advisory 2021-01 [UPDATED] ======+====== Security Advisory 2021-01 [LAST UPDATED 2021-12-28] ======
  
 ===== Summary ===== ===== Summary =====
Line 8: Line 8:
 2021-12-13 2021-12-13
  
-Updated to announce fixed software versions on 2021-12-16 and 2021-12-22+Updated to announce fixed software versions on 2021-12-18, 2021-12-22, and 2021-12-28
  
 ===== Affected Versions ===== ===== Affected Versions =====
Line 25: Line 25:
  
 If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately. If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.
 +
 +Update for log4j 2.17.0 vulnerability RCE CVE-2021-44832 from 2021-12-28: Stages does not use log4j in the described configuration, so neither Stages nor Elasticsearch can be exploited through this vulnerability. There are no updates or other mitigations necessary.
  
 ===== Resolution ===== ===== Resolution =====
Line 33: Line 35:
  
 The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service. The issue has already been resolved on all Stages Cloud instances. There is no further action required for customers that use Stages Cloud / Stages as a Service.
 +
 +===== Mitigation =====
  
 If you are unable to upgrade your server instances immediately, please perform the following updates for mitigation to your configuration: If you are unable to upgrade your server instances immediately, please perform the following updates for mitigation to your configuration:
Line 38: Line 42:
 ==== Linux ==== ==== Linux ====
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/bin/rc.conf</font> as shown here:<code>+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/bin/rc.conf as shown here:<code>
  
 CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true" CONF_JAVA_OPTS="-Dsun.net.inetaddr.ttl=30 -Xrs -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"
Line 44: Line 48:
 </code> </code>
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font inherit/Courier New,Courier,monospace;;inherit;;inherit>/opt/stages/elasticsearch/config/jvm.options</font> as shown here:+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to /opt/stages/elasticsearch/config/jvm.options as shown here:
  
 <code level1> <code level1>
Line 61: Line 65:
 ==== Windows ==== ==== Windows ====
  
-Start a command line interface with administrative permissions+Start a command line interface with administrative permissions.
- +
-[[https://doc.stagesasaservice.com/lib/exe/fetch.php?tok=d23ece&media=https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png|{{  https://doc.stagesasaservice.com/lib/plugins/ckgedit/fckeditor/userfiles/image/general/cmdadministrative.png?direct&600x359  }}]]+
  
 Navigate to your Stages installation via the "cd" command. Navigate to your Stages installation via the "cd" command.
  
-Edit <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\</font>//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:<code>+Edit <STAGES_INSTALL_DIR>\//config.bat//  and add the parameter "-Dlog4j2.formatMsgNoLookups=true" to the line //JAVA_OPTS as shown here//:
  
 +<code ->
 set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true set JAVA_OPTS=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Xrs -Dsun.net.inetaddr.ttl=30 -Dlog4j2.formatMsgNoLookups=true
- 
 </code> </code>
  
-Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\elasticsearch\config\</font>jvm.options as shown here:+Add the parameter "-Dlog4j2.formatMsgNoLookups=true" to <STAGES_INSTALL_DIR>\elasticsearch\config\jvm.options as shown here:
  
-<code>+<code ->
 [...] [...]
 # log4j 2 # log4j 2
Line 82: Line 84:
 -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true
 [...] [...]
- 
 </code> </code>
  
-Navigate to <font 11.0pt/inherit;;inherit;;inherit><STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//.</font> \\+Navigate to <STAGES_INSTALL_DIR>\bin and run //reinstallService.bat//. 
 Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands. Restart both the "Stages" and the "Stages Search" services either via the "Services" application or the respective "net stop" and "net start" commands.
  
-**<font inherit/inherit;;#c0392b;;inherit>IMPORTANT:</font> it is necessary to perform the modifications on both services to be fully secure! **+**IMPORTANT: it is necessary to perform the modifications on both services to be fully secure! ** 
  
 ===== Note ===== ===== Note =====