CVE-2021-44228 Multiple eptos Releases Security Advisory – Apache Log4j2 not protected against attacker controlled LDAP and other JNDI related endpoints

Summary

CVE-2021-44228 – Apache Log4j2 <=2.14.1 not protected against attacker controlled LDAP and other JNDI related endpoints

Update Bulletin by 17.12.2021 15:00

Advisory Release Date: 9th December 2021
Products:
  • all eptos modules
  • eptos SearchEngine
Affected Releases:
  • eptos modules – all releases 5.3 – 6.1
  • eptos Search Engine 2.0 – 2.1
Fixed Releases:
  • eptos 6.1.1
  • Search Engine 2.1.1
CVE ID: CVE-2021-44228, CVE-2021-45046
Issue ID:
  • BASE-1388 – Vulnerability Log4Shell: Remote Code Execution on log4j2 – CVE-2021-44228 (RESOLVED)
  • BASE-1393 – Vulnerability Bug CVE-2021-44228 in Apache Log4j 2.15.0 (OPEN)

Further information:

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Overview

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true”.

Summary of Vulnerability

eptos core uses the affected Log4j2 2.14 starting from Release 6.1.

eptos APIs (starting from Release 6.0) use Spring Boot, which has a dependency on log4j-api 2.13; by default, however, the Log4j2 logging implementation is not enabled (reference).

Since eptos does not use JNDI lookups, Paradine recommends disabling message lookups (and with them the JNDI lookup) via the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true.

Disabling the lookup is a precautionary measure in case third-party libraries pull in Log4j2.

Software Fixes

  • eptos 6.0.1 updated to the unaffected release 2.15.0 of Log4j2
  • eptos 6.1.1 updated to the unaffected release 2.15.0 of Log4j2
  • eptos email collector 6.1.1 (latest, 2021) updated to the unaffected release 2.15.0 of Log4j2
  • eptos Search Engine 2.1.1 will be updated to the latest release 2.15.0 of Log4j2

What you need to do

  • Paradine recommends that you upgrade to the latest Long Term Support release eptos 6.1.1.
  • Paradine recommends that you upgrade to the latest Long Term Support release Search Engine 2.1.1.
  • Please consult your Solution Manager

Mitigation

For mitigation you can

  • change the startup parameters of the impacted releases by adding -Dlog4j2.formatMsgNoLookups=true where the JVM arguments are defined (e.g. in the eptos-config map or in the deployment of the pod itself)
  • restart the system
  • for microservices, the lasting fix is to install the new releases of the API containers
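As an added example (not Paradine's or Apache's tooling), the following POSIX shell check reads the log4j-core version from a jar file name, maps it to the Log4j2 CVEs covered on this page, and verifies that the stopgap JVM argument above is actually present in a JVM argument string. The jar path and JAVA_OPTS value are constructed sample input, and the 2.3.x/2.12.x back-port branches are simplified to mainline behaviour except for 2.12.3.

```shell
#!/bin/sh
# Added example, not Paradine or Apache tooling: classify a deployed log4j-core
# version against the three CVEs on this page and check a JVM argument string for
# the stopgap flag -Dlog4j2.formatMsgNoLookups=true. Simplification: 2.3.x/2.12.x
# back-port branches are treated like mainline, except 2.12.3 (named fixed above).

# vpart VERSION N -> numeric value of the N-th dotted component ("2.0-beta9" 2 -> 0).
vpart() { p=$(printf '%s' "$1" | cut -s -d. -f"$2"); p=${p%%[!0-9]*}; echo "${p:-0}"; }
# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B (first three components).
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(vpart "$1" "$i"); y=$(vpart "$2" "$i")
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# log4j_version_from_jar PATH -> version, e.g. /app/lib/log4j-core-2.14.1.jar -> 2.14.1
log4j_version_from_jar() { basename "$1" | sed -n 's/^log4j-core-\(.*\)\.jar$/\1/p'; }

# log4j_status VERSION -> the CVEs from this page that still apply, or "fixed".
log4j_status() {
  v="$1"
  [ "$(vercmp "$v" 2.0)" -lt 0 ] && { echo "log4j 1.x: not affected by these CVEs"; return; }
  if [ "$(vercmp "$v" 2.12.3)" -eq 0 ] || [ "$(vercmp "$v" 2.17.0)" -ge 0 ]; then
    echo "fixed"; return
  fi
  # <= 2.14.1: RCE via JNDI lookups plus the two follow-up issues
  [ "$(vercmp "$v" 2.14.1)" -le 0 ] && { echo "CVE-2021-44228 CVE-2021-45046 CVE-2021-45105"; return; }
  # 2.15.0: incomplete fix (CVE-2021-45046) plus the recursion DoS
  [ "$(vercmp "$v" 2.15.0)" -eq 0 ] && { echo "CVE-2021-45046 CVE-2021-45105"; return; }
  echo "CVE-2021-45105"   # 2.16.0: self-referential lookup recursion (DoS)
}

# has_nolookups_flag "JVM ARGS" -> exit 0 if the stopgap property is set to true.
has_nolookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample input: one container's log4j-core jar and its JVM arguments.
SAMPLE_JAR="/app/lib/log4j-core-2.14.1.jar"
SAMPLE_JAVA_OPTS="-Xmx2g -Dlog4j2.formatMsgNoLookups=true -Dspring.profiles.active=prod"
echo "$SAMPLE_JAR -> $(log4j_status "$(log4j_version_from_jar "$SAMPLE_JAR")")"
has_nolookups_flag "$SAMPLE_JAVA_OPTS" && echo "stopgap flag present" || echo "stopgap flag missing"
```

The flag check only confirms the precaution is in place; a version that still reports a CVE needs the fixed release regardless of the flag.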

Support

  • If you have questions or concerns regarding this advisory, contact support@paradine.at and add CVE-2021-44228 or CVE-2021-45046 to your issue description.

CVE-2021-45105 Multiple eptos™ Releases – Security Advisory – Apache Log4j2 <=2.17 did not protect from uncontrolled recursion from self-referential lookups.

Overview

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Summary

CVE-2021-45105 – Apache Log4j2 <=2.17 did not protect from uncontrolled recursion from self-referential lookups.

Log4j 1.x is not impacted by this vulnerability.

Update Bulletin by 22.12.2021 15:00

Advisory Release Date: 21st December 2021
Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Products:
  • all eptos modules
  • eptos SearchEngine
Affected Releases:
  • eptos modules – 6.1
  • eptos Search Engine 2.0 – 2.1, only if logging of the APIs has been turned on (default off)
Fixed Releases:
  • eptos 6.1.1
  • Search Engine 2.1.1
CVE ID: CVE-2021-45105
Issue ID:
  • BASE-1396 – Vulnerability Log4Shell: CVE-2021-45105 (RESOLVED)

Further information:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

Summary of Vulnerability

eptos core uses the affected Log4j2 2.16 starting from Release 6.1, i.e. after the fix for CVE-2021-44228 (see the advisory "CVE-2021-44228 Multiple eptos Releases Security Advisory – Apache Log4j2 not protected against attacker controlled LDAP and other JNDI related endpoints").

eptos APIs (starting from Release 6.0) use Spring Boot, which has a dependency on log4j-api; by default, however, the Log4j2 logging implementation is not enabled (reference), so there is no immediate impact.

Software Fixes

  • eptos 6.0.1 updated to the unaffected release 2.17.0 of Log4j2
  • eptos 6.1.1 updated to the unaffected release 2.17.0 of Log4j2
  • eptos email collector 6.1.1 (latest, 2021) updated to the unaffected release 2.17.0 of Log4j2
  • eptos Search Engine 2.1.1 will be updated to the latest release 2.17.0 of Log4j2

What you need to do

  • Paradine recommends that you upgrade to the latest Long Term Support release eptos 6.1.1.
  • Paradine recommends that you upgrade to the latest Long Term Support release Search Engine 2.1.1.
  • Please consult your Solution Manager

Mitigation

For mitigation you can

  • check that logging is not turned on for the APIs

Support

  • If you have questions or concerns regarding this advisory, contact support@paradine.at and add CVE-2021-45105 to your issue description.

CVE-2022-22965

Overview

Summary

CVE-2022-22965

Advisory Release Date
Products
Affected Releases
Fixed Releases
CVE ID
Issue ID

BASE-1456 – API vulnerability Spring4shell CVE-2022-22965 RESOLVED

Further information

Summary of Vulnerability

Blank

Software Fixes

Blank

What you need to do

Blank

Mitigation

Blank

Support

  • If you have questions or concerns regarding this advisory, contact support@paradine.at and add the CVE to your issue description.

CVE-2022-0778

Overview

Summary

CVE-2022-0778

Advisory Release Date
Products
Affected Releases
Fixed Releases
CVE ID
Issue ID

BASE-1455 – EC Vulnerability Bug libretls-3.3.4-r2 – High RESOLVED

Further information

Summary of Vulnerability

Blank

Software Fixes

Blank

What you need to do

Blank

Mitigation

Blank

Support

  • If you have questions or concerns regarding this advisory, contact support@paradine.at and add the CVE to your issue description.

Stay on the Lookout for Upcoming Webinars!

Don’t miss out on our next ECLASS and/or eCatCreator™ webinar!

We have published our webinar dates for Q3 and Q4 2022.

Go deep into the world of Material master data management, standardization, catalog data management, maintenance, spare parts management and many more topics!

What you can expect:

  • Interactive and professional presentations
  • Customer success stories and
  • Best practices examples
  • Q&A

Paradine is ECLASS Preferred Partner Platinum. Benefit from the expertise of our ECLASS experts!


All dates can be found here

More information about the content of our webinars as well as registration links can be found here (ECLASS) and here (eCatCreator).

Paradine @ BME eLösungstage 2022

After a two-year break due to corona, Paradine again offers the opportunity for personal exchange at the largest trade fair for eSOLUTIONS and ePROCUREMENT in Düsseldorf!

Visit us from May 31 – June 1, 2022 at Areal Böhler in Düsseldorf and talk to us about topics such as High Quality Master Data, Digitalization, Smart Manufacturing and Industry 4.0 Implementations.

For more details visit www.bme.de/eloesungstage.

You can also book a time slot for a personal appointment at the trade fair. To do so, contact info@paradine.at 

We look forward to meeting you at the eLösungstage in Düsseldorf!

Paradine Office Kiew – temporarily closed

Dear Customer / Dear Visitor,

Currently, the situation in Kyiv is unsafe and unpredictable. Therefore, Paradine Office Kiew is closed, and we are supporting all colleagues who live and work for our Kyiv organization in organizing a safe environment for themselves and their families.

Together with our local Ukraine management team we are continuously monitoring the situation carefully. Nevertheless, in the current situation we are not able to predict how the situation will affect current projects. Paradine puts all means and efforts in place to mitigate the impacts caused by this war.

If you have any questions, please do not hesitate to get in touch with our support team or contact us at info@paradine.at.

For everyone's sake, let's hope for a rapid de-escalation of the violence and that brighter times come soon.

Best regards,

Paradine GmbH, Vienna

eCatCreator™ Webinars >> new dates!

eCatCreator™ supports reliable electronic product data exchange. It enables users to create ECLASS-based electronic product descriptions quickly and easily. eCatCreator™ also fully supports the ECLASS engineering workflow. Please find the dates here.

We have moved!

We would like to inform you that we have moved. You can find us in the same building, staircase 1, 4th floor.
Our address remains unchanged: Technologiestraße 5, 1120 Vienna, Austria