Knowledge Base 3612: Zero Day Gap | Log4j compromises Intrexx (status 01/12/2022)
On Friday, December 10, 2021, a critical zero-day security vulnerability became known in a component (Log4J) that is also used in Intrexx. Since then, our technicians have been investigating the disclosed gaps and analyzing their impact on the security of Intrexx. Since the first report, other related attack scenarios have become known, which we also include in our analysis. We at United Planet always have our ear to the ground on the relevant news channels in order to be able to react as quickly as possible.

The following analysis is based on the vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832, as well as the state of knowledge as of 01/04/2022 - 09:00 AM.

Log4J version 1.x is used in Intrexx versions 18.03 and older.
For these versions, there is no danger at all, unless you have manually adjusted the logging configuration and thereby activated the described lookup mechanism yourself. In its delivery state, Intrexx is not vulnerable to the security vulnerabilities that have become known so far.

In Intrexx versions 19.03 and newer, Log4J 2.x is used.
The attack originally described in CVE-2021-44228 can be carried out here given knowledge of the entries in the classpath. For this reason, we provided online updates for these versions on 12/13/2021 that deliver Log4J version 2.15.0.

Following the disclosure of CVE-2021-45046, the Apache Foundation released a further version, 2.16.0, of Log4J. This vulnerability is not exploitable with Intrexx, as long as the corresponding options have not been added manually in the configuration. Nevertheless, we decided to deliver another online update on 12/20/2021, since many companies use automatic scanners to detect malicious libraries. Without the update, such a scanner would also flag Intrexx as potentially insecure.

The same applies to CVE-2021-45105: Intrexx is not affected by it either. Nevertheless, we delivered an online update with the new Log4J version 2.17.0 for our customers on 12/20/2021 to counteract any uncertainty.

The security vulnerability CVE-2021-44832 is not relevant for the operation of Log4J in Intrexx, as exploitation is only possible if access to the configuration files of Log4J is available. An update to version 2.17.1 is not necessary. This will nevertheless be delivered in one of the upcoming online updates.

What to do now?
The online updates for the Intrexx versions 19.03, the Steady Track, as well as the Silent Track, which we published on 12/20/2021, close this gap without any further changes being necessary. As long as you have applied the current online updates and have not manually added any options in the configuration, there is no risk to your system.

How can you verify that you are using a secure system?
For Intrexx 19.03, the current online update 2508 applies.
For Intrexx 21.03, the current online update 0907 applies.
For Intrexx Steady Track, the current setup 10.3.0.20211220.225863 applies.

Info:
The version number of the Steady Track can be found in the installation directory, which must contain, among other files, the file 10.3.0.20211220.225863.version.
If the Portal Manager has the same version as the server, you can find the information there as well: "Help" tab, "About Intrexx Portal Manager" menu item.

If you are using the Portable Manager of the Intrexx version Silent Track (21.03), you must obtain the latest version ("latest" or at least OU-0907) of the Portable Manager and replace the existing Portable Manager. If you are using the Portable Manager of the Intrexx version Steady Track, this is not necessary, provided the current online update has already been installed.

What should be done if the online updates cannot be installed promptly?
To close the gap manually without an online update, a Java Additional Parameter must be added to each of the system files listed below. Please make sure that you edit these files only with a UTF-8-capable editor (such as Notepad++). After the adjustments, the affected services (Portal, Supervisor and Solr) must be restarted.

Please proceed as follows:

1) <portal>/internal/cfg/portal.wcf
Add the following Java Additional Parameter to portal.wcf, replacing X with the next number in the consecutive numbering; see also the image portal.wcf.png.

wrapper.java.additional.X=-Dlog4j2.formatMsgNoLookups=true


2) <installation>/cfg/supervisor.wcf
Add the following Java Additional Parameter to supervisor.wcf, replacing X with the next number in the consecutive numbering; see also the image supervisor.wcf.png.

wrapper.java.additional.X=-Dlog4j2.formatMsgNoLookups=true


3) <installation>/cfg/solr.wcf
Add the following Java Additional Parameter to solr.wcf, replacing X with the next number in the consecutive numbering; see also the image solr.wcf.png.

wrapper.java.additional.X=-Dlog4j2.formatMsgNoLookups=true


4) Now restart the affected services (portal, supervisor and solr).
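
The manual edit from steps 1) to 3), scripted as an added example (not United Planet's own tooling): it finds the highest active wrapper.java.additional.N entry, appends the parameter under the next number, and refuses to touch a file that is not valid UTF-8. It assumes JVM options appear as uncommented wrapper.java.additional.N=... lines; the sample content is constructed, and the file paths are passed on the command line.

```python
from __future__ import annotations
import re
import sys
from pathlib import Path

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Active (uncommented) entries, e.g. wrapper.java.additional.7=-Xms256m
ENTRY = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")

# Constructed sample, not the content of a real Intrexx .wcf file.
SAMPLE = (
    "# constructed sample\n"
    "wrapper.java.additional.1=-Dfile.encoding=UTF-8\n"
    "wrapper.java.additional.2=-Xms256m\n"
    "#wrapper.java.additional.9=-Dexample=off\n"
    "wrapper.java.maxmemory=1024\n"
)

def add_no_lookups(text: str) -> tuple[str, bool]:
    """Return (new_text, changed); text that already sets the flag is returned as-is."""
    newline = "\r\n" if "\r\n" in text else "\n"   # keep the file's line endings
    lines = text.splitlines()
    highest, last_idx = 0, None
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if m is None:
            continue                               # comments and other keys are ignored
        if m.group(2) == FLAG:
            return text, False                     # idempotent: nothing to do
        highest, last_idx = max(highest, int(m.group(1))), i
    # Insert directly after the last active entry, or at the end if there is none.
    pos = len(lines) if last_idx is None else last_idx + 1
    lines.insert(pos, f"wrapper.java.additional.{highest + 1}={FLAG}")
    return newline.join(lines) + newline, True

def patch_file(path: Path) -> bool:
    """Patch one .wcf file in place, keeping a .bak copy; returns True if it was changed."""
    raw = path.read_bytes()
    text = raw.decode("utf-8")                     # raises instead of corrupting non-UTF-8 files
    new_text, changed = add_no_lookups(text)
    if changed:
        path.with_name(path.name + ".bak").write_bytes(raw)
        path.write_bytes(new_text.encode("utf-8"))
    return changed

if __name__ == "__main__":
    for name in sys.argv[1:]:                      # e.g. the three .wcf paths from steps 1) to 3)
        print(name, "patched" if patch_file(Path(name)) else "flag already present")
```

Running it a second time leaves the files unchanged; the services still have to be restarted as described in step 4).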

Attachment:

Intrexx Version:

  • SteadyTrack
  • SilentTrack
  • 19.03

Details:

Category: Security
Operating system: unspecific
Database: unspecific
As of: 03-07-2023