You are viewing an old version of this page. Return to the latest version.
Difference between revisions of "Announcement/Log4Shell"
(Tag: Visual edit) |
(Tag: 2017 source edit) |
Contents
Event[edit | edit source]
Log4j vulnerability
Current vulnerability assessment in BlueSpice (overview)[edit | edit source]
-
BlueSpice free, pro, farm:
- Current on-premise installations are => not affected.
- In older Older on-premise installations, the => version of Elasticsearch could be affected.vulnerable
- The Docker version is => not affected.
- BlueSpice Cloud is => not affected.
This is true for instances that we have installed. Customers have to check their part of the installation (i.e., OS, additional packages, etc.)
Inspected components in BlueSpiceDetailed assessment[edit | edit source]
Current version[edit | edit source]
-
ElasticSearch Elasticsearch => ElasticSearch reports that they are not affected: not vulnerable
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476No code-red alert, but we keep an eye on it. => not vulnerable -
Java-Server
- Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
- Jetty => explicit configuration of jetty is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
-
Java Webservices
- xhtmlrenderer => a log4j plugin exists, but is not used by our service => not vulnerable
- VisualDiff => uses daisydiff + others. Does not use log4j => not vulnerable
- LaTeX2png => uses the jlatexmath library. Does not use log4j => not vulnerable
-
Draw.io reports that the appication is not affected:
https://twitter.com/drawio/status/1470061320066277382 => not vulnerable
Older versions of BlueSpice 3[edit | edit source]
-
Elasticsearch => not vulnerable
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476- Versions 6.8.9+ (released on 13th May 2020) => not vulnerable
-
Version 6.4.0 - 6.8.8: Vulnerable. A configuration change and server restart has to be applied. => vulnerableUpdate of Elasticsearch is recommended.
=> not vulnerable (updating the version during the next BlueSpice update is recommended)
=> vulnerable outside of BlueSpice -
Versions 6.3.x and below: Update of ElasticSearch Elasticsearch is required. Please contact our support. recommended.
=> not vulnerable (updating the version during the next BlueSpice update is recommended)
=> vulnerable outside of BlueSpice
Independently of the Elasticsearch version in use, BlueSpice is not vulnerable due to the setup of Elasticsearch:
- No direct access: BlueSpice uses Elasticsearch as an internal service. We set up Elasticsearch in such a way that there cannot be any direct access. The only way to access Elasticsearch if you are not working directly on the server is through BlueSpice, which means there is a very controlled set of access vectors. These are search queries and content which is to be indexed.
- No logging of data: We use log level WARN on Elasticsearch, which means no data can find its way to the logs. So there is no way an attacker can add custom information to the logs.
No pass-through of user data: All communication between BlueSpice and Elasticsearch is done user-agnostic. There is no way Elasticsearch can see which user triggers the communication. The user-agent is restricted to the BlueSpice system user.
This is true even if you are running on an older, vulnerable version of Elasticsearch. So we see no urgent action required. Nonetheless, it is recommended to update your Elasticsearch to a non-vulnerable version with the next update of BlueSpice.
If you have changed the Elasticsearch setup to a different log level or loosened the restrictions on Elasticsearch access, you have to check the setup.
BlueSpice 2[edit | edit source]
-
Solr uses log4j . Currently no mitigation available. Disable Solr search.=> vulnerable
More information on Mitigation is here:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Inspected components in the Docker image[edit | edit source]
The list of Docker files in the activated packages has been inspected. => not vulnerable
BlueSpice Cloud[edit | edit source]
- Swarmpit => not affected
- Drone => not affected
Related links[edit | edit source]
- https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html
- https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
- https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
==Event==
Log4j vulnerability
*https://nvd.nist.gov/vuln/detail/CVE-2021-44228
*[https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf;jsessionid=95F784B3CFE46DE89B51FC06804C4AEA.internet081 BSI warning from 12/12/2021 (CVE-2021-44228)]
==Current vulnerability assessment in BlueSpice (overview)==
*BlueSpice free, pro, farm:
**[[#Detailed assessment|Current on-premise installations are]] => <span class="col-turquoise">'''not affected'''</span>.
**In older on-premise installations, the
**[[#Older versions of BlueSpice 3|Older on-premise installations]] => <span class="col-red">'''version of Elasticsearch could be affectedvulnerable'''</span>.
**The Docker version is
**[[#Inspected components in the Docker image|The Docker version]] => <span class="col-turquoise">'''not affected'''</span>.
*BlueSpice Cloud is
*[[#BlueSpice Cloud|BlueSpice Cloud]] => <span class="col-turquoise ve-pasteProtect">'''not affected'''</span>.
This is true for instances that we have installed. <span class="col-red">'''Customers have to check their part of the installation'''</span> (i.e., OS, additional packages, etc.)
==Inspected components in BlueSpice==
===Current version===
*'''ElasticSearch''' => ElasticSearch reports that they are not affected: Detailed assessment==
===Current version===
*'''Elasticsearch''' => <span class="col-turquoise">'''not vulnerable'''</span><br />https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
<br />No code-red alert, but we keep an eye on it. => <span class="col-turquoise">'''not vulnerable'''</span>
*'''Java-Server'''
**Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
**Jetty => explicit configuration of jetty is necessary. By default, log4j is not activated. We do not change this. => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
*'''Java Webservices'''
**xhtmlrenderer => a log4j plugin exists, but is not used by our service => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
**VisualDiff => uses daisydiff + others. Does not use log4j => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
**LaTeX2png => uses the jlatexmath library. Does not use log4j => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
*'''Draw.io''' reports that the appication is not affected: <br />https://twitter.com/drawio/status/1470061320066277382 => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
===Older versions of BlueSpice 3===
*'''Elasticsearch''' => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span><br />https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
**'''Versions 6.8.9+ ('''released on 13th May 2020) => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
**'''Version 6.4.0 - 6.8.8''': Vulnerable. A configuration change and server restart has to be applied. => '''<span class="col-red">vulnerableUpdate of Elasticsearch is recommended. <br /><span style="color: rgb(51, 51, 51)">=></span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not vulnerable'''</span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''(updating the version during the next BlueSpice update is recommended)'''</span> <br /><span style="color: rgb(51, 51, 51)">=></span> '''<span class="col-red ve-pasteProtect" style="color: rgb(183, 58, 58)">vulnerable outside of BlueSpice</span>'''
**'''Versions 6.3.x and below''': Update of ElasticSearch Elasticsearch is required. Please contact our support. => '''<span class="col-red ve-pasteProtect">vulnerable</span>'''
recommended. <br /><span class="ve-pasteProtect" style="color: rgb(51, 51, 51)" data-ve-attributes="{"style":"color: rgb(51, 51, 51)"}">=></span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)" data-ve-attributes="{"style":"color: rgb(37, 149, 150)"}">'''not vulnerable'''</span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)" data-ve-attributes="{"style":"color: rgb(37, 149, 150)"}">'''(updating the version during the next BlueSpice update is recommended)'''</span> <br /><span class="ve-pasteProtect" style="color: rgb(51, 51, 51)" data-ve-attributes="{"style":"color: rgb(51, 51, 51)"}">=></span> '''<span class="col-red ve-pasteProtect" style="color: rgb(183, 58, 58)" data-ve-attributes="{"style":"color: rgb(183, 58, 58)"}">vulnerable outside of BlueSpice</span>'''
Independently of the Elasticsearch version in use, BlueSpice is not vulnerable due to the setup of Elasticsearch:
*'''No direct access:''' BlueSpice uses Elasticsearch as an internal service. We set up Elasticsearch in such a way that there cannot be any direct access. The only way to access Elasticsearch if you are not working directly on the server is through BlueSpice, which means there is a very controlled set of access vectors. These are search queries and content which is to be indexed.
*'''No logging of data:''' We use log level WARN on Elasticsearch, which means no data can find its way to the logs. So there is no way an attacker can add custom information to the logs.
No pass-through of user data: All communication between BlueSpice and Elasticsearch is done user-agnostic. There is no way Elasticsearch can see which user triggers the communication. The user-agent is restricted to the BlueSpice system user.
This is true even if you are running on an older, vulnerable version of Elasticsearch. So we see no urgent action required. Nonetheless, it is recommended to update your Elasticsearch to a non-vulnerable version with the next update of BlueSpice.
If you have changed the Elasticsearch setup to a different log level or loosened the restrictions on Elasticsearch access, you have to check the setup.
===BlueSpice 2===
*Solr uses log4j. Currently no mitigation available. Disable Solr search. => '''<span class="col-red ve-pasteProtect">vulnerable</span>''' <br />More information on Mitigation is here: <br />https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
===Inspected components in the Docker image===
The list of Docker files in the activated packages has been inspected. => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span>
*https://security-tracker.debian.org/tracker/CVE-2021-44228
===<span class="mw-headline" id="BlueSpice_Cloud" style="box-sizing: inherit;">BlueSpice Cloud</span>===
*Swarmpit => <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not affected'''</span>
*Drone => <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not affected'''</span>
<br />
==Related links==
*https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html
*https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
*https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
<br />
[[de:Meldung/Log4Shell]]
[[en:{{FULLPAGENAME}}]]| (7 intermediate revisions by one other user not shown) | |||
| Line 9: | Line 9: | ||
*BlueSpice free, pro, farm: | *BlueSpice free, pro, farm: | ||
| − | **Current on-premise installations | + | **[[#Detailed assessment|Current on-premise installations]] => <span class="col-turquoise">'''not affected'''</span> |
| − | ** | + | **[[#Older versions of BlueSpice 3|Older on-premise installations]] => <span class="col-red">'''version of Elasticsearch could be vulnerable'''</span> |
| − | **The Docker version | + | **[[#Inspected components in the Docker image|The Docker version]] => <span class="col-turquoise">'''not affected'''</span> |
| − | *BlueSpice Cloud | + | *[[#BlueSpice Cloud|BlueSpice Cloud]] => <span class="col-turquoise ve-pasteProtect">'''not affected'''</span> |
This is true for instances that we have installed. <span class="col-red">'''Customers have to check their part of the installation'''</span> (i.e., OS, additional packages, etc.) | This is true for instances that we have installed. <span class="col-red">'''Customers have to check their part of the installation'''</span> (i.e., OS, additional packages, etc.) | ||
| − | == | + | ==Detailed assessment== |
===Current version=== | ===Current version=== | ||
| − | *''' | + | *'''Elasticsearch''' => <span class="col-turquoise">'''not vulnerable'''</span><br />https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 |
*'''Java-Server''' | *'''Java-Server''' | ||
**Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span> | **Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span> | ||
| Line 32: | Line 32: | ||
===Older versions of BlueSpice 3=== | ===Older versions of BlueSpice 3=== | ||
| − | *'''Elasticsearch'''<br />https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 | + | *'''Elasticsearch''' => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span><br />https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 |
**'''Versions 6.8.9+ ('''released on 13th May 2020) => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span> | **'''Versions 6.8.9+ ('''released on 13th May 2020) => <span class="col-turquoise ve-pasteProtect">'''not vulnerable'''</span> | ||
| − | **'''Version 6.4.0 - 6.8.8''': | + | **'''Version 6.4.0 - 6.8.8''': Update of Elasticsearch is recommended. <br /><span style="color: rgb(51, 51, 51)">=></span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not vulnerable'''</span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''(updating the version during the next BlueSpice update is recommended)'''</span> <br /><span style="color: rgb(51, 51, 51)">=></span> '''<span class="col-red ve-pasteProtect" style="color: rgb(183, 58, 58)">vulnerable outside of BlueSpice</span>''' |
| − | **'''Versions 6.3.x and below''': Update of | + | **'''Versions 6.3.x and below''': Update of Elasticsearch is recommended. <br /><span class="ve-pasteProtect" style="color: rgb(51, 51, 51)" data-ve-attributes="{"style":"color: rgb(51, 51, 51)"}">=></span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)" data-ve-attributes="{"style":"color: rgb(37, 149, 150)"}">'''not vulnerable'''</span> <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)" data-ve-attributes="{"style":"color: rgb(37, 149, 150)"}">'''(updating the version during the next BlueSpice update is recommended)'''</span> <br /><span class="ve-pasteProtect" style="color: rgb(51, 51, 51)" data-ve-attributes="{"style":"color: rgb(51, 51, 51)"}">=></span> '''<span class="col-red ve-pasteProtect" style="color: rgb(183, 58, 58)" data-ve-attributes="{"style":"color: rgb(183, 58, 58)"}">vulnerable outside of BlueSpice</span>''' |
| + | |||
| + | Independently of the Elasticsearch version in use, BlueSpice is not vulnerable due to the setup of Elasticsearch: | ||
| + | |||
| + | *'''No direct access:''' BlueSpice uses Elasticsearch as an internal service. We set up Elasticsearch in such a way that there cannot be any direct access. The only way to access Elasticsearch if you are not working directly on the server is through BlueSpice, which means there is a very controlled set of access vectors. These are search queries and content which is to be indexed. | ||
| + | *'''No logging of data:''' We use log level WARN on Elasticsearch, which means no data can find its way to the logs. So there is no way an attacker can add custom information to the logs. | ||
| + | |||
| + | No pass-through of user data: All communication between BlueSpice and Elasticsearch is done user-agnostic. There is no way Elasticsearch can see which user triggers the communication. The user-agent is restricted to the BlueSpice system user. | ||
| + | |||
| + | This is true even if you are running on an older, vulnerable version of Elasticsearch. So we see no urgent action required. Nonetheless, it is recommended to update your Elasticsearch to a non-vulnerable version with the next update of BlueSpice. | ||
| + | |||
| + | If you have changed the Elasticsearch setup to a different log level or loosened the restrictions on Elasticsearch access, you have to check the setup. | ||
===BlueSpice 2=== | ===BlueSpice 2=== | ||
| − | *Solr uses log4j. | + | *Solr uses log4j => '''<span class="col-red ve-pasteProtect">vulnerable</span>''' <br />More information on Mitigation is here: <br />https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 |
===Inspected components in the Docker image=== | ===Inspected components in the Docker image=== | ||
| Line 45: | Line 56: | ||
*https://security-tracker.debian.org/tracker/CVE-2021-44228 | *https://security-tracker.debian.org/tracker/CVE-2021-44228 | ||
| + | |||
| + | ===<span class="mw-headline" id="BlueSpice_Cloud" style="box-sizing: inherit;">BlueSpice Cloud</span>=== | ||
| + | |||
| + | *Swarmpit => <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not affected'''</span> | ||
| + | *Drone => <span class="col-turquoise ve-pasteProtect" style="color: rgb(37, 149, 150)">'''not affected'''</span> | ||
| + | |||
| + | <br /> | ||
| + | |||
| + | ==Related links== | ||
| + | |||
| + | *https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html | ||
| + | *https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 | ||
| + | *https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/ | ||
| + | |||
| + | |||
| + | <br /> | ||
| + | [[de:Meldung/Log4Shell]] | ||
| + | [[en:{{FULLPAGENAME}}]] | ||