Difference between revisions of "Announcement/Log4Shell"
Event
Log4j vulnerability (CVE-2021-44228)
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- BSI warning from 12/12/2021 (CVE-2021-44228): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf
Current vulnerability assessment in BlueSpice (overview)
BlueSpice free, pro, farm:
- Current on-premise installations are not affected.
- In older on-premise installations, the version of Elasticsearch could be affected (see "Older versions of BlueSpice 3" below).
- The Docker version is not affected.
BlueSpice Cloud is not affected.
This is true for the components that we install. Customers have to check their part of the installation themselves (e.g., the operating system, additional packages, and any other Java software running on the same host).
Detailed vulnerability assessment
Inspected components in BlueSpice
Current version
- Elasticsearch => Elastic reports that the shipped version is not affected:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
No code-red alert, but we keep an eye on it. => not vulnerable
Java server
- Tomcat => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
- Jetty => explicit configuration of log4j is necessary. By default, log4j is not activated. We do not change this. => not vulnerable
Java Webservices
- xhtmlrenderer => a log4j plugin exists, but is not used by our service => not vulnerable
- VisualDiff => uses daisydiff + others. Does not use log4j => not vulnerable
- LaTeX2png => uses the jlatexmath library. Does not use log4j => not vulnerable
- Draw.io => the project reports that the application is not affected:
https://twitter.com/drawio/status/1470061320066277382 => not vulnerable
Older versions of BlueSpice 3
Elasticsearch (see https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 ):
- Versions 6.8.9 and later (6.8.9 was released on 13 May 2020): not vulnerable.
- Versions 6.4.0 to 6.8.8: vulnerable. A configuration change (the JVM option -Dlog4j2.formatMsgNoLookups=true named in the Elastic advisory) and a restart of every Elasticsearch node have to be applied.
- Versions 6.3.x and below: an update of Elasticsearch is required, since these releases bundle a Log4j that does not honour the option. Please contact our support.
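The three version buckets above are easy to get wrong by hand on a fleet of hosts. The following is an added example (not BlueSpice or Elastic code) that maps an Elasticsearch version string to the bucket from this announcement and adds the mitigation flag to jvm.options without duplicating it. Assumptions, labelled in the code: the flag is the one named in Elastic's advisory ESA-2021-31, it is only honoured by Log4j 2.10 and later (which is why older releases need an upgrade rather than a flag), and JVM_OPTIONS_PATH is the Linux package default, which may differ on a given host. Anything outside the 6.x line is reported as out of scope rather than guessed.

```python
"""Triage an on-premise Elasticsearch 6.x against the Log4Shell buckets in the
announcement and prepare the jvm.options mitigation idempotently.

Added example, not BlueSpice or Elastic code. Assumptions: the buckets are the
ones stated on this page; the mitigation flag is the one named in Elastic's
advisory ESA-2021-31; JVM_OPTIONS_PATH is the Linux package default and may
differ on your host. Elasticsearch must be restarted after the file changes.
"""
import re
from pathlib import Path

JVM_OPTIONS_PATH = Path("/etc/elasticsearch/jvm.options")  # assumption: package default
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

NOT_VULNERABLE = "not-vulnerable"  # 6.8.9 and later
CONFIG_CHANGE = "config-change"    # 6.4.0 .. 6.8.8: add the flag and restart
UPGRADE = "upgrade"                # 6.3.x and below: update Elasticsearch
OUT_OF_SCOPE = "out-of-scope"      # not a 6.x release: consult the vendor advisory


def parse_version(text):
    """Extract (major, minor, patch) from '6.8.8' or from the JSON returned by GET /."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def triage(version):
    """Map an Elasticsearch version to the action bucket from the announcement."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v[0] != 6:
        return OUT_OF_SCOPE
    if v >= (6, 8, 9):
        return NOT_VULNERABLE
    if v >= (6, 4, 0):
        return CONFIG_CHANGE
    return UPGRADE


def ensure_mitigation(jvm_options_text):
    """Return jvm.options content containing the flag exactly once.
    Pure function over text, so the result can be reviewed before writing."""
    lines = jvm_options_text.splitlines()
    if not any(line.strip() == MITIGATION_FLAG for line in lines):
        lines.append("# Log4Shell mitigation (CVE-2021-44228), see Elastic ESA-2021-31")
        lines.append(MITIGATION_FLAG)
    return "\n".join(lines) + "\n"


def apply_mitigation(path=JVM_OPTIONS_PATH):
    """Add the flag to jvm.options if it is missing; returns True when the file changed."""
    path = Path(path)
    before = path.read_text()
    after = ensure_mitigation(before)
    if after != before:
        path.write_text(after)
        return True
    return False


# Constructed sample: the shape of a stock jvm.options, not a real customer file.
SAMPLE_JVM_OPTIONS = "-Xms1g\n-Xmx1g\n-XX:+UseConcMarkSweepGC\n"

if __name__ == "__main__":
    for ver in ("6.8.9", "6.8.8", "6.3.2", "7.10.2"):
        print(ver, "->", triage(ver))
    print(ensure_mitigation(SAMPLE_JVM_OPTIONS), end="")
```

Feed triage() the `version.number` field from `GET /` on port 9200 of each node; only the config-change bucket should get apply_mitigation(), and the node still has to be restarted afterwards, because jvm.options is only read at JVM start.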
BlueSpice 2
- Solr uses log4j. Currently no mitigation is available. Disable the Solr search.
Inspected components in the Docker image
The list of files in the activated packages of the Docker image has been inspected for log4j. => not vulnerable
- Debian package status for the base image: https://security-tracker.debian.org/tracker/CVE-2021-44228
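The inspection described above amounts to looking for Log4j 2 artefacts in the files an image or host actually ships. The following is an added example (not BlueSpice's own inspection tooling) of that check: it walks a directory tree (a host install, or an image filesystem unpacked with `docker export`), flags every archive that contains the `JndiLookup` class that performs the JNDI lookup, recurses into jars nested inside wars and fat jars, and reads the Log4j version from the jar's Maven `pom.properties` when present. The sample jars it builds are constructed fixtures, and the 2.15.0 cut-off and the 2.3.1 / 2.12.2 backport exceptions are taken from the CVE-2021-44228 affected range rather than from this page.

```python
"""Scan archives for Log4j 2 artefacts relevant to CVE-2021-44228.

Added example, not BlueSpice's own tooling. Point scan_tree() at a host
install or at a Docker image filesystem exported with `docker export`
(assumption: you have the image at hand). Every archive containing
org/apache/logging/log4j/core/lookup/JndiLookup.class is reported, nested
archives are recursed into, and the version comes from log4j-core's
Maven pom.properties when the jar carries one.
"""
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Log4j 2 releases below 2.15.0 that nevertheless contain the fix (backport lines).
FIXED_BACKPORTS = {(2, 3, 1), (2, 12, 2)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when no version is found."""
    if text is None:
        return None
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def log4j_core_version(zf):
    """Best-effort Log4j version from the jar's Maven pom.properties."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\S+)", props, re.M)
    return m.group(1) if m else None


def inspect_archive(data, name):
    """Yield (archive_path, log4j_version, has_jndi_lookup) for this archive and
    every archive nested inside it; nested paths use '!' as the separator."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_LOOKUP in names
        version = log4j_core_version(zf)
        if has_jndi or version is not None:
            yield (name, version, has_jndi)
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(inner), f"{name}!{inner}")


def affected_by_cve_2021_44228(version, has_jndi):
    """True when the JNDI lookup class is present and the version is unknown, or
    below 2.15.0 and not a fixed backport. Unknown versions are treated as affected."""
    if not has_jndi:
        return False
    v = parse_version(version)
    if v is None:
        return True
    return v < (2, 15, 0) and v not in FIXED_BACKPORTS


def scan_tree(root):
    """Scan a directory tree; returns a list of (path, version, has_jndi, affected)."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            for path, version, has_jndi in inspect_archive(p.read_bytes(), str(p)):
                results.append((path, version, has_jndi, affected_by_cve_2021_44228(version, has_jndi)))
    return results


def build_sample_jar(version, with_jndi):
    """Constructed fixture: a minimal jar shaped like log4j-core (placeholder class bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war():
    """Constructed fixture: a war bundling an affected log4j-core jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", True))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for row in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row)
```

A hit with the class present but no readable version (for example a shaded jar whose pom.properties was stripped) is deliberately reported as affected so that it gets looked at; a jar with a version but without the class, as in 2.16.0 and later, is listed but not flagged. The scan says nothing about Log4j pulled in at runtime from outside the scanned tree, which is exactly the customer-side check the overview above asks for.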