NEWS TICKER: VIRTIMO SUPPORT ON LOG4J2 [CVE-2021-44228] We analyse comprehensively and keep you up to date!
Dear customers and partners,
Below you will find the latest information about our products regarding the critical vulnerability in log4j2 [CVE-2021-44228]. We will continuously update this page and add new information.
For better clarity, we have divided the news ticker for you according to the products inubit, BPC, and VIMON as well as information for our SAAS/Cloud clients, and other information.
Please send us your support requests via the usual channels.
Details on the security vulnerability can be found on the BSI website [only available in German]. Supplementary link to information on CVE-2021-4104
inubit
News ticker
+++ 15 December 2021 | 8:21 pm +++
According to the current state of analysis, inubit is not affected by CVE-2020-9488 and CVE-2019-17571 in the delivery state.
+++ 15 December 2021 | 4:27 pm +++
According to current analysis, inubit is not affected by the vulnerability mentioned in CVE-2021-44228.
>> Updated JVM parameter
If you use individual plug-ins in inubit (self-developed extensions), please check these yourself for the use of Log4J v2 and take appropriate measures if necessary. A possible interim solution until the update is to implement the BSI recommendation:
Set the following JVM parameter in the parameter script used (setenv.sh or setenv.bat):
JVM_PARAMS=%JVM_PARAMS% -Dlog4j2.formatMsgNoLookups=true
(The %JVM_PARAMS% form is the Windows batch syntax for setenv.bat; in setenv.sh the existing value is referenced as $JVM_PARAMS instead.)
Note: If you are using Liferay, please check on your own whether you are using a version that requires action. You can find initial information here: https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability
+++ 14 December 2021 | 4:41 pm +++
inubit in the delivery state does not use the JMS Appender with Log4J v1.x, so the vulnerability described in CVE-2021-4104 is not relevant.
If you have made manual changes in this regard, please check whether these should be reset.
+++ 13 December 2021 | 1:07 pm +++
According to current analysis, inubit is not affected by the vulnerability mentioned in CVE-2021-44228.
If you use individual plug-ins in inubit (self-developed extensions), please check these yourself for the use of Log4J v2 and take appropriate measures if necessary. A possible interim solution until the update is to implement the BSI recommendation:
Set the following JVM parameter in the parameter script used (setenv.sh or setenv.bat):
log4j2.formatMsgNoLookups=true
Note: If you are using Liferay, please check on your own whether you are using a version that requires action. You can find initial information here: https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability
Business Process Center (BPC)
News ticker
+++ 11 January 2022 | 4:41 pm +++
UPDATED BPC RELEASES WITH LOG4J 2.17.1 FOR THE KARAF AND ELASTICSEARCH COMPONENTS ARE AVAILABLE
The releases BPC 3.1.6, BPC 3.2.6, BPC 3.3.7 and BPC 3.4.2 have been revised to use Log4J 2.17.1 and are ready for you to update, together with the correspondingly updated Karaf and Elasticsearch components.
If you want to patch Karaf and Elasticsearch manually, please send us a request for instructions and sources via a support ticket.
+++ 16 December 2021 | 9:21 pm +++
New instructions in the subject area: Test for success | PID determination under Windows
To test whether the change was successful, you can read the corresponding parameters from the running Java process. To do this, determine the process ID (PID) of Karaf and of Elasticsearch (e.g. via ps). The following command reads out the parameters; replace PID with the process ID determined in each case:
jinfo PID | grep log4j2.formatMsgNoLookups
Under Windows, you can determine the PID by executing in PowerShell
gcim win32_Process -Filter "Name='java.exe' OR Name LIKE 'elasticsearch-service%'" | select Name,ProcessId,Path,CreationDate,CommandLine
If you would prefer to use the Task Manager instead, click "More Details" if the detailed view is not already shown, switch to the "Details" tab and, if the "Command Line" column is not yet visible, right-click a column title, choose "Select Columns" from the context menu, tick "Command Line" and confirm.
The PID determination is the same either way. Among the entries named java.exe, find the one whose Command Line column contains the term "karaf" and, if you have not started Elasticsearch as a service, the one containing the term "elasticsearch". If you have started Elasticsearch as a service, find the entry named elasticsearch-service-x64.exe instead.
The output must contain at least the following line:
log4j2.formatMsgNoLookups=true
+++ 15 December 2021 | 4:13 pm +++
Revised Elasticsearch action guide for Linux and Windows for BPC versions > 3.0 and < 3.4.1
Elasticsearch
Linux and Windows [when started as an application, not as a service]:
In the ELASTICSEARCH/config/jvm.options file, add the following line:
-Dlog4j2.formatMsgNoLookups=true
Elasticsearch must then be restarted.
Windows [when started as a service]:
If Elasticsearch was set up as a service under Windows, the adjustment must be made via the Service Manager. Start the Service Manager from a Windows CMD (run as administrator) with the following command:
ELASTICSEARCH/bin/elasticsearch-service.bat manager
Under the “Java” tab, add the following line to the “Java Options”:
-Dlog4j2.formatMsgNoLookups=true
Elasticsearch must then be restarted. If you have not set up Elasticsearch as a service under Windows but start it as a normal application, please use the procedure described in the section "Linux and Windows [when started as an application, not as a service]".
+++ 14 December 2021 | 1:07 pm +++
New Elasticsearch action guide for Linux and Windows for BPC versions > 3.0 and < 3.4.1
Elasticsearch
Linux:
In the ELASTICSEARCH/config/jvm.options file, add the following line:
-Dlog4j2.formatMsgNoLookups=true
Elasticsearch must then be restarted.
Windows:
Start the Service Manager from a Windows CMD (run as administrator) with the following command:
ELASTICSEARCH/bin/elasticsearch-service.bat manager
Under the “Java” tab, add the following line to the “Java Options”:
-Dlog4j2.formatMsgNoLookups=true
Elasticsearch must then be restarted.
+++ 13 December 2021 | 1:12 pm +++
The BPC is affected by the aforementioned CVE in versions > 3.x and < 3.4.1; from version 3.4.1 onwards the corresponding adjustments have been made.
Therefore, please follow the instructions below for versions > 3.0 and < 3.4.1.
Karaf
Add the following line to the file KARAF/etc/system.properties (no trailing period; the value must be exactly true):
log4j2.formatMsgNoLookups = true
Karaf must then be restarted.
Elasticsearch
Add the following line to the file ELASTICSEARCH/config/jvm.options:
-Dlog4j2.formatMsgNoLookups=true
Elasticsearch must then be restarted.
Alternative via bpc.env
If the bpc.env file is used, the system parameters can also be set via this file. To do this, extend the following lines:
# Elasticsearch (this entry already exists and only needs to be extended)
export ES_JAVA_OPTS="$ES_JAVA_OPTS -Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
# Karaf
export KARAF_SYSTEM_OPTS="$KARAF_SYSTEM_OPTS -Dlog4j2.formatMsgNoLookups=true"
Elasticsearch and Karaf must then be restarted.
Test for success
To test whether the change was successful, you can read the corresponding parameters from the running Java process. To do this, determine the process ID (PID) of Karaf and of Elasticsearch (e.g. via ps). The following command reads out the parameters; replace PID with the process ID determined in each case:
jinfo PID | grep log4j2.formatMsgNoLookups
The output must contain at least the following line:
log4j2.formatMsgNoLookups=true
Hint: The program jinfo is part of the JDK and is located in its bin directory.
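The "Test for success" check above (here and in the 16 December entry) automated as a small POSIX shell script. This is an added example, not Virtimo's own tooling; it assumes pgrep is available and that the JDK bin directory containing jinfo is on PATH. The sample jinfo excerpts at the bottom are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not part of the Virtimo page): automates the "Test for success"
# steps, i.e. jinfo on each Karaf/Elasticsearch PID and a check for the property.
# Assumes a POSIX shell, pgrep, and a JDK whose bin directory (jinfo) is on PATH.

# Returns 0 only if the jinfo output on stdin contains the exact line
# log4j2.formatMsgNoLookups=true. A missing line or a value of "false" fails,
# which a plain "grep log4j2.formatMsgNoLookups" would not catch.
mitigation_present() {
    grep -q '^log4j2\.formatMsgNoLookups=true$'
}

# Inspect one live JVM by PID.
check_pid() {
    jinfo "$1" 2>/dev/null | mitigation_present
}

# Candidate PIDs: JVMs whose command line mentions karaf or elasticsearch.
find_java_pids() {
    pgrep -f 'karaf|elasticsearch' || true
}

# Report per PID; exit status 1 if any JVM still lacks the mitigation.
check_all() {
    rc=0
    for pid in $(find_java_pids); do
        if check_pid "$pid"; then
            echo "PID $pid: log4j2.formatMsgNoLookups=true present"
        else
            echo "PID $pid: MITIGATION MISSING (restart with the flag set)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed jinfo excerpts (not real captures) for offline verification.
SAMPLE_OK='Java System Properties:
java.vm.name=OpenJDK 64-Bit Server VM
log4j2.formatMsgNoLookups=true
karaf.home=/opt/bpc/karaf'
SAMPLE_BAD='Java System Properties:
java.vm.name=OpenJDK 64-Bit Server VM
log4j2.formatMsgNoLookups=false
karaf.home=/opt/bpc/karaf'

# Run against the live system with:  sh check_log4j_flag.sh --live
case "${1:-}" in --live) check_all ;; esac
```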
VIMON
News ticker
+++ 14 December 2021 | 9:44 pm +++
ViMon in the delivery state is not affected by CVE-2020-9488 and CVE-2019-17571.
If you have made manual changes in this regard, please check whether these should be reset.
+++ 14 December 2021 | 1:21 pm +++
ViMon in the delivery state does not use the JMS Appender with Log4J v1.x, so CVE-2021-4104 is not relevant.
If you have made manual changes in this regard, please check whether these should be reset.
+++ 13 December 2021 | 1:20 pm +++
The VIMON core functionality delivered by Virtimo as well as the corresponding exporters are not affected by the problem.
To rule out a possible vulnerability in individually installed extensions/exporters, a correspondingly adapted build is available as version 1.6, which you can obtain on request.
SAAS/Cloud
News ticker
+++ 14 December 2021 | 1:44 pm +++
Current findings from our intrusion detection analysis
We have been tracking corresponding attack attempts since shortly after the information was published:
Continuous scans of entire IP address ranges are taking place and the number of distinct sources is increasing daily. In our cloud services these are blocked completely, so our cloud customers are not currently exposed to any major risk.
Nevertheless, a high level of attention and continuous monitoring of the situation is necessary and regular adjustments of the measures are important.
+++ 13 December 2021 | 3:03 pm +++
For our SAAS/Cloud clients, we have already carried out the analyses described and, if necessary, taken appropriate measures for the Virtimo products.
In addition, we have of course checked other components used in operation and updated or made adjustments where necessary, for example:
- Operating systems
- Firewall
- Proxy/Reverse Proxy/Web Application Firewall
- Operation monitoring and alarm components
- Databases used and database drivers
- Mail server
- DNS server
- Tool chain for automated certificate updates
- AWS CLI
To check security in operation, we have also used the procedures recommended by the BSI to detect attacks that have already taken place. The evaluation of the results is still in progress; we will keep you informed.
With regard to the RDS and API Gateway components provided by Amazon AWS, analyses and updates are currently still being carried out by AWS, so there is no final status here yet; we will inform you accordingly here as well.
Other information
News ticker
+++ 13 December 2021 | 1:53 pm +++
Keycloak
Keycloak as shipped does not use the JMS Appender with Log4J v1.x, so CVE-2021-4104 is not relevant. If you have made manual changes in this regard, please check whether these should be reset.
+++ 13 December 2021 | 1:48 pm +++
Comprehensive check of other Virtimo systems
In parallel, we are of course also subjecting all systems and tools used by Virtimo, such as ticket systems, wikis, project management, accounting and CRM systems, to a thorough check.
+++ 13 December 2021 | 1:22 pm +++
Keycloak
Keycloak is not affected by the aforementioned security vulnerability. You can find more information here: https://github.com/keycloak/keycloak/discussions/9078
Virtimo Support
We are there for you.
You can reach us by phone, e-mail or use the ticket system.
- Phone: +49 30 555 744 044
- E-mail:
- Virtimo Support Portal: https://support.virtimo.de
If you do not yet have access to our support system, you can register HERE