Hi all,
You may be already aware of the Log4J bug that is being exploited rabidly.
Is any ARIS software affected? If so, what are the advised steps?
Thanks
Temporary mitigation methods:
You can set a SYSTEM variable on Windows Server to mitigate this; however, a software update (whenever that is ready from Software AG) is strongly advised.
Variable name: LOG4J_FORMAT_MSG_NO_LOOKUP
Variable value: true
I suggest a system reboot. Although you might be able to get away with just restarting ARIS Agent service and all other ARIS components.
I can't confirm that since Software AG's advice appears to be locked behind their Empower portal which I don't have access to (I'm not a direct customer).
It is, however, a recommendation from Microsoft, and I can confirm it works. It appears I'm not allowed to post links, but you can find the article by searching "Microsoft's Response to CVE-2021-44228 Apache Log4j 2" online.
Please visit the following link for more information: Empower portal
For the latest Service Releases for 14b, 15bc, and 16c, the readme files state that they are for updating log4j to 2.16. Our understanding is that 2.17 is the actual fix for the vulnerability. Is there active development to release new Service Releases for ARIS that include the 2.17 log4j version as a fix?
Dear Frank,
We also used ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us that it uses "log4j__V2.3.jar".
Log4j is vulnerable from 2.0-beta9 up to and including 2.14.1.
So please tell me why it should not be vulnerable.
Thanks and best regards
Tobias
Hi Tobias,
> So please tell me why it should not be vulnerable.
uh... V2.3 is not the version number of the log4j version... we use an internal webstart mechanism to name the files... the version 2.3 is the Express version internally.
The log4j version is still an old 1.x version, not providing the vulnerabilities, because this is a much simpler version and less powerful. You can look inside the jar file and see in the manifest which version it actually is.
Bye,
Frank
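A small check of what Frank describes (reading the jar's manifest instead of trusting the file name), added here as an example that is not from the thread or from Software AG. It also looks for the JndiLookup class, which exists only in Log4j 2.x, and the two jars it inspects are constructed in memory.

```python
import io
import zipfile

# Only Log4j 2.x ships this class; it is the one involved in CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict."""
    headers, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last_key:
            headers[last_key] += line[1:]  # continuation line
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers

def inspect_jar(jar):
    """Classify a jar (path or file-like) by its contents; the file name is ignored."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    is_log4j2 = any(n.startswith("org/apache/logging/log4j/") for n in names)
    is_log4j1 = any(n.startswith("org/apache/log4j/") for n in names)
    return {
        "manifest_version": manifest.get("Implementation-Version") or manifest.get("Bundle-Version"),
        "log4j_generation": 2 if is_log4j2 else 1 if is_log4j1 else None,
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
    }

def make_sample_jar(manifest_text, class_entries):
    """Build a constructed in-memory jar for demonstration (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        for entry in class_entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf

# Constructed samples: an old 1.x jar, and a 2.x core jar that still contains JndiLookup.
OLD_JAR = make_sample_jar("Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n\n",
                          ["org/apache/log4j/Logger.class"])
NEW_JAR = make_sample_jar("Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n\n",
                          ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])
```

Run `inspect_jar("path/to/log4j__V2.3.jar")` against a real install to see the generation and manifest version the jar actually carries.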
ARIS 10.0 SR17 has already been available since the end of last week!
Download SR17 from Software AG - Download Center
Cheers
Rune