
Hi all,

You may already be aware of the Log4J bug that is being exploited rapidly.

Is any ARIS software affected? If so, what are the advised steps?

Thanks

by Abdullah N Author
Posted on Sun, 12/12/2021 - 02:14

I can confirm ARIS 10 is vulnerable.

Huntress have released a tool which you can use to confirm this. I can't post the link as this forum keeps detecting any links I post as spam! You can find it on HuntressLabs Twitter.

0
by Abdullah N Author
Posted on Sun, 12/12/2021 - 02:37

Temporary mitigation methods:

You can set a SYSTEM variable on Windows Server to mitigate this; however, a software update (whenever that is ready from Software AG) is strongly advised.

Variable name: LOG4J_FORMAT_MSG_NO_LOOKUP

Variable value: true

I suggest a system reboot, although you might be able to get away with just restarting the ARIS Agent service and all other ARIS components.

0
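An added example of the mitigation in the post above as a script, not code from this thread or from Software AG: it sets the variable at machine scope (the scope a Windows service inherits), reads it back from the registry rather than from the current session, and restarts the ARIS services so the JVMs pick up the new environment block. The name Log4j 2.10 through 2.14.1 actually reads is LOG4J_FORMAT_MSG_NO_LOOKUPS, with a trailing S, and that is what the script sets. The ARIS service display-name pattern is an assumption; Apache later rated this flag an incomplete mitigation for some non-default configurations (CVE-2021-45046), so the service release remains the real fix.

```powershell
# Added example (not from the original post or from Software AG): apply the
# Log4j message-lookup kill switch machine-wide and restart ARIS services.
# Run in an elevated PowerShell on the ARIS server. The service name pattern
# is an assumption; if unsure, reboot the server as the post suggests.
#Requires -RunAsAdministrator

$name  = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'   # trailing S: the name Log4j 2.10-2.14.1 reads
$value = 'true'

# Machine scope writes HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
# which is what a service started by the SCM inherits. A user-scope variable is not seen
# by services running under a different account.
[Environment]::SetEnvironmentVariable($name, $value, [EnvironmentVariableTarget]::Machine)

# Verify from the registry, not from this session's copy of the environment.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$stored  = (Get-ItemProperty -Path $regPath -Name $name).$name
if ($stored -ne $value) { throw "Variable $name not stored correctly (got '$stored')" }
Write-Host "$name=$stored set at machine scope"

# Already-running processes keep their old environment block, so the JVMs must be restarted.
# Assumption: ARIS services carry a display name starting with 'ARIS' (e.g. the ARIS Agent).
$arisServices = Get-Service | Where-Object { $_.DisplayName -like 'ARIS*' -and $_.Status -eq 'Running' }
if (-not $arisServices) {
    Write-Warning 'No running ARIS services found by display name; reboot the server instead.'
} else {
    foreach ($svc in $arisServices) {
        Write-Host "Restarting $($svc.DisplayName)"
        Restart-Service -Name $svc.Name -Force
    }
}
```

After the restart, confirm the setting reached the JVM: a process started by the service should show the variable in its environment (for example via `Get-Process` with a tool such as Process Explorer), and any Log4j 2.x below 2.15 will then leave `${jndi:...}` strings in messages unexpanded.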
by Abdullah N Author
Posted on Sun, 12/12/2021 - 15:34

In reply to by jordanjt95

I can't confirm that since Software AG's advice appears to be locked behind their Empower portal which I don't have access to (I'm not a direct customer).

It is however a recommendation from Microsoft and I can confirm it works. I'm not allowed to post links it appears but you can find the article by searching "Microsoft’s Response to CVE-2021-44228 Apache Log4j 2" online.

0
by Jordan Tangy
Badge for 'Question Solver' achievement
Posted on Tue, 12/14/2021 - 15:12

In reply to by node15

I did what you said, and after this little change I can't open models in ARIS Architect.

Did it happen to you as well?

0
by Eva Klein
Badge for 'Community Team' achievement
Posted on Sun, 12/12/2021 - 11:36

Please visit the following link for more information: Empower portal

0
by Jon Klingaman
Posted on Tue, 12/21/2021 - 18:58

In reply to by Eva Klein

The latest Service Releases for 14b, 15bc, and 16c: the readme files state they are for updating log4j to 2.16. Our understanding is that 2.17 is the actual fix for the vulnerability. Is there active development to release new Service Releases for ARIS that include the 2.17 log4j version as a fix?

0
by Vassiliki Spentzou
Posted on Mon, 12/13/2021 - 10:24

Dear Eva,

The link for ARIS Connect is not functional. Can you please suggest where to find the recommendations for ARIS Connect?

Many thanks

0
by Eva Klein
Badge for 'Community Team' achievement
Posted on Mon, 12/13/2021 - 11:06

Thanks for the hint and sorry for the inconvenience. The link should work now. Could you please try again?

0
by Louise McDonagh
Posted on Tue, 12/14/2021 - 10:49

Is ARIS Express affected by the Apache virus?

0
by Frank Weyand
Posted on Tue, 12/14/2021 - 11:32

In reply to by louisemcdonagh01

Well, it is not a virus, but to answer your question: no. The feature that made the software vulnerable came with version 2 of the log4j library. Express uses the first version, which does not have the vulnerable features.

Bye,

Frank

0
by Tobias Roth
Posted on Tue, 02/08/2022 - 12:57

In reply to by Frank Weyand

Dear Frank,

We also used ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us that it uses "log4j__V2.3.jar".

Log4j is vulnerable from 2.0-beta9 up to and including 2.14.1.

So please tell me why it should not be vulnerable. 

Thanks and best regards

Tobias

0
by Frank Weyand
Posted on Tue, 02/08/2022 - 13:15

In reply to by TobiR

Hi Tobias,

> So please tell me why it should not be vulnerable. 

Uh... V2.3 is not the log4j version number. We use an internal webstart mechanism to name the files; the version 2.3 is the Express version internally.

The log4j version is still an old 1.x version, which does not have the vulnerabilities, because it is a much simpler and less powerful version. You can look inside the jar file and see in the manifest which version it actually is.

Bye,

Frank

0
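The manifest check Frank describes, written out as an added example that is not part of this thread or of ARIS: it opens each jar as a zip, reads META-INF/MANIFEST.MF for the version, and looks at the class list, so a jar is classified by what it contains rather than by a webstart file name such as log4j__V2.3.jar. Log4j 1.x packages live under org/apache/log4j/ and 2.x under org/apache/logging/log4j/; the JndiLookup class that CVE-2021-44228 is exploited through exists only in 2.x. The install root is an assumption.

```powershell
# Added example (not from the original thread or from Software AG): identify the
# Log4j version a jar really contains from its manifest and class list, because
# ARIS webstart file names such as log4j__V2.3.jar carry the Express version,
# not the Log4j version. Works on Windows PowerShell 5.1 and later.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jInfo {
    param([Parameter(Mandatory)][string]$JarPath)

    try { $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath) }
    catch { Write-Warning "Not a readable jar: $JarPath ($($_.Exception.Message))"; return }
    try {
        $names = @($zip.Entries | ForEach-Object { $_.FullName })

        # 1.x packages live under org/apache/log4j/, 2.x under org/apache/logging/log4j/.
        $isV1 = [bool]($names | Where-Object { $_ -like 'org/apache/log4j/*.class' })
        $isV2 = [bool]($names | Where-Object { $_ -like 'org/apache/logging/log4j/*' })
        # JndiLookup is the 2.x class CVE-2021-44228 is exploited through; 1.x never shipped it.
        $hasJndiLookup = $names -contains 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

        # The manifest is 'Key: Value' lines; long values continue on lines starting with one space.
        $version = $null
        $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($manifest) {
            $reader = New-Object System.IO.StreamReader($manifest.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
            $text = $text -replace "`r?`n ", ''
            foreach ($key in 'Log4jReleaseVersion', 'Implementation-Version', 'Bundle-Version') {
                $m = [regex]::Match($text, "(?m)^$key\s*:\s*(\S+)")
                if ($m.Success) { $version = $m.Groups[1].Value; break }
            }
        }

        [pscustomobject]@{
            Jar           = $JarPath
            Version       = $version
            Log4j1        = $isV1
            Log4j2        = $isV2
            HasJndiLookup = $hasJndiLookup
            # 2.x with JndiLookup still packaged is what the env-var and class-removal workarounds target.
            Exposed       = ($isV2 -and $hasJndiLookup)
        }
    }
    finally { $zip.Dispose() }
}

# Scan an install tree (assumed path) and list every jar holding Log4j classes, whatever its name.
$root = 'C:\SoftwareAG\ARIS10.0'   # assumption: adjust to the actual ARIS install root
Get-ChildItem -Path $root -Recurse -Filter '*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Log4jInfo -JarPath $_.FullName } |
    Where-Object { $_.Log4j1 -or $_.Log4j2 } |
    Format-Table Version, Log4j1, Log4j2, HasJndiLookup, Exposed, Jar -AutoSize
```

A jar reporting Log4j1 true and no JndiLookup class is the 1.x case Frank describes; a jar reporting Log4j2 true with a version between 2.0-beta9 and 2.14.1 and JndiLookup present is the case the thread's mitigation and service releases address. Note that the manifest version is whatever the vendor packaged, so the class list is the more reliable signal when a jar has been repackaged.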
by Harm Verschuren
Posted on Thu, 12/23/2021 - 12:32

Just double checking: is ARIS Client (the software running on your local PC) affected? Looking at Empower, it seems to me that only server software is affected. Is this true?

Kind regards,

0
by Runé Becker
Badge for 'Mastermind' achievement
Posted on Mon, 12/27/2021 - 14:39

In reply to by harmv

Yes, a local installation of ARIS Architect (aka LOCAL) isn't affected by Log4J. The vulnerable classes are included, but there is no attack vector exposed, so they can't be the subject of an attack.

Cheers
Rune

0
by John Bertolet
Posted on Tue, 01/18/2022 - 15:25

My understanding: the full fix for this is to update ARIS to version 10 SR16, or better yet SR17, which is expected later this month.

0
by Veronika Ellermann
Badge for 'Fan' achievement
Posted on Wed, 01/19/2022 - 09:09

In reply to by rbe

Hi Rune,

Thanks for that info :)
Do you also have a feature overview?
Best,

Veronika

0
by Runé Becker
Badge for 'Mastermind' achievement
Posted on Wed, 01/19/2022 - 17:58

In reply to by Vee_ARIS

SR17, like most odd-numbered service releases, doesn't come with new features but sums up all patches and bug fixes since the last feature-rich service release (an even number such as SR16).

Cheers
Rune

0
