Hi all, I am running ARIS 9.8 Design Server and Publisher Server and I have to fix the issue with the log4j vulnerability.
On the Empower website I only see updates for version 10.x. I am not able to upgrade to version 10.
What is the best way to mitigate this vulnerability? How to get an update?
Thanks and regards
Dear Marcel,
Please log a support ticket via Incident Management Portal - Service project (softwareag.com).
The ARIS Community can't help you much here.
Cheers
Runè
Hello Marcel,
in addition to the support KB article on Empower
Log4j Zero-Day security vulnerability for ARIS Clients/Connect/Design-Server/Risk and Compliance Manager/Publisher On-Premise
I found Hilko Bengen's local-log4j-vuln-scanner very helpful to identify the ZIP and JAR files for mitigation.
It works recursively on JAR, WAR and ZIP files, scanning for vulnerable Java classes, mainly JndiLookup.class (log4j 2.x) and JMSAppender.class (log4j 1.x), under any path within archive files of any name. So it did find JndiLookup.class in places that ARIS support forgot to mention, e.g. in a log4j-core-2.11.0.jar packed in y-aris-server-complete-10.0.7.1-exec.jar.
I did not use the corresponding patch tool, because of its logic (it creates a *-patched.jar from a vulnerable *.jar). Instead I followed the procedure described by ARIS support as well as by the Apache project, by copying the vulnerable files into quarantine before deleting all JndiLookup.class (log4j 2.x) and JMSAppender.class (log4j 1.x) from the respective archives.
As ARIS support pointed out, their mitigation procedure is for ARIS 10.x, so you should consider all precautions for your 9.8 servers to roll back safely.
Regards, Martin
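The two steps Martin describes above (recursive scan of JAR/WAR/ZIP files for JndiLookup.class and JMSAppender.class, including archives nested inside other archives, then quarantine copy and removal of those classes) as an added, self-contained Python example. This is not Hilko Bengen's scanner, not the ARIS support procedure and not ARIS code; the sample tree it builds (a constructed "app-complete-exec.jar" wrapping a log4j-core-2.11.0.jar, plus a log4j-1.2.17.jar with a few byte stubs in place of real class files) is made up for the demonstration, and the nested-archive rewrite goes beyond the plain `zip -q -d` removal by also rebuilding inner archives.

```python
"""Recursive log4j marker-class scanner and remover (added example, not ARIS or Apache code)."""
import io
import os
import shutil
import tempfile
import zipfile

# Class files that the Apache-recommended mitigation removes:
# JndiLookup.class from log4j 2.x (log4j-core), JMSAppender.class from log4j 1.x.
MARKER_CLASSES = frozenset({"JndiLookup.class", "JMSAppender.class"})
# Archive types that may wrap other archives (fat jars, WARs, distribution zips).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 8  # guard against pathological self-nesting archives


def _is_archive(name):
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def _is_marker(member_name):
    return member_name.rsplit("/", 1)[-1] in MARKER_CLASSES


def _scan_bytes(data, prefix, depth, hits):
    """Walk one archive held in memory; record marker classes as 'outer!/inner!/path'."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not really a zip despite the suffix
    with zf:
        for info in zf.infolist():
            name = info.filename
            if _is_marker(name):
                hits.append(prefix + "!/" + name)
            elif _is_archive(name) and depth < MAX_NESTING:
                _scan_bytes(zf.read(info), prefix + "!/" + name, depth + 1, hits)


def scan_tree(root):
    """Return every marker-class location under root, whatever the archive is called."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if _is_archive(fn):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_bytes(fh.read(), path, 0, hits)
    return hits


def _strip_bytes(data, depth):
    """Rebuild an archive without marker classes, recursing into nested archives.

    Returns (new_bytes, removed_count). Other entries are re-added with their
    original ZipInfo, so name, timestamp and compression method are kept.
    """
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if _is_marker(info.filename):
                removed += 1
                continue
            payload = src.read(info)
            if _is_archive(info.filename) and depth < MAX_NESTING:
                try:
                    payload, inner = _strip_bytes(payload, depth + 1)
                    removed += inner
                except zipfile.BadZipFile:
                    pass  # suffix lied; keep the member as-is
            dst.writestr(info, payload)
    return out.getvalue(), removed


def quarantine_and_strip(archive_path, quarantine_dir):
    """Copy the untouched archive into quarantine, then replace it with the stripped version.

    Returns the number of marker classes removed (0 means the file was left alone).
    Quarantine uses the basename only, so keep one quarantine dir per source dir.
    """
    with open(archive_path, "rb") as fh:
        new_bytes, removed = _strip_bytes(fh.read(), 0)
    if removed:
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.copy2(archive_path, os.path.join(quarantine_dir, os.path.basename(archive_path)))
        tmp = archive_path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(new_bytes)
        os.replace(tmp, archive_path)  # atomic swap on the same filesystem
    return removed


def build_sample_tree(lib_dir):
    """Constructed sample (not real ARIS files): a fat jar nesting log4j-core, plus a log4j 1.x jar."""
    stub = b"\xca\xfe\xba\xbe stub"  # class-file magic followed by filler
    os.makedirs(lib_dir, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", stub)
        z.writestr("org/apache/logging/log4j/core/Logger.class", stub)
    with zipfile.ZipFile(os.path.join(lib_dir, "app-complete-exec.jar"), "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("lib/log4j-core-2.11.0.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-1.2.17.jar"), "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("org/apache/log4j/net/JMSAppender.class", stub)
        z.writestr("org/apache/log4j/Logger.class", stub)


def run_demo():
    """Build the sample, scan, quarantine and strip, rescan; return a summary for inspection."""
    base = tempfile.mkdtemp(prefix="log4j-demo-")
    lib, quarantine = os.path.join(base, "lib"), os.path.join(base, "quarantine")
    build_sample_tree(lib)
    before = scan_tree(lib)
    removed = sum(quarantine_and_strip(os.path.join(lib, fn), quarantine)
                  for fn in sorted(os.listdir(lib)) if _is_archive(fn))
    after = scan_tree(lib)
    with zipfile.ZipFile(os.path.join(lib, "app-complete-exec.jar")) as z:
        with zipfile.ZipFile(io.BytesIO(z.read("lib/log4j-core-2.11.0.jar"))) as inner:
            survivors = inner.namelist()
    return {"before": before, "removed": removed, "after": after,
            "survivors": survivors, "quarantined": sorted(os.listdir(quarantine))}


if __name__ == "__main__":
    summary = run_demo()
    for hit in summary["before"]:
        print("marker class found:", hit)
    print("removed:", summary["removed"], "remaining after strip:", summary["after"])
```

Two caveats a practitioner will want: keep the quarantine directory outside the tree you rescan, otherwise the untouched copies are flagged again, and note that rebuilding a nested archive changes its bytes (new central directory, recompressed entries), so a signed inner JAR would fail signature verification afterwards and would need the vendor's patched artifact rather than this in-place edit.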