Hi all,
You may be already aware of the Log4J bug that is being exploited rapidly.
Are any ARIS software affected? If so, what are the advised steps?
Thanks
Temporary mitigation methods:
You can set a SYSTEM variable on Windows Server to mitigate this; however, a software update (whenever that is ready from Software AG) is strongly advised.
Variable name: LOG4J_FORMAT_MSG_NO_LOOKUP
Variable value: true
I suggest a system reboot, although you might be able to get away with just restarting the ARIS Agent service and all other ARIS components.
I can confirm ARIS 10 is vulnerable.
Huntress have released a tool which you can use to confirm this. I can't post the link as this forum keeps detecting any links I post as spam! You can find it on HuntressLabs Twitter.
Hi,
First, thank you for your update.
Is this mitigation method approved by Software AG ?
Thanks
I can't confirm that since Software AG's advice appears to be locked behind their Empower portal which I don't have access to (I'm not a direct customer).
It is however a recommendation from Microsoft and I can confirm it works. I'm not allowed to post links it appears but you can find the article by searching "Microsoft’s Response to CVE-2021-44228 Apache Log4j 2" online.
Thanks for the hint and sorry for the inconvenience. The link should work now. Could you please try again?
Well, it is not a virus, but to answer your question: no. The feature that made the software vulnerable comes in version 2 of the log4j library. Express uses the first version, which does not have the vulnerable features.
Bye,
Frank
I did what you said, and after this little change, I can't open models on Aris Architect..
Did it happen to you as well ?
The latest Service Release for 14b, 15bc, and 16c: the readme files state they are for updating log4j to 2.16. Our understanding is that 2.17 is the actual fix for the vulnerability. Is there active development to release new Service Releases for ARIS that include the 2.17 log4j version as a fix?
Just double checking, is ARIS Client (the software running on your local PC) affected? Looking at Empower, to me it seems that only server software is affected. Is this true?
Kind regards,
Yes, a local installation of ARIS Architect (aka LOCAL) isn't affected by Log4J. Although the vulnerable classes are included, there is no attack vector exposed, so they can't be subject to an attack as they aren't exposed.
Cheers
Rune
My understanding: the full fix for this is to update ARIS to version 10 SR16, or better yet SR17 which is expected later this month.
ARIS 10.0 SR17 is already available since end of last week!
Download SR17 from Software AG - Download Center
Cheers
Rune
Hi Rune,
Thanks for that info :)
Do you also have a feature overview?
Best,
Veronika
SR17, like most odd-numbered service releases, doesn't come with new features, but sums up all patches and bugfixes since the last feature-rich service release (an even number such as SR16).
Cheers
Rune
Dear Frank,
we also used ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us that it uses "log4j__V2.3.jar".
Log4j is vulnerable from 2.0-beta9 up to and including 2.14.1.
So please tell me why it should not be vulnerable.
Thanks and best regards
Tobias
Hi Tobias,
> So please tell me why it should not be vulnerable.
uh... V2.3 is not the version number of the log4j library... we use an internal webstart mechanism to name the files... the version 2.3 is the Express version internally.
The log4j version is still an old 1.x version, not providing the vulnerabilities, because this is a much simpler and less powerful version. You can look inside the jar file and see in the manifest which version it actually is.
Bye,
Frank
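A way to run the check Frank describes (read the jar's manifest instead of trusting the file name) against the version range Tobias quotes, as an added example that is not part of this thread and not a Software AG tool; the jar and its manifest contents are constructed here, and the version-ordering rules and result strings are my own assumptions:

```python
import io
import re
import zipfile
from typing import Optional

def build_sample_jar(impl_version: str) -> bytes:
    """Constructed sample (not a real ARIS file): an in-memory jar whose manifest
    declares the given log4j version, mimicking a file named like log4j__V2.3.jar
    where 'V2.3' is an Express version, not the log4j version."""
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: log4j\r\n"
                f"Implementation-Version: {impl_version}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def read_manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Return the version declared in META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # Manifest lines longer than 72 bytes continue on the next line after one space.
    text = text.replace("\r\n ", "").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}: *(\S+)", text, re.M)
        if m:
            return m.group(1)
    return None

def parse_version(v: str) -> tuple:
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple; -betaN sorts before the release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))

def classify(version: Optional[str]) -> str:
    """Map a log4j version onto the range quoted above (2.0-beta9 up to and incl. 2.14.1)."""
    if version is None:
        return "unknown: no version in manifest, inspect the jar contents"
    v = parse_version(version)
    if v[0] == 1:
        return "log4j 1.x: lacks the 2.x lookup feature behind CVE-2021-44228"
    if parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        return "vulnerable: inside the CVE-2021-44228 range"
    return "2.x outside the range: compare with the vendor advisory (thread names 2.17 as the fix)"
```

Run `classify(read_manifest_version(open(path, "rb").read()))` over each jar found under an installation to get a per-file verdict; an `unknown` result means the manifest carries no version and the jar needs a manual look.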