Apache Log4j - are we affected? | ARIS BPM Community

Posted by Abdullah N

Posted on Sat, 12/11/2021 - 00:21 in Professional ARIS

Hi all,

You may be already aware of the Log4J bug that is being exploited rabidly.

Are any ARIS software affected? If so, what are the advised steps?

Thanks

1.3k

by Abdullah N Author

Posted on Sun, 12/12/2021 - 02:14

I can confirm ARIS 10 is vulnerable.

Huntress have released a tool which you can use to confirm this. I can't post the link as this forum keeps detecting any links I post as spam! You can find it on HuntressLabs Twitter.

by Abdullah N Author

Posted on Sun, 12/12/2021 - 02:37

Temporary mitigation methods:

You can set SYSTEM variable on Windows Server to mitigate this however a software update (wherever that is ready from Software AG) is strongly advised.

Variable name: LOG4J_FORMAT_MSG_NO_LOOKUP

Variable value: true

I suggest a system reboot. Although you might be able to get away with just restarting ARIS Agent service and all other ARIS components.

by Jordan Tangy

Posted on Sun, 12/12/2021 - 10:34

Hi,

First, thank you for your update.

Is this mitigation method approved by Software AG ?

Thanks

by Abdullah N Author

Posted on Sun, 12/12/2021 - 15:34

I can't confirm that since Software AG's advice appears to be locked behind their Empower portal which I don't have access to (I'm not a direct customer).

It is however a recommendation from Microsoft and I can confirm it works. I'm not allowed to post links it appears but you can find the article by searching "Microsoft’s Response to CVE-2021-44228 Apache Log4j 2" online.

by Jordan Tangy

Posted on Tue, 12/14/2021 - 15:12

I did what you said, and after this little change, I can't open models on Aris Architect..

Did it happen to you as well ?

by Eva Klein

Posted on Sun, 12/12/2021 - 11:36

Please visit the following link for more information: Empower portal

by Jon Klingaman

Posted on Tue, 12/21/2021 - 18:58

The latest Service Relaease for 14b, 15bc, and 16c, the readme files state they are for updating log4j to 2.16. Our understanding is that 2.17 is the actual fix for the vulnerability. Is there a active development to release new Service Releases for ARIS that include the 2.17 log4j version as a fix?

by Vassiliki Spentzou

Posted on Mon, 12/13/2021 - 10:24

Dear Eva

The link for ARIS Connect is not functional Can you pls suggest where to find the recommendations for ARIS Connect pls ?

MAny thanks

by Manny D.

Posted on Mon, 12/13/2021 - 10:39

same here, the Link is not working.

by Vassiliki Spentzou

Posted on Mon, 12/13/2021 - 12:53

Actually it seems the page was renewing. Now it should be fine

by Eva Klein

Posted on Mon, 12/13/2021 - 11:06

Thanks for the hint and sorry for the inconveniences. The link should work now. Could you please try again.

by Louise McDonagh

Posted on Tue, 12/14/2021 - 10:49

Is Aris Express affected by the Apache virus??

by Frank Weyand

Posted on Tue, 12/14/2021 - 11:32

Well, it is not a Virus, but to answer your question: no. The feature, that made the sotware vulnerable, comes an the version 2 of the log4j library. Express uses the first version, that does not have the vulnerable features.

Bye,

Frank

by Tobias Roth

Posted on Tue, 02/08/2022 - 12:57

Dear Frank,

we used also ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us, that it uses "log4j__V2.3.jar".

Log4j is vulnerable from 2.0-beta9 til incl. 2.14.1.

So please tell me why it should not be vulnerable.

Thanks and best regards

Tobias

by Frank Weyand

Posted on Tue, 02/08/2022 - 13:15

Hi Tobias,

> So please tell me why it should not be vulnerable.

uh... V2.3 is not the version number of the log4j version... we use an internal webstart mechanism to name the files... the version 2.3 is the express version internally.

The log4j version is still an old 1.x version, not providing the vulnerabilities, because this is a much simpler version and less powerful. You can look inside the jar file and see in the manifest which version is actually is.

Bye,

Frank

by Tobias Roth

Posted on Wed, 02/09/2022 - 14:14

Thank you Frank for this information

by Harm Verschuren

Posted on Thu, 12/23/2021 - 12:32

Just dubble checking, is ARIS Client (the software running on your local PC) affected? Looking at Empower, to me it seems that only server software is affected. It this true?

Kidn regards,

by Runé Becker

Posted on Mon, 12/27/2021 - 14:39

Yes, a local installaiton of ARIS Architect (aka LOCAL) isn't affected of Log4J. Although there is no attack vector exposed the vulnerable classes are included but can't be subject for an attack as they aren't exposed.

Cheers
Rune

by John Bertolet

Posted on Tue, 01/18/2022 - 15:25

My understanding: the full fix for this is to update ARIS to version 10 SR16, or better yet SR17 which is expected later this month.

by Runé Becker

Posted on Tue, 01/18/2022 - 23:50

ARIS 10.0 SR17 is already available since end of last week!

Download SR17 from Software AG - Download Center

Cheers
Rune

by Veronika Ellermann

Posted on Wed, 01/19/2022 - 09:09

Hi Rune,

Thanks for that info :)
Do you also have a feature overview?
Best,

Veronika

by Runé Becker

Posted on Wed, 01/19/2022 - 17:58

SR17 like most odd service releases don't come with new features, but sum up all patches and bugfixes since the last feature-rich service release (=even number such as SR16).

Cheers
Rune

Apache Log4j - are we affected?

Featured achievement

Leaderboard

Follow us

View posts by tag