Apache Log4J CVE-2021-44228: Updates
Latest update: 26.01.2022, 3:00 PM
Create date: 13.12.2021, 9:00 AM
Content of the last updates: see changelog
Overview of recently released versions of log4j
Here we give guidance on how to best proceed with the log4j versions deployed with your IntraFind components.
log4j-2.0 - 2.14
These versions contain the original Log4Shell vulnerability (CVE-2021-44228). We strongly recommend updating to the current log4j version using our update tool.
log4j-2.15
The vulnerabilities found in this version are far less applicable to IntraFind products than the original issue in earlier log4j versions. We still recommend updating to the most recent version to eliminate even this small residual risk.
log4j-2.16
The problems detected in this version affect log4j features that IntraFind products do not use. For a clean and final fix of the Log4Shell problem, we nevertheless recommend updating to the latest version (2.17.1).
log4j-2.17
A less serious security risk was identified in this version. It does not cause problems under normal circumstances and is not related to the original Log4Shell issue. In the spirit of a clean and final elimination of Log4Shell, you can update to the current version 2.17.1 using the update tool.
log4j-2.17.1
This is the latest version of log4j rolled out with our update tool.
Which IntraFind products are affected?
iFinder
Since iFinder version 5.4.2 (March 2021), the library log4j2 has been shipped as part of the product itself, so these versions are directly affected. Older versions from 5.2.0 up to and including 5.4.1 are affected indirectly through the bundled Elasticsearch. iFinder releases older than 5.2.0 are not affected.
Known affected versions
- 5.2.0
- 5.2.1
- 5.3.0
- 5.3.1
- 5.3.2
- 5.3.3
- 5.3.4
- 5.3.5
- 5.4.0
- 5.4.1
- 5.4.2
- 5.4.3
- 5.4.4
- 5.4.5
- 5.4.6
- 5.5.0
Contract Analyzer
The Contract Analyzer is already protected.
Topic Finder
Known affected versions
- 5.0.4
- 5.0.5
Tagging Service
Known affected versions
- 2.6.5
- 2.6.6
iFinder Search for Confluence
Known affected versions
- if-pl-ifcs7-5.4.2.0_7.0.1-7.11.1.0.0.obr
- if-pl-ifcs7-5.4.3.5_7.0.1-7.11.1.2.5.1.obr
- if-pl-ifcs7-5.4.3.5_7.0.1-7.11.1.2.5.7.obr
- if-pl-ifcs7-5.4.4.0_7.0.1-7.12.1.3.0.obr
- if-pl-ifcs7-5.4.4.4_7.0.1-7.12.1.3.4.obr
- if-pl-ifcs7-5.4.5.0.obr
Patch releases for all affected versions are available. Version 5.4.5.3-log4j-patch can be downloaded directly from the Atlassian Confluence Marketplace. For all other versions, please contact our support team.
The iFinder Search for Confluence plugin uses the Confluence logging infrastructure. Please refer to Atlassian for assessments of vulnerability and possible mitigations: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html.
IntraFind linguistics plugin for Elasticsearch
The IntraFind linguistics plugin runs inside the Elasticsearch JVM and shares its logging framework; Elasticsearch has used log4j2 since version 5.0. The plugin needs additional Java Security Manager permissions, which loosen the sandbox that would otherwise limit what an exploit running inside Elasticsearch can do, so the vulnerability is more severe in this setup than in a stock Elasticsearch node. To protect your Elasticsearch installation, either replace the log4j jars in the Elasticsearch lib directory with the current version, or disable the vulnerable lookup feature as described in the Elastic announcement linked below (the system property log4j2.formatMsgNoLookups=true in jvm.options). Note that the property only takes effect on log4j 2.10 and newer; for older versions the jars must be replaced or the JndiLookup class removed. See below for more detailed instructions.
How can IntraFind systems be protected?
IntraFind will provide log4j2 patch releases for all affected and still supported product versions at short notice.
Available Security patches
- 5.5.0: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.5.0/en/release-notes/release-notes-5-5-0
- 5.4.6: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.4.6/en/release-notes/release-notes-5-4-6
- 5.4.5: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.4.5/en/release-notes/release-notes-5-4-5
- 5.4.4: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.4.4/en/release-notes/release-notes-5-4-4
- 5.4.3: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.3.4/en/release-notes/release-notes-5-4-3
- 5.4.2: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.3.4/en/release-notes/release-notes-5-4-2
- 5.4.1: Security patch available, Release Notes: https://extranet.intrafind.de/tecdoc/5.4.1/en/release-notes/release-notes-5-4-1
For our Release Notes you need an Extranet account. If you do not have an account yet you can request it here.
Please check this page for updates.
Until a patch for your version is available, there are two possible mitigation strategies, described below. Please contact our professional services team if you need further assistance.
Preferred Solution: Replace the log4j2 libraries with the latest release
The vulnerability can be fixed by replacing all log4j libraries in your IntraFind components with the latest version of the library, which contains the fix.
We provide a tool for this purpose that performs this update automatically:
Please download the tool here: https://intrafind.org/log4j/
Follow the instructions in the file Readme.pdf in the download folder above, or directly here on Github.
Follow recent developments and updates in the changelog.pdf and here on Github.
Alternative solution: Disabling the feature in log4j configuration
Using the if-log4shell-updater tool is the preferred way to secure your IntraFind products against exploitation of the Log4Shell vulnerability.
As an alternative, we describe here a widely accepted way of neutralizing the vulnerability without replacing any files: disabling the relevant lookup functionality in log4j via a Java system property or an environment variable (cf. the BSI advisory, in German).
We recommend this method only where using the if-log4shell-updater tool is not feasible. Two caveats apply: the property is honored only by log4j 2.10 and newer, and it does not cover every attack path that later log4j releases closed, so it is a stopgap, not a replacement for updating to the current version.
Please find more details here on Github.
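The version overview at the top of this page and the two mitigation strategies above both come down to the same two questions for every log4j-core jar on a host: which version is it, and does it still contain the JndiLookup class that implements the lookup behind CVE-2021-44228? The following script is an added example written for this page, not the if-log4shell-updater tool or any other IntraFind code. It walks a directory tree, reads the version from each jar's manifest (falling back to the file name), classifies it according to the overview above, and, as a fallback where replacing the jar is not possible, strips the JndiLookup class out of the archive. The directory layout and the jars it scans are constructed fixtures; real jars contain far more than the two entries written here.

```python
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup exploited by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")

# Status strings follow the version overview on this page.
STATUS_VULNERABLE = "2.0-2.14: Log4Shell, update (fallback: remove JndiLookup)"
STATUS_MITIGATED = "2.0-2.14: JndiLookup removed, still update to 2.17.1"
STATUS_215 = "2.15: residual issue, update to 2.17.1"   # CVE-2021-45046
STATUS_216 = "2.16: residual issue, update to 2.17.1"   # CVE-2021-45105
STATUS_217 = "2.17.0: residual issue, update to 2.17.1" # CVE-2021-44832
STATUS_OK = "2.17.1 or later: current"
STATUS_OTHER = "not log4j 2.x: out of scope here"


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def classify(version, jndi_present):
    """Map a log4j-core version (and whether JndiLookup is still in the jar) to a status."""
    v = parse_version(version)
    if v[0] != 2:
        return STATUS_OTHER
    if v >= (2, 17, 1):
        return STATUS_OK
    if v >= (2, 17):
        return STATUS_217
    if v >= (2, 16):
        return STATUS_216
    if v >= (2, 15):
        return STATUS_215
    # 2.0-2.14: only the presence of the class decides between exploitable and mitigated.
    return STATUS_VULNERABLE if jndi_present else STATUS_MITIGATED


def jar_version(path, zf):
    """Prefer the manifest's Implementation-Version (survives renamed jars), else the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except KeyError:
        pass
    m = FILENAME_RE.search(path.name)
    return m.group(1) if m else None


def scan(root):
    """Return (relative_path, version, status) for every log4j-core jar below root."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("log4j-core-*.jar")):
        with zipfile.ZipFile(path) as zf:
            version = jar_version(path, zf)
            jndi = JNDI_CLASS in zf.namelist()
        if version is not None:
            results.append((path.relative_to(root).as_posix(), version, classify(version, jndi)))
    return results


def remove_jndi_lookup(jar_path):
    """Fallback mitigation: rewrite the jar without JndiLookup.class. Returns True if it was removed."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written jar
    else:
        tmp.unlink()
    return removed


def write_jar(path, version, with_jndi):
    """Constructed fixture: a minimal jar with only the entries the scanner looks at."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


# Constructed sample installation; the directory names are hypothetical.
SAMPLES = {
    "ifinder/lib/log4j-core-2.14.1.jar": ("2.14.1", True),
    "elasticsearch/lib/log4j-core-2.11.1.jar": ("2.11.1", False),  # class already stripped
    "tool/lib/log4j-core-2.15.0.jar": ("2.15.0", True),
    "patched/lib/log4j-core-2.17.1.jar": ("2.17.1", True),  # class still ships, lookup disabled
}


def run_demo():
    """Build the fixture tree, scan it, strip the one exploitable jar, and scan again."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for rel, (version, with_jndi) in SAMPLES.items():
        write_jar(Path(root) / rel, version, with_jndi)
    before = {rel: status for rel, _v, status in scan(root)}
    for rel, _v, status in scan(root):
        if status == STATUS_VULNERABLE:
            remove_jndi_lookup(Path(root) / rel)
    after = {rel: status for rel, _v, status in scan(root)}
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for label, table in zip(("before", "after"), run_demo()):
        for rel, status in table.items():
            print(f"{label:6} {rel:45} {status}")
```

Point `scan()` at the installation root of a real IntraFind or Elasticsearch host to get an inventory; only the 2.0-2.14 range changes status after `remove_jndi_lookup()`, because for 2.15 and later the remaining issues do not depend on that class and only an update to 2.17.1 clears them. The class removal stops the JNDI lookup from loading at all, which is why it also covers log4j versions older than 2.10 that ignore the formatMsgNoLookups property.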
Updates
In urgent cases, please contact your direct contact person at IntraFind.
Changelog
Changes in the update tool: please check the updates in our update tool right here in Github.
--------------------
Updates on this website
01/26/2022, 3:00 pm: New security patch for version 5.4.1
01/17/2022, 3:30 pm: New log4j version log4j-2.17.1
01/13/2022, 3:00 pm: New security patch for version 5.4.2
12/23/2021, 11:30 am: Overview on how to deal with the different log4j2 versions.
12/22/2021, 1:30 pm: New security patch for version 5.4.5
12/21/2021, 11:00 am: New security patch for version 5.4.4
12/21/2021, 10:00 am: New security patch for version 5.3.4
Further information and links
- Details regarding the situation: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- Elastic announcement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476