Announcement/Log4Shell: Difference between revisions

Revision history (condensed from the diff view): the page was created with the "Event: Log4j vulnerability" section linking to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and a BSI warning (https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf;j..., link truncated in the source); tag: 2017 source edit. Later revisions added the featured-page note "Important information regarding the log4j security flaw." (featured from 12/21/2021) and a minor text replacement of "BlueSpice Cloud" with "BlueSpice cloud"; 3 intermediate revisions by the same user are not shown. The diff also lists the link https://security-tracker.debian.org/tracker/CVE-2021-44228 and the overview entries: older on-premise installations => version of Elasticsearch could be vulnerable; the Docker version => not affected; BlueSpice cloud => not affected; Swarmpit => not affected.
Latest revision as of 10:50, 7 June 2024

Event

Log4j vulnerability

Current vulnerability assessment in BlueSpice (overview)

  • Older versions of BlueSpice 3 (older on-premise installations) => version of Elasticsearch could be vulnerable
  • Inspected components in the Docker image (the Docker version) => not affected
  • BlueSpice cloud => not affected

This is true for instances that we have installed. Customers have to check their part of the installation (i.e., OS, additional packages, etc.)

Detailed assessment

Current version

Older versions of BlueSpice 3

  • Elasticsearch => not vulnerable
    https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
    • Versions 6.8.9+ (released on 13th May 2020) => not vulnerable
    • Version 6.4.0 - 6.8.8: Update of Elasticsearch is recommended.
      => not vulnerable (updating the version during the next BlueSpice update is recommended)
      => vulnerable outside of BlueSpice
    • Versions 6.3.x and below: Update of Elasticsearch is recommended.
      => not vulnerable (updating the version during the next BlueSpice update is recommended)
      => vulnerable outside of BlueSpice

Independently of the Elasticsearch version in use, BlueSpice is not vulnerable due to the setup of Elasticsearch:

  • No direct access: BlueSpice uses Elasticsearch as an internal service. We set up Elasticsearch in such a way that there cannot be any direct access. The only way to access Elasticsearch if you are not working directly on the server is through BlueSpice, which means there is a very controlled set of access vectors: search queries and content which is to be indexed.
  • No logging of data: We use log level WARN on Elasticsearch, which means no data can find its way to the logs. So there is no way an attacker can add custom information to the logs.
  • No pass-through of user data: All communication between BlueSpice and Elasticsearch is done user-agnostic. There is no way Elasticsearch can see which user triggers the communication. The user agent is restricted to the BlueSpice system user.

This is true even if you are running on an older, vulnerable version of Elasticsearch. So we see no urgent action required. Nonetheless, it is recommended to update your Elasticsearch to a non-vulnerable version with the next update of BlueSpice.

If you have changed the Elasticsearch setup to a different log level or loosened the restrictions on Elasticsearch access, you have to check the setup.
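The checks this assessment asks customers to make on their own side can be scripted. The following is an added example, not BlueSpice's or Elastic's tooling: it places an Elasticsearch version into the three buckets listed above and verifies the two setup properties the explanation relies on, the WARN log level and the absence of direct access. It assumes the log level is set via rootLogger.level in Elasticsearch's log4j2.properties and that direct access is governed by network.host in elasticsearch.yml; both are assumptions about a typical installation, not statements from this page. The version string is taken from the JSON that a GET / request to Elasticsearch returns. All inputs are constructed samples, and a version numerically newer than 6.8.9 (for example 7.x) lands in the "6.8.9+" bucket by plain tuple comparison.

```python
"""Local checks derived from the assessment above (added example, not
BlueSpice's own tooling). Classifies an Elasticsearch version into the
page's buckets and verifies the two mitigations the page relies on:
WARN log level and no direct network access. All sample inputs below
are constructed."""
import json
import re

# Version buckets exactly as listed on the page.
NOT_VULNERABLE_FROM = (6, 8, 9)
UPDATE_RANGE_FROM = (6, 4, 0)

# Values of network.host that keep Elasticsearch on the loopback interface.
LOOPBACK_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_version(number: str) -> tuple:
    """Turn '6.8.8' (or '6.8.8-SNAPSHOT') into a comparable tuple of ints."""
    core = number.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def classify_es_version(number: str) -> str:
    """Map a version string to the three buckets the page lists."""
    v = parse_version(number)
    if v >= NOT_VULNERABLE_FROM:
        return "6.8.9+: not vulnerable"
    if v >= UPDATE_RANGE_FROM:
        return ("6.4.0 - 6.8.8: not vulnerable inside BlueSpice, "
                "vulnerable outside; update recommended")
    return ("6.3.x and below: not vulnerable inside BlueSpice, "
            "vulnerable outside; update recommended")


def version_from_root_response(body: str) -> str:
    """Extract version.number from the JSON that 'GET /' on Elasticsearch returns."""
    return json.loads(body)["version"]["number"]


def root_log_level(log4j2_properties: str) -> str:
    """Read rootLogger.level from log4j2.properties (assumed location of the setting)."""
    for line in log4j2_properties.splitlines():
        m = re.match(r"\s*rootLogger\.level\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower()
    return "info"  # assumed default when the key is absent


def network_host(elasticsearch_yml: str) -> str:
    """Read network.host from elasticsearch.yml with a flat line scan
    (no YAML parser, so only simple 'key: value' lines are understood)."""
    for line in elasticsearch_yml.splitlines():
        m = re.match(r"\s*network\.host\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("'\"")
    return "_local_"  # unset: loopback only (assumed default)


def assess(root_body: str, log4j2_properties: str, elasticsearch_yml: str) -> dict:
    """Combine the three checks into one report dict."""
    version = version_from_root_response(root_body)
    level = root_log_level(log4j2_properties)
    host = network_host(elasticsearch_yml)
    findings = {
        "version": version,
        "bucket": classify_es_version(version),
        # WARN or anything quieter matches the page's "log level WARN" setup.
        "log_level_ok": level in {"warn", "error", "fatal", "off"},
        "direct_access_blocked": host in LOOPBACK_HOSTS,
    }
    findings["setup_matches_page"] = (
        findings["log_level_ok"] and findings["direct_access_blocked"]
    )
    return findings


# Constructed samples: a 6.8.8 node, a WARN-level log config, and two
# elasticsearch.yml variants (loopback-only vs. loosened to all interfaces).
SAMPLE_ROOT = ('{"name":"node-1","version":{"number":"6.8.8",'
               '"build_flavor":"default"},"tagline":"You Know, for Search"}')
SAMPLE_LOG4J2 = ("status = error\n"
                 "rootLogger.level = warn\n"
                 "rootLogger.appenderRef.console.ref = console\n")
SAMPLE_YML = "cluster.name: bluespice\nnetwork.host: 127.0.0.1\n"
LOOSENED_YML = "cluster.name: bluespice\nnetwork.host: 0.0.0.0\n"

if __name__ == "__main__":
    print(assess(SAMPLE_ROOT, SAMPLE_LOG4J2, SAMPLE_YML))
    print(assess(SAMPLE_ROOT, SAMPLE_LOG4J2, LOOSENED_YML))
```

Run as-is, the first report shows the constructed 6.8.8 node in the "update recommended" bucket with both setup checks passing; the second, with network.host loosened to 0.0.0.0, reports direct_access_blocked as false, which is exactly the situation the paragraph above says you have to re-check.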

BlueSpice 2

Inspected components in the Docker image

The list of Docker files in the activated packages has been inspected. => not vulnerable

BlueSpice cloud

  • Swarmpit => not affected
  • Drone => not affected


Related links
