Log4j2 Vulnerabilities - CVE-2021-45105 and CVE-2021-44228

In response to the Log4j2 vulnerabilities CVE-2021-45105 and CVE-2021-44228 within Apache environments, a software we use to power our intranet solution (and impacts version 15.0 or higher), IC has created an automated solution for updating your software. 

Please update your system as below: 

Tomcat 9.0.20 and higher

We have two Tomcat upgrade packages, please see below.

https://s3.amazonaws.com/ProductUpdates/update-tomcat9.0.50.zip
https://s3.amazonaws.com/ProductUpdates/update-tomcat9.0.73.zip

IMPORTANT: You must update to 9.0.50 first if you are on an earlier version, due to changes in the code from Tomcat.

  1. Create snapshot / checkpoint of server as back-out plan in case of issues
  2. Download file
  3. Unblock the zip file (right click, properties, uncheck block and save)
  4. Unzip file
  5. Right-click on the start.bat file and select "Run as Administrator"
  6. Confirm updated tomcat via Lucee\Web admin page

Elasticsearch 6.6.2

Steps: 

  1. Save this zip file to the server 
  • Look for update-es-files-ps-2-18-0.zip at the bottom of the page if this link doesn't work
  1. Right-click file > click properties > check box beside 'unblock' and click 'apply' - if applicable
  2. Extract the zip contents to C:\Temp
  3. Open the update-es-files-ps-2-18-0 folder
  4. Right-click on the start.bat file and select "Run as Administrator" 
  • This action will open a new command prompt window and log the events of the update process to the screen

When complete, test that the search function is working on your intranet, to ensure that the process has restarted the application. 

Lucee 5.3.2.77 and higher

In the version 5.3.10.97 and higher, the vendor Lucee cleaned out the remaining log4j dependencies that were notifying scanners of key vulnerabilities.  At this version, there are some potential incompatibilities with extensions that can affect certain pieces of functionality.  Errors are to be expected in these components (described below). 

Note: This assumes that your Lucee version is already at least 5.3.8.201 

Steps: 

  1. Create snapshot / checkpoint of server as back-out plan in case of issues
  2. Update Lucee to 5.3.8.201 in the Lucee\Server interface
    https://support.intranetconnections.com/hc/en-us/articles/115012060627-Railo-Lucee-Configuration#Update-Lucee

  3. Uninstall ESAPI extension through interface in Lucee Server Admin > Applications > ESAPI
  4. Identify the path to the Lucee service via Windows Services. The new Lucee service is called Apache Tomcat 9.0 Lucee
  5. Stop the service
  6. Delete unneeded ESAPI extension file (eg. esapi-extension-2-1-0-17-SNAPSHOT.jar) from Lucee bundles directory on web server hard drive
    Location can be found via the Apache Tomcat 9.0 Lucee Windows Service
    Two default locations are
    C:\sqbox\lucee\tomcat\lucee-server\bundles OR
    C:\lucee\tomcat\lucee-server\bundles
  7. In the Lucee path, in lucee\lib, remove the old jar files leaving the latest version in place
  8. In lucee\tomcat\lucee-server\patches, remove all files
  9. Please download the Lucee 5.3.10.97.JAR from https://download.lucee.org (under the Release column) to c:\temp on the the server, and unblock it.
  10. Stop the service.
  11. Copy the JAR file to the default locations shown below
    C:\sqbox\lucee\lib OR
    C:\lucee\tomcat\lib
  12. Start the Lucee service
  13. Test functionality (in intranet, go to online forms app, click Search, and type in any keyword and search. If there is no error, you are good to go)
  14. Rejoice!

Post-update error mitigation: (ONLY REQUIRED IF THE ABOVE STEPS DO NOT FIX THE ISSUE)

If the above update to Lucee does not fix Directory Search issues etc. please install ESAPI 2.2.0.1 through interface (Lucee Server Admin > Applications > ESAPI). You might need to uninstall the ESAPI application first.

Instructions on how to change extension versions

Functionality that can be affected by this version of Lucee (grouped by the extension that it relates to): 
 
(PDF extension) 


 Form submission PDF export: In an individual form submission, clicking the PDF to export a file triggers an error. 
 
Mitigation step: Change PDF extension version to 1.0.0.94. 

 

(Compress extension) 


Patch application: During the patch process, the system extracts files from the zip file and places them on the web server 
 
Mitigation step: Change Compress extension version to 1.0.0.2 

 

(ESAPI extension) 
Fix mentioned above, below are the previous issues experienced.
In-app search:  Global search (the search bar in top right corner) is not affected.  The search from within applications like Documents and Forms can trigger an error. 

Error logging: When an error is triggered in the intranet, it adds extra detail on-screen if that option is selected.  This detail may be reduced. 

Mitigation step: This extension is not working compatibly at the current version. Please check this space in the future for mitigation steps. 

 

If the update which we are providing today is not performed within your system, remote attackers could exploit the vulnerability and execute arbitrary code through log messages. 

 
We thank you for your patience as our team worked to create the best solution for you, our valued customers. If you have further questions, please let us know by contacting our Support team. 

 

Related articles