In response to the Log4j2 vulnerabilities CVE-2021-45105 and CVE-2021-44228 within Apache environments, a software we use to power our intranet solution (and impacts version 15.0 or higher), IC has created an automated solution for updating your software.
Please update your system as below:
- Save this zip file to the server
- Look for update-es-files-ps-2-18-0.zip at the bottom of the page if this link doesn't work
- Right-click file > click properties > check box beside 'unblock' and click 'apply' - if applicable
- Extract the zip contents to C:\Temp
- Open the update-es-files-ps-2-18-0 folder
- Right-click on the start.bat file and select "Run as Administrator"
- This action will open a new command prompt window and log the events of the update process to the screen
When complete, test that the search function is working on your intranet, to ensure that the process has restarted the application.
In the version 22.214.171.124, the vendor Lucee cleaned out the remaining log4j dependencies that were notifying scanners of key vulnerabilities. At this version, there are some potential incompatibilities with extensions that can affect certain pieces of functionality. Errors are to be expected in these components (described below).
Note: This assumes that your Lucee version is already at least 126.96.36.199.
- Take a checkpoint/snapshot of the server before proceeding.
- Download the JAR file for 188.8.131.52 from the Lucee site. Link
- Identify the path to the Lucee service. Stop the service.
- In the Lucee path, in lucee/lib, remove the old jar files and add the 184.108.40.206 file. Make sure it is unblocked.
- In lucee/tomcat/lucee-server/patches, remove all files.
- Start Lucee.
Post-update error mitigation:
Functionality that can be affected by this version of Lucee (grouped by the extension that it relates to):
Form submission PDF export: In an individual form submission, clicking the PDF to export a file triggers an error.
Mitigation step: Change PDF extension version to 220.127.116.11.
Patch application: During the patch process, the system extracts files from the zip file and places them on the web server
Mitigation step: Change Compress extension version to 18.104.22.168
In-app search: Global search (the search bar in top right corner) is not affected. The search from within applications like Documents and Forms can trigger an error.
Error logging: When an error is triggered in the intranet, it adds extra detail on-screen if that option is selected. This detail may be reduced.
Mitigation step: This extension is not working compatibly at the current version. Please check this space in the future for mitigation steps.
If the update which we are providing today is not performed within your system, remote attackers could exploit the vulnerability and execute arbitrary code through log messages.
We thank you for your patience as our team worked to create the best solution for you, our valued customers. If you have further questions, please let us know by contacting our Support team.