
ALERT: Log4j Vulnerability (CVE-2021-44228)

The ONLY impacted component in Sage X3 is Elasticsearch.

Sage X3 V11 and V12 use Elasticsearch 7.9 and above, which are among the Elasticsearch versions impacted by this issue. Sage X3 Version 9 and earlier are not impacted.

On installations where the Sage X3 security best practice recommendations are implemented, the risk is already mitigated because Elasticsearch is not exposed to the internal or external networks and accepts connections only from the Syracuse node.

If you are not sure that the Sage X3 security guidelines have been followed, there are two steps you can take:
1.  We strongly recommend that all customers follow the Sage X3 security best practices outlined in the Sage X3 online help, especially concerning the Elasticsearch component. This in itself will provide suitable protection.
2.  An additional immediate mitigation is to set the JVM option "-Dlog4j2.formatMsgNoLookups=true" on the Elasticsearch server, as described in this Elasticsearch documentation (https://www.elastic.co/guide/en/elasticsearch/reference/7.16/advanced-configuration.html#set-jvm-options). Add this line to the existing "jvm.options" file located in the "<ELASTICSEARCH_HOME>\config" directory. The change then requires a restart of the Elasticsearch service.
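
The following PowerShell script is an added example, not Sage's or Elastic's own tooling, showing one way to apply step 2 without duplicating the line or leaving a conflicting entry behind. It assumes you pass your own <ELASTICSEARCH_HOME> as the hypothetical -EsHome parameter, and it does not restart the service because the service name depends on the installation.

```powershell
# Added example: idempotently apply the Log4j lookup mitigation to jvm.options.
# -EsHome is a placeholder parameter; pass your own <ELASTICSEARCH_HOME>.
param(
    [Parameter(Mandatory = $true)]
    [string]$EsHome
)

$flag        = '-Dlog4j2.formatMsgNoLookups'
$wanted      = "$flag=true"
$optionsFile = Join-Path $EsHome 'config\jvm.options'

if (-not (Test-Path -LiteralPath $optionsFile)) {
    throw "jvm.options not found at $optionsFile"
}

$lines = @(Get-Content -LiteralPath $optionsFile)

# Only active lines count: a commented-out flag (#...) is not applied by the JVM.
$active = @($lines | Where-Object {
    $_.Trim() -ne '' -and -not $_.TrimStart().StartsWith('#')
})

# jvm.options lines may carry a JVM-version prefix such as "8:" or "8-13:".
# Strip it, then keep only entries that set this flag (case-sensitive name match).
$settings = @($active |
    ForEach-Object { $_.Trim() -replace '^\d+(-\d*)?:', '' } |
    Where-Object { $_ -clike "$flag=*" })

# An entry such as "...=false" would leave lookups enabled; stop rather than guess.
$conflicting = @($settings | Where-Object { $_ -ne $wanted })
if ($conflicting.Count -gt 0) {
    throw "Conflicting entry in ${optionsFile}: $($conflicting -join ', '). Correct it by hand."
}

if ($settings.Count -gt 0) {
    Write-Output "Mitigation already present in $optionsFile"
}
else {
    # Keep a backup, then append. The empty first element terminates the
    # last existing line if the file does not end with a newline.
    Copy-Item -LiteralPath $optionsFile -Destination "$optionsFile.bak"
    Add-Content -LiteralPath $optionsFile -Value @('', $wanted)
    Write-Output "Added $wanted to $optionsFile (backup: $optionsFile.bak)."
    Write-Output "Restart the Elasticsearch service for the option to take effect."
}
```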

More specific technical details about this issue and its impact on Elasticsearch are discussed in the Elastic announcement at https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476, which at the time of writing confirms that this advice also stands in relation to CVE-2021-45046.

Sage are currently validating Elasticsearch 7.16.1, which already includes the JVM option fix for this vulnerability, for use with Sage X3.

NOTE: If you are using Version 11 patch 18 or earlier with Elasticsearch 6.8, the above advice will also be relevant to you, but in this case you should follow the security best practice. You may also want to consider upgrading to the latest Sage X3 patches in order to utilise the latest and best levels of security and performance.