
Log4j 2 vulnerability

The ONLY impacted component in Sage X3 is Elasticsearch.

Sage X3 V11 and V12 use Elasticsearch 7.9 and above, which are among the Elasticsearch versions impacted by this issue. Sage X3 Version 9 and earlier are not impacted.

On installations where the Sage X3 security best practice recommendations have been followed, there is no risk because Elasticsearch is not exposed to the internal or external networks and is open only to Syracuse.

If you are not sure that Sage X3 security guidelines have been followed:

  • We strongly recommend that all customers follow the Sage X3 security best practices outlined in the Sage X3 online help, especially concerning the Elasticsearch component.

  • An immediate mitigation is to set the JVM option -Dlog4j2.formatMsgNoLookups=true on the Elasticsearch server, as described in this Elasticsearch documentation, and to restart Elasticsearch.
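
One way to confirm that the mitigation above is in place, as an added example that is not Sage or Elastic code: the script reads jvm.options and jvm.options.d/*.options from an Elasticsearch config directory passed as its argument and reports whether the last active setting of the flag is true. The read order (root file, then drop-in files in lexicographic order) and the file names in the constructed sample are assumptions.

```sh
#!/bin/sh
# Added example (not Sage or Elastic code): check whether the mitigation flag
# is active in the Elasticsearch config directory given as $1.
FLAG='-Dlog4j2.formatMsgNoLookups'

# Print the unconditional JVM options from jvm.options and
# jvm.options.d/*.options, one per line, in read order.
# Assumption: root file first, then jvm.options.d in lexicographic order.
# Comment lines (#) and Java-version-prefixed lines ("8:-X...") are skipped,
# so a flag that applies only to some JVM versions is not counted.
active_jvm_options() {
    for f in "$1/jvm.options" "$1"/jvm.options.d/*.options; do
        [ -f "$f" ] || continue
        tr -d '\r' < "$f" |
            sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^-/p'
    done
}

# Echo "mitigated", "missing" or "overridden: <line>"; exit status is 0 only
# when the last active setting of the flag is exactly "=true".
lookup_mitigation_status() {
    last=$(active_jvm_options "$1" | grep -F -- "$FLAG=" | tail -n 1)
    case $last in
        "$FLAG=true") echo "mitigated" ;;
        "")           echo "missing"; return 1 ;;
        *)            echo "overridden: $last"; return 1 ;;
    esac
}

# Constructed sample: the flag is first present only as a comment, then set
# in a drop-in file (hypothetical name log4j.options).
demo() {
    d=$(mktemp -d)
    mkdir "$d/jvm.options.d"
    printf '%s\n' '-Xms4g' "# $FLAG=true" > "$d/jvm.options"
    lookup_mitigation_status "$d" || true   # flag only in a comment
    printf '%s\n' "$FLAG=true" > "$d/jvm.options.d/log4j.options"
    lookup_mitigation_status "$d"           # active drop-in
    rm -rf "$d"
}

if [ "$#" -ge 1 ]; then lookup_mitigation_status "$1"; else demo; fi
```

A "mitigated" result describes the configuration on disk; the running node picks it up only after the restart mentioned above.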

Elasticsearch 7.16.1, which includes the vulnerability fix, is being validated.