21.12.2021

An Update on the Apache Log4J CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 Vulnerabilities


ACTICO is actively responding to the reported remote code execution vulnerability CVE-2021-44228, dubbed Log4Shell, in the Apache Log4J2 Java library, and also to the newly discovered vulnerabilities CVE-2021-45046 in log4j 2.15.0 and CVE-2021-45105 in Log4J 2.16.0.
We are investigating and taking action for ACTICO as an enterprise, and for ACTICO products and ACTICO services that may potentially be impacted, and will continually publish information to help customers detect, investigate and mitigate attacks, if any, on their ACTICO products and services.

IMPORTANT:
We strongly recommend applying the mitigations proposed by Log4J (https://logging.apache.org/log4j/2.x/security.html) and installing the updates provided by ACTICO!
For information about specific ACTICO products and versions see below.

ACTICO
ACTICO is continuing to inventory our products and systems potentially impacted by the vulnerability. As necessary, we are updating to Log4J version 2.16, which fixes the vulnerability, and applying mitigations in the interim, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.

ACTICO Software Products
ACTICO is continuing a product-by-product analysis for Log4J impacts. If an ACTICO Software product is impacted, there will be an update on this news post as a remediation or fix becomes available. Such on-premise ACTICO products will then have to be updated by the customer.

CVE-2021-44228 (log4j < 2.15.0):
We have found several ACTICO products to contain vulnerable versions of the log4j library and are providing updates of these products that now contain log4j 2.16.0.

CVE-2021-45046 (log4j 2.15.0):
We have skipped this version of the log4j library and provided updates of ACTICO products containing log4j 2.16.0.

CVE-2021-45105 (log4J 2.16.0):
We have found ACTICO products not to be affected by this vulnerability with the default logging configuration contained in the products. The configurations do not contain any context lookups.
That is why ACTICO is currently not planning to provide an emergency update of its products with log4j 2.17.0, but will update to 2.17.0+ at a later time.

 

ACTICO Professional Services
ACTICO Professional Services will continue to work directly with its clients in support of the remediation of custom applications and services through its support processes.

ACTICO Cloud and as-a-Service Products
For ACTICO Cloud services, ACTICO is remediating managed as-a-service Cloud offerings as applicable, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.
ACTICO is continuing to assess and remediate any remaining services using Log4J and validate that mitigating controls remain effective.

 

If you have specific questions, please send an email to support@actico.com to open a ticket.

 

ACTICO Platform 9.1

ACTICO Platform 9.1 components are affected by CVE-2021-44228.

For Model Hub, Workplace and Execution Server: Add the recommended mitigation to the start scripts.

An updated release is planned for Saturday Dec 18 2021 which uses log4j 2.16.0. We recommend updating, but also recommend leaving the mitigations in place.

Be aware that your model projects can define their own library dependencies, possibly including the problematic versions of Log4J2. This is beyond the control of ACTICO. Even when using the upcoming ACTICO Platform 9 release, which only includes log4j 2.16, you might still be affected when your models still have a dependency on a vulnerable Log4J2 version.

It is for that reason that the start scripts of the upcoming Model Hub, Workplace and Execution Server will contain the system property log4j2.formatMsgNoLookups=true. We will continue to include this setting in future releases as well, to keep you safe and enable you to continue to use existing models and libraries.
Additionally, the new Engine has a mechanism to use its own log4j 2.16.0 version, even if the model defines a dependency on an older one.

Runtimes: Rules Runtime and Rules DB Integrator (aka DBC Runtime) are not affected, but DMN Runtime is affected.

Customers using ACTICO Engine in their own application are advised to also set the Java system property log4j2.formatMsgNoLookups=true or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the application embedding the Engine. This has to be kept in place as long as any model still uses a vulnerable Log4J2 library version.
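A POSIX shell helper, added here and not part of ACTICO's start scripts, that scans a model project's library folder for bundled log4j-core jars, maps each version to the CVE this advisory names for it, and adds the recommended system property to a JAVA_OPTS string exactly once. It assumes jars are named log4j-core-<version>.jar and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not ACTICO's start scripts. Version thresholds follow the
# advisory: log4j-core < 2.15.0 -> CVE-2021-44228, 2.15.0 -> CVE-2021-45046,
# 2.16.0 -> CVE-2021-45105, 2.17.0 or later -> none of the three.
# (The 2.3.x/2.12.x backport fixes are not discussed in the advisory and are
# not distinguished here.)

# classify_log4j_core VERSION: print the advisory CVE that applies, or "none".
classify_log4j_core() {
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
    case "$major" in 2) ;; *) echo "not-log4j2"; return ;; esac
    if [ "$minor" -lt 15 ]; then echo "CVE-2021-44228"
    elif [ "$minor" -eq 15 ]; then echo "CVE-2021-45046"
    elif [ "$minor" -eq 16 ]; then echo "CVE-2021-45105"
    else echo "none"
    fi
}

# scan_model_libs DIR: print "path version cve" for every log4j-core jar under
# DIR (e.g. a model project's lib folder). Returns 1 if any jar matches one of
# the three CVEs, so a deployment step can be gated on it.
scan_model_libs() {
    hits=0
    for jar in $(find "$1" -name 'log4j-core-*.jar' 2>/dev/null); do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        cve=$(classify_log4j_core "$ver")
        echo "$jar $ver $cve"
        case "$cve" in CVE-*) hits=1 ;; esac
    done
    return $hits
}

# java_opts_with_mitigation OPTS: return OPTS with the system property the
# advisory puts in its start scripts, appended only if not already present.
java_opts_with_mitigation() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) printf '%s' "$1" ;;
        *) printf '%s' "${1:+$1 }-Dlog4j2.formatMsgNoLookups=true" ;;
    esac
}
```

Note that the Log4J security page linked above states the formatMsgNoLookups property is only honoured by log4j 2.10 through 2.14.1; a bundled older 2.x jar needs the other mitigation described there, which is why the scan reports the version as well as the CVE.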

 

Model Hub 8.1 and Modeler 8.1

Model Hub 8.1 and Modeler 8.1 are affected by CVE-2021-44228.

For Model Hub: Add the recommended mitigation to the start scripts.

An updated Model Hub 8.1 release is planned for Friday, Dec 18 2021 which uses log4j 2.16.0.

An updated Modeler 8.1 release is planned for Friday, Dec 17 2021 which uses log4j 2.16.0.

Runtimes are not affected.

 

Workplace 3.8

Workplace 3.8 is affected by CVE-2021-44228.

Add the recommended mitigation to the start scripts.

A new release is planned for Wednesday, Dec 15 2021 which uses log4j 2.16.0.

Be aware that your rule projects can define their own library dependencies, possibly including the problematic versions of Log4J2. This is beyond the control of ACTICO. Even when using the upcoming Workplace 3.8 release, which only includes log4j 2.16, you might still be affected when your models still have a dependency on a vulnerable Log4J2 version.

It is for that reason that the start script of upcoming Workplace 3.8 releases will contain the system property log4j2.formatMsgNoLookups=true. We will continue to include this setting in future releases as well, to keep you safe and enable you to continue to use existing models and libraries.

 

ACTICO Rules 6.8 (Modeler, Team Server, Execution Server, Identity Management)

ACTICO Rules 6.8 is not affected.

We will not provide an update.

Be aware that your rule projects can define their own library dependencies, possibly including the problematic versions of Log4J2. This is beyond the control of ACTICO. So you might still want to apply the recommended mitigations to the application server (e.g. Tomcat) running Execution Server.

 

Visual Rules 7.2 / 8.0

Visual Rules 7.2 / 8.0 are not affected.

We will not provide an update.

Be aware that your rule projects can define their own library dependencies, possibly including the problematic versions of Log4J2. This is beyond the control of ACTICO.
So you might still want to apply the recommended mitigations.