The following information is from a newsletter from Baral dated 12/15/2021.
https://www.baral-geohaus.de/content/wichtiger-sicherheitshinweis-zu-log4shell-update
In the meantime, Log4j 2.16.0 has been released. The following applies to it:
- Log4j 2.15.0 is sufficient for WebGEN and WebNAV, because we do not use the configuration under which 2.15.0 does not completely close the vulnerability.
- Log4j 2.16.0 can be used with WebGEN and WebNAV (incl. SOLR) without any problems.
The following information is from a newsletter from Baral dated 12/13/2021.
https://www.baral-geohaus.de/content/wichtiger-sicherheitshinweis-zu-log4shell/
This notification contains important information and instructions about BARAL software and the critical vulnerability in Log4j2, also known as CVE-2021-44228 or Log4Shell.
BARAL also uses Log4j2 versions affected by the vulnerability (https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=6) in some of its products.
Below you will find an overview and specific instructions on how to deal with the respective products.
If there are any ambiguities or doubts, we recommend removing the application from the network (especially applications that are reachable from the Internet).
The following applications are affected:
- Web GEN
- Web NAV (versions >= 15.0)
- SOLR
Action instructions for Web GEN and Web NAV:
- Download the latest Log4J libraries: https://portal.baral-geohaus.de/public/software/Log4J_2.15.0.zip
- Stop the Tomcat
- In WEB-INF/lib, replace log4j-api-2.XX.XX.jar and log4j-core-2.XX.XX.jar with the files from the download
- Restart the Tomcat
Action instructions for SOLR:
SOLR is a third-party application that is used in conjunction with Web NAV. To secure it, do the following:
- Download the latest Log4J libraries: https://portal.baral-geohaus.de/public/software/Log4J_2.15.0_SOLR.zip
- Stop the SOLR
- In each of the following directories, replace log4j-api-2.XX.XX.jar, log4j-core-2.XX.XX.jar, log4j-1.2-api-2.XX.XX.jar and log4j-slf4j-impl-2.XX.XX.jar with the files from the download:
  - \contrib\prometheus-exporter\lib\
  - \server\lib\ext\
- Restart the SOLR
If you have any questions or problems, please contact your account manager.
The following applications are not affected but contain the corresponding library:
- UTJSC - UT JavaScript Client
Recommended action:
- Stop the Tomcat
- Delete log4j-api-2.XX.XX.jar and log4j-core-2.XX.XX.jar from WEB-INF/lib.
- Restart the Tomcat
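One way to check the result of the replacement and deletion steps above for Web GEN, Web NAV, SOLR and UTJSC, as an added example that is not part of Baral's newsletter: the script lists the Log4j jars named in the instructions under the given directories and flags any older than 2.15.0. The directory arguments and the use of the jar manifest's Implementation-Version entry (with the file name as fallback) are assumptions of this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Minimum version the advisory treats as sufficient for WebGEN/WebNAV.
MIN_VERSION = (2, 15, 0)
# Jar names the advisory lists for replacement or deletion.
JAR_RE = re.compile(
    r"^(log4j-(?:api|core|1\.2-api|slf4j-impl))-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")


def manifest_version(jar_path):
    """Return Implementation-Version from the jar manifest as a tuple, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan(root):
    """Yield (path, artifact, version, ok) for every listed Log4j jar under root."""
    for path in sorted(Path(root).rglob("log4j-*.jar")):
        m = JAR_RE.match(path.name)
        if not m:
            continue
        name_version = tuple(int(g or 0) for g in m.groups()[1:])
        # Prefer the manifest: a renamed old jar still carries its real version.
        version = manifest_version(path) or name_version
        yield path, m.group(1), version, version >= MIN_VERSION


if __name__ == "__main__":
    outdated = 0
    for root in sys.argv[1:]:
        for path, artifact, version, ok in scan(root):
            outdated += not ok
            status = "OK " if ok else "OLD"
            print(f"{status} {artifact} {'.'.join(map(str, version))} {path}")
    sys.exit(1 if outdated else 0)
```

Run it with the Tomcat webapps directory and the SOLR installation directory as arguments; for UTJSC, no log4j-api or log4j-core jar should be listed at all.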
The following applications are not affected:
- Access Filter
- APAK - Automated construction information
- BARAL StreetSmart PlugIn
- Web CODI
Please note that ESRI software used in connection with our software may also be affected by the problem: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/.
In that post, ESRI writes that ArcGIS Enterprise/ArcGIS Server versions < 10.8 are affected by the problem.