...

4.5.1Metabase vulnerable 3)
| Product | CVE-2021-44228 | Fix Status | Fix Release 1) | CVE-2021-45046 / CVE-2021-45105 | Fix Status | Fix Release 2) | How To Upgrade |
|---|---|---|---|---|---|---|---|
| ApplicationInsights | vulnerable - fix available | released - Dec 14 | 1.6.3 | vulnerable - fix available | released - Dec 14 | 1.6.3 | Upgrade ApplicationInsights (≥ v1.5.1) |
| ConnectionsExpert 2.x | vulnerable - fix available | released - Dec 15 | 2.1.3 | vulnerable - fix available | released - Dec 15 | 2.1.3 | Upgrade ConnectionsExpert (> v2.0) |
| ConnectionsExpert 3.x | vulnerable - fix available | released - Dec 16 | 3.1.3 | vulnerable - fix available | released - Dec 16 | 3.1.3 | Upgrade ConnectionsExpert (> v2.0) |
| GreenLight | vulnerable - fix available | released - Dec 15 | 4.5.0 | vulnerable - fix available | released - Dec 15 | 4.5.01 | Upgrading GreenLight - only for >=3.5.x |
| | | | | Metabase vulnerable 3) | waiting for Metabase | | |
| iDNA | vulnerable - fix available | released - Dec 16 | 2.11.1 | vulnerable - fix available | released - Dec 16 | 2.11.1 | Please contact support - all customers should be migrated to iDNA Applications already. |
| iDNA Applications | vulnerable - fix available | released - Dec 13 | 2.1.2 | vulnerable - fix available | released - Dec 13 | 2.2.1.2 | Upgrading iDNA Applications |
| | | | | | waiting for Metabase | 2.2.0 | |
| MarvelClient | safe | | | safe | | | |
| OfficeExpert | vulnerable - fix available | released - Dec 14 | 4.3.3 | vulnerable - fix available | released - Dec 14 | 4.3.3 | Upgrading OfficeExpert |
| | | | | Metabase vulnerable 3) | waiting for Metabase | 4.3.4 | |
| OfficeExpert EPM | safe | | | safe | | | |
| SecurityInsider / GroupExplorer | safe | | | safe | | | |
| SmartChanger | safe | | | safe | | | |
| Document Properties Plugin | safe | | | safe | | | |
| LogViewer Plugin | safe | | | safe | | | |
| Network Monitor Plugin | safe | | | safe | | | |
| PrefTree Plugin | safe | | | safe | | | |
| Tabzilla Plugin | safe | | | safe | | | |
| Timezone Helper Plugin | safe | | | safe | | | |
...

Note: Regarding Metabase

Metabase includes Log4j and is vulnerable to CVE-2021-44228. As a first fix, we update to Metabase 0.40.7, which includes Log4j 2.15.0 and protects against the remote code execution exploit. Releases with this fix are listed in the left part of the table above (the column marked with 1)).

The more recently discovered CVE-2021-45046 requires Log4j 2.16.0, and the even more recent CVE-2021-45105 requires 2.17.0. Both CVEs are fixed in our own code (release in the column marked with 1)), but for our next release we are currently waiting for the Metabase release that includes 2.17.0.
Until then, you can use the release that fixes the problem in our code and manually turn off Metabase:

  • Connect to the appliance with SSH or PuTTY
  • For GreenLight:

    docker stop gl_metabase

  • For OfficeExpert and iDNA Applications:

    docker stop panagenda_metabase
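
A check to go with the stop commands above, as an added example that is not panagenda's own code: it stops whichever of the two Metabase containers named on this page exists and reports whether it will stay stopped. The function names and the `--apply` switch are assumptions of this example; the restart-policy check relies on Docker's documented behaviour that a manually stopped container with policy `always` is started again when the Docker daemon restarts.

```shell
#!/bin/sh
# Added example (not vendor code). Container names are the two given on this page.
METABASE_CONTAINERS="gl_metabase panagenda_metabase"

# Print "<running> <restart-policy>" for a container, or "absent" if
# docker inspect fails (container does not exist or Docker is not reachable).
container_state() {
    if state_out=$(docker inspect -f '{{.State.Running}} {{.HostConfig.RestartPolicy.Name}}' "$1" 2>/dev/null); then
        echo "$state_out"
    else
        echo "absent"
    fi
}

# Map a state string to a verdict.
classify() {
    case "$1" in
        absent)        echo "not-installed" ;;
        true\ *)       echo "still-running" ;;
        # Policy "always": Docker starts the container again when the daemon
        # restarts (for example after an appliance reboot), even after a manual stop.
        false\ always) echo "stopped-returns-on-daemon-restart" ;;
        false\ *)      echo "stopped" ;;
        *)             echo "unknown" ;;
    esac
}

# Stop each Metabase container that exists, then report one verdict per name.
# Returns 1 if a container is still running or a stop command failed.
stop_metabase() {
    rc=0
    for name in $METABASE_CONTAINERS; do
        if [ "$(container_state "$name")" != "absent" ]; then
            docker stop "$name" >/dev/null || rc=1
        fi
        verdict=$(classify "$(container_state "$name")")
        echo "$name: $verdict"
        if [ "$verdict" = "still-running" ]; then rc=1; fi
    done
    return "$rc"
}

# Hypothetical switch: act only when called with --apply, so sourcing is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    stop_metabase
fi
```

A verdict of `stopped-returns-on-daemon-restart` means the container has to be stopped again after the appliance or the Docker daemon is restarted, until the fixed release is installed.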

What happens now? What do I need to do?

We are currently in the process of creating new releases that contain the necessary fixes. Releases for some products are already out, and we are releasing the rest as fast as safely possible. Progress will be tracked in this knowledge base article.

You will need to update any affected products. The releases in the left part of the table (the column marked with 1)) are the important updates that protect you against the more severe CVE and should be applied ASAP. The last release, which fixes less severe issues in Metabase, is in the works.

Our service and support teams are in the process of contacting all our customers to answer questions and help where needed. Please send requests and questions to support@panagenda.com.

...