What has happened?
Recently a critical vulnerability (CVE-2021-44228) was discovered in the Apache Log4j library. This vulnerability can be exploited remotely without authentication and allows remote code execution. It ranks a 10 out of 10 on the CVSS severity level. It has pretty much set the world aflame. You can get more about what happened here and an overview with more links here.
More vulnerabilities are being discovered (CVE-2021-4104, CVE-2021-45046), information on them can be found below.
Are panagenda products affected?
Yes. CVE-2021-44228 affects several of our products.
Update 2021-12-14: Another vulnerability related to Log4j has popped up: CVE-2021-4104. None of our products are vulnerable to this new CVE.
Update 2021-12-15: A third vulnerability, CVE-2021-45046, has been discovered. Some of our products are vulnerable. This CVE is only classed as a 3.7 out of 10, and can only be used to perform a DOS (denial-of-service) attack.
After the first vulnerability was published, we immediately started checking all our products for exposure to it. As was to be feared, many of our products use Log4j (or include third-party components that do), are therefore vulnerable, and need to be updated.
- ApplicationInsights, ConnectionsExpert, iDNA, and iDNA Applications use some Log4j directly. We will remove Log4j completely to resolve this and reliably prevent any further issues.
- GreenLight, iDNA Applications, and OfficeExpert include Metabase which uses Log4j. We will update the Metabase version in all these products to a safe release.
Regarding Metabase
Metabase includes Log4j and is vulnerable to CVE-2021-44228. For a first fix we update to Metabase 0.40.7 (which includes Log4j 2.15.0).
The more recently discovered CVE-2021-45046 requires Log4j 2.16.0 for which no Metabase release is available yet. However: this newer CVE is far less critical, and according to Metabase developers it should not even be affected by it. Still, we are waiting for a new Metabase version and will create new releases once it is available just to be as safe as possible. In the meantime, if you are unsure, you can update to the fix version for the original CVE and turn off Metabase in the affected products
Overview and Status
Product | CVE-2021-44228 | Fix Status | Fix Release | CVE-2021-45046 | Fix Status (all CVEs) | Fix Release | How To Upgrade | ||
---|---|---|---|---|---|---|---|---|---|
ApplicationInsights | vulnerable - fix available | released - Dec 14 | 1.6.3 | vulnerable - fix available | released - Dec 14 | 1.6.3 | Upgrade ApplicationInsights (≥ v1.5.1) | ||
ConnectionsExpert 2.x | vulnerable - fix available | released - Dec 15 | 2.1.3 | vulnerable - fix available | released - Dec 15 | 2.1.3 | Upgrade ConnectionsExpert (> v2.0) | ||
ConnectionsExpert 3.x | vulnerable | in testing | 3.0.2 | vulnerable | in testing | 3.0.2 | Upgrade ConnectionsExpert (> v2.0) | ||
GreenLight | vulnerable - fix available | released - Dec 15 | 4.5.0 | Upgrading GreenLight - only for >=3.5.x | |||||
iDNA | vulnerable | in testing | 2.11.1 | vulnerable | in testing | 2.11.1 | please contact support | ||
iDNA Applications | vulnerable - fix available | released - Dec 13 | 2.1.2 | potentially vulnerable | waiting for Metabase | 2 | Upgrading iDNA Applications | ||
MarvelClient | safe | safe | |||||||
OfficeExpert | vulnerable - fix available | released - Dec 14 | 4.3.3 | Upgrading OfficeExpert | |||||
OfficeExpert EPM | safe | safe | |||||||
SecurityInsider / GroupExplorer | safe | safe | |||||||
SmartChanger | safe | safe | |||||||
Document Properties Plugin | safe | safe | |||||||
LogViewer Plugin | safe | safe | |||||||
Network Monitor Plugin | safe | safe | |||||||
PrefTree Plugin | safe | safe | |||||||
Tabzilla Plugin | safe | safe | |||||||
Timezone Helper Plugin | safe | safe |
(Table will be continuously updated)
What happens now? What do I need to do?
We are currently in the process of creating new releases that contain the necessary fixes. Releases for some products are already out, and we are releasing the rest as fast as safely possible. Progress will be tracked in this knowledge base article. You can also follow our corresponding blog post.
You will need to update any products that are affected. Our service and support teams are in the process of contacting all our customers to answer questions and help where needed.
Please send requests and questions to support@panagenda.com
We will keep updating this post with more information as it becomes available.