2021-12-10 Log4J Remote Lookup Vulnerability

iGrafx has released new versions of the Cloud and Datacenter solutions (see https://doc.igrafx.com/doc/release-notes/release-notes-datacenter) to address CVE-2021-44228 as described in https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and detailed in https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/ as well as CVE-2021-45046, detailed in https://nvd.nist.gov/vuln/detail/CVE-2021-45046.

The versions of the iGrafx Platform affected by this vulnerability are:
v16.2.1.3313 - v17.8.3.831.3679

The iGrafx Desktop Client is NOT affected by this and does not need to be updated or fixed.

iGrafx Response for Managed Customers

Cloud Customers

All cloud instances have been updated with a new version of the iGrafx Platform, which includes Log4J version 2.16.0. The updated platforms are protected from the severe vulnerability. We are actively verifying that none of our platforms has been a target of the described attack vector.

iGrafx Response for Internal Infrastructure

All production internal systems have been patched.

  • The remaining systems will get patched in a sequence that follows risk severity priority as determined by our Director of IT and the Dev Ops Team.

iGrafx Response for Data Center/On-Premises Customers

Since this vulnerability presents a serious potential threat, we strongly recommend that you mitigate it immediately.

When updating your iGrafx Platform, make sure to update all nodes (in the case of a clustered setup) and all other environments (such as UAT, Staging, etc.).

The following options for remediation are available to you:

Upgrading to the latest iGrafx Platform 17.8.3.832.3680 or newer

This will mitigate both CVEs. 

Removing the vulnerable class from your deployment

If you cannot upgrade to the latest release, please follow the instructions detailed in "Steps to remediate Log4j 2 CVE-2021-44228 & CVE-2021-45046 without upgrade" to manually fix your deployment.

This will mitigate both CVEs. 

Changing JVM parameters (applicable for iGrafx Platform 17.4.0 up to 17.8.3.831.3679)

If manually removing JndiLookup.class from the log4j-core-2.x.jar file is not possible, CVE-2021-44228 can be mitigated for iGrafx Platform versions v17.4.0 to 17.8.3.831.3679 by adding the Java Options argument -Dlog4j2.formatMsgNoLookups=true to the iGrafx Platform service. See the instructions below.

This WILL NOT mitigate CVE-2021-45046.

The steps are:

  1. Stop the iGrafx Platform Service
  2. Go to the windows folder of your installation and open a command line there
  3. Type manage_service.bat iGrafxPlatform into the command line (if your service name is not the default, you will need to change the service name in this command from iGrafxPlatform to your custom name)
  4. Switch to the Java tab
  5. In the Java Options input field, add a new line with the following Java parameter:
     -Dlog4j2.formatMsgNoLookups=true
  6. Press OK and close the command line
  7. Start the service again.

