Are the EcoStruxure IT Gateway Server and Database Server Services affected by CVE-2021-44228?

LarryK · ‎2021-12-11

I have not seen any postings, nor received any emails from APC regarding CVE-2021-44228.

Are the ExcoStructure IT Gateway Server or the Database Server affected?

What mitigation steps, if any, are necessary?

Are we in the clear?

Thanks!

Larry

LarryK · ‎2021-12-14

From the Support crew:

We are happy to announce that we have release our latest version of the EcoStruxure IT Gateway to specifically address the latest Log4j2 vulnerability(CVE-2021-44228). For gateways that are enabled for automatic upgrades, we have started to upgrade gateway. If you require a faster response, our recommendation would be to manually upgrade your gateway leveraging the URL listed below.

Please find the download link below.

1.13.1.5 Download Link
https://ecostruxureit.com/download-and-set-up-ecostruxureit-gateway/

Please visit our What's New section to obtain release notes as they become available.

Release Notes
https://helpcenter.ecostruxureit.com/hc/en-us/sections/360002440014-What-s-new-in-EcoStruxure-IT-Gat...

Thank You

See Answer In Context

jonathans · ‎2021-12-12

I believe the answer is yes because the Apache version installed on our site in vulnerable to this CVE.

Would be nice to have an answer.

I am shutting down this application today.

APC_Steve · ‎2021-12-13

Hello @LarryK ,

No, the version of log4j used in the current version of DCE is not vulnerable according to the CVE. We are still awaiting any official company-wide response from our PSO office which, when available, should be posted here:

https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Thanks,

Steve

Jef · ‎2021-12-13

Hi Larry,

Engineering team is currently investigating whether the current Gateway is actually vulnerable in its configuration. It is not believed so at the moment. Will get back to this post as soon as we have more updates.

Kind regards,

Jef

-----

update,

When ITE gateway is installed, it does include a version of log4j (2.14.0.1) which is included in the vulnerability list, however the gateway software runs on the java platform which is configured to disable remote service calls, thus its not possible to execute the exploit from gateway unless someone manages to change gateways java configuration.

The gateway team is testing a gateway update which includes updated log4j release to close this vulnerability permanently.

Kind regards,

Jef

LarryK · ‎2021-12-14

From the Support crew:

We are happy to announce that we have release our latest version of the EcoStruxure IT Gateway to specifically address the latest Log4j2 vulnerability(CVE-2021-44228). For gateways that are enabled for automatic upgrades, we have started to upgrade gateway. If you require a faster response, our recommendation would be to manually upgrade your gateway leveraging the URL listed below.

Please find the download link below.

1.13.1.5 Download Link
https://ecostruxureit.com/download-and-set-up-ecostruxureit-gateway/

Please visit our What's New section to obtain release notes as they become available.

Release Notes
https://helpcenter.ecostruxureit.com/hc/en-us/sections/360002440014-What-s-new-in-EcoStruxure-IT-Gat...

Thank You