EcoStruxure IT forum
Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz
Posted: 2021-12-11 06:44 AM
I have not seen any postings, nor received any emails from APC regarding CVE-2021-44228.
Are the EcoStruxure IT Gateway Server or the Database Server affected?
What mitigation steps, if any, are necessary?
Are we in the clear?
Thanks!
Larry
Posted: 2021-12-14 12:46 PM
From the Support crew:
We are happy to announce that we have released our latest version of the EcoStruxure IT Gateway to specifically address the latest Log4j2 vulnerability (CVE-2021-44228). For gateways that are enabled for automatic upgrades, we have started to upgrade the gateway. If you require a faster response, our recommendation would be to manually upgrade your gateway leveraging the URL listed below.
Please find the download link below.
1.13.1.5 Download Link
https://ecostruxureit.com/download-and-set-up-ecostruxureit-gateway/
Please visit our What's New section to obtain release notes as they become available.
Release Notes
https://helpcenter.ecostruxureit.com/hc/en-us/sections/360002440014-What-s-new-in-EcoStruxure-IT-Gat...
Thank You
Posted: 2021-12-12 01:09 PM
I believe the answer is yes because the Apache version installed on our site is vulnerable to this CVE.
Would be nice to have an answer.
I am shutting down this application today.
Posted: 2021-12-13 05:36 AM
Hello @LarryK ,
No, the version of log4j used in the current version of DCE is not vulnerable according to the CVE. We are still awaiting any official company-wide response from our PSO office which, when available, should be posted here:
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Thanks,
Steve
Posted: 2021-12-13 05:44 AM . Last Modified: 2021-12-14 12:24 AM
Hi Larry,
Engineering team is currently investigating whether the current Gateway is actually vulnerable in its configuration. It is not believed so at the moment. Will get back to this post as soon as we have more updates.
Kind regards,
Jef
-----
Update:
When ITE gateway is installed, it does include a version of log4j (2.14.0.1) which is included in the vulnerability list; however, the gateway software runs on the Java platform, which is configured to disable remote service calls, thus it's not possible to execute the exploit from the gateway unless someone manages to change the gateway's Java configuration.
The gateway team is testing a gateway update which includes an updated log4j release to close this vulnerability permanently.
Kind regards,
Jef
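Added example, not part of the thread and not Schneider Electric code: one way to confirm which log4j-core an installed application actually bundles, before and after an upgrade, is to walk its install directory and inspect every archive, including jars nested inside other jars. The sample tree and its version numbers are constructed for the demonstration, and the directory you pass to `scan_tree` is your own install path.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Class whose JNDI lookup behaviour CVE-2021-44228 concerns; fixed upstream in log4j-core 2.15.0.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def _scan_zip(zf, label, name, findings):
    names = zf.namelist()
    m, has_jndi = NAME_RE.search(name), JNDI_CLASS in names
    if m or has_jndi:
        version = tuple(int(x) for x in m.group(1).split(".")) if m else None
        # Unknown version plus JndiLookup (e.g. a shaded jar) is flagged for manual review.
        review = has_jndi and (version is None or version < (2, 15))
        findings.append({"path": label, "version": version,
                         "jndi_lookup": has_jndi, "needs_review": review})
    for n in names:  # recurse into archives bundled inside this one
        if n.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    _scan_zip(inner, f"{label}!{n}", n.rsplit("/", 1)[-1], findings)
            except zipfile.BadZipFile:
                pass

def scan_tree(root):
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(p) as zf:
                    _scan_zip(zf, str(p), p.name, findings)
            except zipfile.BadZipFile:
                continue
    return findings

def build_sample(root):
    """Constructed sample: a fat jar bundling log4j-core 2.14.0 and a standalone 2.17.1 jar."""
    def jar(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for fname, data in files.items():
                z.writestr(fname, data)
        return buf.getvalue()
    Path(root, "app.jar").write_bytes(jar({"BOOT-INF/lib/log4j-core-2.14.0.jar": jar({JNDI_CLASS: b""})}))
    Path(root, "log4j-core-2.17.1.jar").write_bytes(jar({JNDI_CLASS: b""}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for f in scan_tree(d):
            print(f)
```

A `needs_review` hit means the jar predates 2.15.0 or its version could not be read from the file name; it does not by itself say whether the running configuration is exploitable.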