
This article contains a list of known security vulnerability reports in Ayfie products.

How to report security vulnerabilities

You may file your request at https://ayfie-dev.atlassian.net/servicedesk/customer/portal/8 or by email to support-nordics@ayfie.com.

Recent security vulnerabilities

Below is a list of already announced CVE security vulnerabilities. Note that security vulnerabilities prior to 2021-12-10 are not listed. Security vulnerabilities after 2022-08-12 are listed in the release notes of the products/services.

2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 shipped a bundled Solr that used a version of the Apache Log4j library vulnerable to remote code execution (RCE). For full impact and additional detail consult the Solr security page at https://solr.apache.org/security.html.

Locator releases prior to 3.3.1 also shipped a bundled ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Locator releases prior to 2.11.903 shipped a bundled Solr that used log4j 1.2.17, which may be vulnerable for installations using non-default logging configurations that include the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Locator releases prior to 2.11.903 also shipped a bundled ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Mitigation:

For Locator 3.x, the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

ZooKeeper mitigation to be announced if any is needed.

For Locator 2.x, either of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 2.11 SR9 or greater (when available), which will include set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.in.cmd by default.

  • Edit your solr.in.cmd file to include set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true and restart the Locator Index Service. solr.in.cmd is located in <Program Files>\ayfie\Locator\SOLR\bin\.
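As an added example (not from the Ayfie advisory), the following PowerShell checks whether the Locator 2.x solr.in.cmd already carries the -Dlog4j2.formatMsgNoLookups=true setting on an active SOLR_OPTS line and appends the documented line when it is missing. It assumes <Program Files> resolves to $env:ProgramFiles and leaves the service restart to the operator, since the advisory does not name the Windows service.

```powershell
# Added example, not Ayfie code. Verifies/applies the Locator 2.x mitigation
# line from the advisory in solr.in.cmd. Path assumption: <Program Files> = $env:ProgramFiles.
$MitigationLine = 'set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true'
$DefaultPath    = Join-Path $env:ProgramFiles 'ayfie\Locator\SOLR\bin\solr.in.cmd'

function Test-SolrNoLookupsMitigation {
    # Returns $true when an active (uncommented) "set SOLR_OPTS=" line sets formatMsgNoLookups=true.
    param([string]$Path = $DefaultPath)
    if (-not (Test-Path -LiteralPath $Path)) { throw "solr.in.cmd not found at $Path" }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^(REM|::)') { continue }   # skip cmd comment lines
        if ($t -match '^set\s+SOLR_OPTS=' -and $t -match '-Dlog4j2\.formatMsgNoLookups=true') {
            return $true
        }
    }
    return $false
}

function Add-SolrNoLookupsMitigation {
    # Appends the advisory's line once; -WhatIf previews the change without writing.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $DefaultPath)
    if (Test-SolrNoLookupsMitigation -Path $Path) {
        Write-Verbose "Mitigation already present in $Path"
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, "Append '$MitigationLine'")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a backup
        Add-Content -LiteralPath $Path -Value $MitigationLine -Encoding ASCII
        Write-Warning 'Restart the Locator Index Service for the new SOLR_OPTS to take effect.'
    }
}

# Preview first; drop -WhatIf to apply.
Add-SolrNoLookupsMitigation -WhatIf
```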

Description / Affected / Not affected

Date: 2022-08-12
Description: Security vulnerability in Ayfie Saga metrics UI (Grafana)
  • All other products.

Date: 2022-07-04
Description: Security vulnerability in Ayfie Saga metrics UI (Grafana)
  • All other products.

Date: 2022-04-29
Description: Security vulnerability in Ayfie Saga platform gateway
  • All other products.

Date: 2021-12-10
Description: Security vulnerability found in Log4j that might allow execution of malicious remote code.
  • Supervisor
  • ViaSuggest
  • AppSearch
  • Haive Enterprise Search