We were made aware of the recently reported Log4j2 vulnerabilities CVE-2021-45105 and CVE-2021-44228 (both listed in the NVD at nist.gov) within Apache environments. Log4j, an open-source logging library, is incorporated into many popular frameworks, making the impact widespread.
Frequently Asked Questions
What do these vulnerabilities do?
A remote attacker can exploit the vulnerabilities to execute arbitrary code through log messages.
What versions of the Intranet software are impacted?
Only version 15.0 (all patches) is impacted by the CVE-2021-45105 and CVE-2021-44228 Log4j2 vulnerabilities. No vulnerabilities have been spotted in lower versions of our software by IC Thrive development or the development community.
I have a log4j-1.2.17.jar file on my server and I'm not on version 15.0. Am I at risk?
No, only customers on version 15.0 (all patches) are affected by this Critical vulnerability. No vulnerabilities have been spotted in lower versions of our software by IC Thrive development or the development community.
It is recommended to update to version 2.17 of the jar files. Will you be supplying a fix for older versions?
This Critical vulnerability was determined to affect only version 15.0 (all patches) of our software, so no fixes will be provided for older versions. No vulnerabilities have been spotted in lower versions of our software by IC Thrive development or the development community.
How do I find out my version?
As an admin, navigate to the Admin option at the top of the intranet. Near the bottom of the page, you'll find the version of your intranet software. Check whether it says 15.0.x.
Does the provided fix address CVE-2021-45105 and CVE-2021-44228?
Yes, these were included within the 2.17 version of the jar files used for the automated fix below.
Fix Update Dec 20, 2021 - Only affects customers on version 15.0 (all patches)
In response to the Log4j2 vulnerabilities CVE-2021-45105 and CVE-2021-44228 within Apache environments (software we use to power our intranet solution), which impact only version 15.0, IC Thrive has created an automated solution for updating your software.
Please follow the steps below:
- Save this zip file to the server
  - Look for update-es-files-ps.zip at the bottom of the page if this link doesn't work
- Right-click the file > click Properties > check the box beside 'Unblock' and click 'Apply' (if applicable)
- Extract the zip contents to C:\Temp
- Open the update-es-files-ps folder
- Right-click on the start.bat file and select "Run as Administrator"
  - This action will open a new command prompt window and log the events of the update process to the screen
When complete, test that the search function is working on your intranet, to ensure that the process has restarted the application.
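One way to confirm the result of the update, as an added example that is not part of IC Thrive's fix package: this PowerShell script reads the Maven metadata inside every jar under a folder and flags any log4j-core older than the 2.17 named above. The `$Root` default is a placeholder, and the script assumes the jars carry the standard `pom.properties` entry that Apache's log4j-core releases include.

```powershell
# Added example (not part of the vendor's update-es-files-ps package).
param([string]$Root = 'C:\Path\To\Install')   # placeholder: set to your install folder

Add-Type -AssemblyName System.IO.Compression.FileSystem
$Fixed    = [version]'2.17.0'   # fixed jar version named in the advisory (2.17)
# Standard Maven metadata entry shipped inside Apache log4j-core jars (assumed present)
$PomEntry = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'

function Get-Log4jCoreVersion {
    param([string]$JarPath)
    $zip = $null
    try {
        $zip   = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
        $entry = $zip.GetEntry($PomEntry)
        if (-not $entry) { return $null }   # not a log4j-core 2.x jar (e.g. log4j 1.x)
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
        if ($text -match '(?m)^version=(\d+)\.(\d+)(?:\.(\d+))?') {
            $patch = if ($Matches[3]) { $Matches[3] } else { '0' }
            return [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $patch)
        }
        return $null
    } catch {
        Write-Warning "Could not read $JarPath : $($_.Exception.Message)"
        return $null
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

$report = @(Get-ChildItem -Path $Root -Recurse -Filter '*.jar' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = Get-Log4jCoreVersion -JarPath $_.FullName
        if ($v) {
            [pscustomobject]@{
                Version = $v
                Status  = if ($v -ge $Fixed) { 'OK' } else { 'NEEDS UPDATE' }
                File    = $_.FullName
            }
        }
    })

$report | Sort-Object Status, File | Format-Table -AutoSize -Wrap
if ($report.Count -eq 0) {
    Write-Warning "No log4j-core 2.x jars found under $Root"
} elseif ($report.Status -contains 'NEEDS UPDATE') {
    Write-Warning 'At least one log4j-core jar is older than 2.17.'; exit 1
}
```

Jars packed inside other archives are not opened by this check, so an empty or all-OK report covers only the jar files that sit directly on disk under `$Root`.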
If the update we are providing today is not applied to your system, remote attackers could exploit the vulnerability and execute arbitrary code through log messages.
We thank you for your patience as our team worked to create the best solution for you, our valued customers. If you have further questions, please let us know by contacting our Support team.