Product Shortcuts

Page History

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

...

ApplicationInsights, ConnectionsExpert, iDNA, and iDNA Applications use some Log4j directly. We will remove Log4j completely to resolve this and reliably prevent any further issues.
GreenLight, iDNA Applications, and OfficeExpert include Metabase which uses Log4j. We will update the Metabase version in all these products to a safe release.

Note

title	Regarding Metabase

Metabase includes Log4j and is vulnerable to CVE-2021-44228. For a first fix we update to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects from the remote code execution exploit).

The more recently discovered CVE-2021-45046 requires Log4j 2.16.0 for which no Metabase release is available yet.
However: this newer CVE is far less critical, and according to Metabase developers it should not even be affected by it. Still, we are waiting for a new Metabase version and will create new releases once it is available just to be as safe as possible.

If you are uncomfortable with CVE-2021-45046, you can manually turn off Metabase for now:

Connect to the appliance with ssh or putty
For GreenLight:
Code Block
docker stop gl_metabase
For OfficeExpert and iDNA Applications:
Code Block
docker stop panagenda_metabase

Overview and Status

Product	CVE-2021-44228	Fix Status	Fix Release	CVE-2021-45046	Fix Status (all CVEs)	Fix Release	How To Upgrade
ApplicationInsights	vulnerable - fix available	released - Dec 14	1.6.3	vulnerable - fix available	released - Dec 14	1.6.3	Upgrade ApplicationInsights (≥ v1.5.1)
ConnectionsExpert 2.x	vulnerable - fix available	released - Dec 15	2.1.3	vulnerable - fix available	released - Dec 15	2.1.3	Upgrade ConnectionsExpert (> v2.0)
ConnectionsExpert 3.x	vulnerable	in testing	3.0.2	vulnerable	in testing	3.0.2	Upgrade ConnectionsExpert (> v2.0)
GreenLight	vulnerable - fix available	released - Dec 15	4.5.0	vulnerable - fix available	released - Dec 15	4.5.0	Upgrading GreenLight - only for >=3.5.x
				Metabase potentially vulnerable¹⁾	waiting for Metabase	4.5.1
iDNA	vulnerable	in testing	2.11.1	vulnerable	in testing	2.11.1	please contact support
iDNA Applications	vulnerable - fix available	released - Dec 13	2.1.2	vulnerable - fix available	released - Dec 13	2.1.2	Upgrading iDNA Applications
				Metabase potentially vulnerable¹⁾	waiting for Metabase	2.1.3
MarvelClient	safe			safe
OfficeExpert	vulnerable - fix available	released - Dec 14	4.3.3	vulnerable - fix available	released - Dec 14	4.3.3	Upgrading OfficeExpert
				Metabase potentially vulnerable¹⁾	waiting for Metabase	4.3.4
OfficeExpert EPM	safe			safe
SecurityInsider / GroupExplorer	safe			safe
SmartChanger	safe			safe

Document Properties Plugin	safe			safe
LogViewer Plugin	safe			safe
Network Monitor Plugin	safe			safe
PrefTree Plugin	safe			safe
Tabzilla Plugin	safe			safe
Timezone Helper Plugin	safe			safe

^{1) See info box "Regarding Metabase" above the table}

Note

title	Regarding Metabase

Metabase includes Log4j and is vulnerable to CVE-2021-44228. For a first fix we update to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects from the remote code execution exploit).

If you are uncomfortable with CVE-2021-45046, you can manually turn off Metabase for now:

Connect to the appliance with ssh or putty
For GreenLight:
Code Block
docker stop gl_metabase
For OfficeExpert and iDNA Applications:
Code Block
docker stop panagenda_metabase

What happens now? What do I need to do?

...

Content

Space Tools

OfficeExpert

MarvelClient

iDNA Applications

ConnectionsExpert

SecurityInsider

Versions Compared

Old Version 30

New Version 31

Key

Overview and Status

What happens now? What do I need to do?