Apache Log4j Vulnerability: Siemens Documentation Server 2.0.x is Affected

On 2021-12-09, a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed that could allow remote, unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”.

On 2021-12-14, an additional denial-of-service vulnerability (CVE-2021-45046) was published, showing that the initial mitigations and the fix in version 2.15.0 were incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are intended to fix both vulnerabilities.

Siemens is currently investigating which of its products are affected. As of now, Siemens Documentation Server 2.0.x is affected. Please follow these steps to mitigate the vulnerability:

  1. In Task Manager, go to the Services tab and stop the SiemensPLMElasticSearchServer service by right-clicking on the service and selecting Stop.
  2. Navigate to the install directory, typically C:\Program Files\Siemens\Help Server.
  3. Go to \elasticsearch-6.6.2\config.
  4. Open the jvm.options file in a text editor such as Notepad++.
  5. Search for the comment # log4j 2 (line 85).
  6. Add the following on its own line (as line 88): -Dlog4j2.formatMsgNoLookups=true
  7. Save and close the file.
  8. Restart the SiemensPLMElasticSearchServer service by right-clicking on the service and selecting Start.
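
The eight steps above as one scripted, re-runnable pass, added here as an example and not a script from Siemens or Saratech. It assumes the default install path and service name given above, and (an assumption the page does not state) that the bundled Elasticsearch answers HTTP on localhost:9200, which the final step uses to confirm the flag actually reached the running JVM rather than only the file on disk.

```powershell
#Requires -RunAsAdministrator
$ServiceName = 'SiemensPLMElasticSearchServer'
$JvmOptions  = 'C:\Program Files\Siemens\Help Server\elasticsearch-6.6.2\config\jvm.options'
$Flag        = '-Dlog4j2.formatMsgNoLookups=true'
$NodesUrl    = 'http://localhost:9200/_nodes/jvm'   # assumed: default Elasticsearch HTTP port

# Step 1: stop the service so the JVM is not running while its config is edited.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))

# Steps 2-7: add the flag once, right after the existing "# log4j 2" block.
$lines = @(Get-Content -Path $JvmOptions)
if ($lines | Where-Object { $_.Trim() -eq $Flag }) {
    Write-Host "jvm.options already contains $Flag; file left unchanged."
} else {
    Copy-Item -Path $JvmOptions -Destination "$JvmOptions.bak" -Force   # rollback copy
    $idx = $lines.Count - 1                                             # fallback: append at end
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^#\s*log4j\s*2') {
            $idx = $i
            # Skip the -Dlog4j... entries that follow the marker so the flag lands after them.
            while ($idx + 1 -lt $lines.Count -and $lines[$idx + 1] -match '^-Dlog4j') { $idx++ }
            break
        }
    }
    $out = @($lines[0..$idx]) + @($Flag)
    if ($idx + 1 -le $lines.Count - 1) { $out += $lines[($idx + 1)..($lines.Count - 1)] }
    Set-Content -Path $JvmOptions -Value $out -Encoding ASCII
    Write-Host "Inserted $Flag as line $($idx + 2) of jvm.options"
}

# Step 8: restart, then verify the flag is visible in the running JVM's input arguments.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Start-Sleep -Seconds 30                       # give Elasticsearch time to open its HTTP port
$nodes = Invoke-RestMethod -Uri $NodesUrl
$effective = $nodes.nodes.PSObject.Properties.Value | ForEach-Object { $_.jvm.input_arguments }
if ($effective -contains $Flag) {
    Write-Host 'OK: the running JVM was started with formatMsgNoLookups=true'
} else {
    Write-Warning 'Flag not present in the running JVM; the service did not pick up jvm.options'
}
```

If the warning fires, the service wrapper is starting the JVM from settings other than this jvm.options file, and the mitigation is not in effect until that is resolved.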

The next release of the Help Server, 2.1, will be upgraded to a version of Elasticsearch that does not contain the vulnerability.

Note: If you have a 1.0.x version of the Help Server installed, upgrade immediately to the 2.0.x version of the Help Server and then apply the fix described above. The latest version can be downloaded here. Please contact the Saratech support team if you have questions.