On 2021-12-09, a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed that allows remote, unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”.
On 2021-12-14 an additional vulnerability (CVE-2021-45046), published as a denial of service issue, was disclosed, showing that the initial mitigations and the fix in version 2.15.0 are incomplete under certain non-default configurations. Log4j versions 2.16.0 (Java 8) and 2.12.2 (Java 7 backport) fix both vulnerabilities.
Siemens is currently investigating which of its products are affected. As of now, Siemens Documentation Server 2.0.x is affected. Please follow these steps to mitigate the vulnerability:
The next release of the Help Server, 2.1, will ship with a version of Elasticsearch whose bundled Log4j is not affected.
Note: Users who still have a 1.0.x version of the Help Server installed should immediately upgrade to the 2.0.x version of the Help Server and then apply the fix described above. The latest version can be downloaded here. Please contact the Saratech support team if you have questions.
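As an added check (example code written for this page, not Siemens or Saratech tooling), the following Python script walks an install directory such as the Help Server's bundled Elasticsearch tree, finds every jar that carries log4j-core classes (including shaded jars whose file name gives no hint), and reports whether each one is fixed, mitigated by deletion of JndiLookup.class, or still exposed to CVE-2021-44228 / CVE-2021-45046. The fixed-version table follows the advisory text above; the directory layout, jar names and empty class entries in the built-in fixture are constructed for the demonstration and stand in for a real installation.

```python
"""Scan an install tree for log4j-core jars and classify each against
CVE-2021-44228 / CVE-2021-45046 (added example, not Siemens/Saratech code)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Package prefix that marks a jar as carrying log4j-core classes (even when shaded).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Class that implements JNDI lookups; deleting it from the jar is the documented
# mitigation for log4j-core 2.x releases that do not contain the fix.
JNDI_LOOKUP_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """(major, minor, patch) from a jar name or manifest value; None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def manifest_version(jar):
    """Fall back to Implementation-Version in META-INF/MANIFEST.MF (shaded jars)."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess(version, has_jndi_lookup):
    """Classify one log4j-core jar. Fixed releases follow the advisory above:
    2.16.0 and later, plus the 2.12.x Java 7 backport line from 2.12.2 on."""
    if version is None:
        return "unknown-version"
    if version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated-jndilookup-removed"
    if version == (2, 15, 0):
        return "incomplete-fix-CVE-2021-45046"
    return "vulnerable-CVE-2021-44228"


def scan_jar(path):
    """Inspect one jar; returns None if it carries no log4j-core classes."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            return None
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = parse_version(path.name) if path.name.startswith("log4j-core") else None
        if version is None:
            version = manifest_version(jar)
    return {"jar": path.name, "version": version,
            "jndi_lookup_present": has_jndi, "status": assess(version, has_jndi)}


def scan_tree(root):
    """Walk an install directory (e.g. the bundled Elasticsearch lib/) for every jar."""
    results = []
    for p in sorted(Path(root).rglob("*.jar")):
        try:
            r = scan_jar(p)
        except zipfile.BadZipFile:
            continue  # not a real jar; skip rather than abort the scan
        if r:
            results.append(r)
    return results


def build_sample_tree():
    """Constructed fixture: empty class entries stand in for real bytecode."""
    root = Path(tempfile.mkdtemp())
    samples = [  # (relative jar path, manifest version, JndiLookup.class present)
        ("lib/log4j-core-2.11.1.jar", "2.11.1", True),
        ("lib/log4j-core-2.14.1.jar", "2.14.1", False),   # class deleted by an admin
        ("lib/log4j-core-2.15.0.jar", "2.15.0", True),
        ("lib/log4j-core-2.16.0.jar", "2.16.0", False),
        ("plugins/x/log4j-core-2.12.2.jar", "2.12.2", True),
        ("plugins/x/app-shaded.jar", "2.13.3", True),     # version only in manifest
    ]
    for name, version, with_jndi in samples:
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as z:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            z.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
            if with_jndi:
                z.writestr(JNDI_LOOKUP_CLASS, b"")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in scan_tree(root):
        print(f'{r["status"]:30} version={r["version"]} jndi={r["jndi_lookup_present"]} {r["jar"]}')
```

Run it with the Help Server installation directory as the argument; without an argument it scans the constructed fixture. A jar reported as "unknown-version" (no version in the name or manifest) still needs manual review, and "mitigated-jndilookup-removed" is an interim state: the upgrade to a fixed release remains the actual remediation.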