
IMPORTANT NOTICE – Log4Shell Vulnerability

Update 14-01-2021

On Dec. 28, 2021, a new vulnerability in the Apache Log4j component, affecting versions 2.17.0 and earlier, was disclosed: CVE-2021-44832 (https://nvd.nist.gov/vuln/detail/CVE-2021-44832). The issue was fixed in Log4j 2.17.1. After a thorough investigation by our security team we concluded that this vulnerability does not apply to the EyeQuestion application. Nevertheless, we advise updating to the latest version of Log4j, 2.17.1, or to the latest version of EyeQuestion.

Please follow the update process below, but use the 2.17.1 libraries instead, which can be downloaded from

https://eyequestion.nl/wp-content/uploads/2022/02/log4j-2.17.1.zip

Update 24-12-2021

It is important to know (relevant for On-Premise clients only) that the EyeQuestion server system also contains an eq.war file. This is the original installation file, not the running application. This means that after you have applied the necessary patches, the original application, with the original Log4j files, is still inside this WAR file. That is not a problem as long as you do not perform a complete new installation; if you do, simply repeat the patch instructions on this page.

Update 20-12-2021

On Dec. 18, 2021, a third Log4j security vulnerability was disclosed: CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046).
Apache Log4j through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. The issue was fixed in Log4j 2.17.0.

Please follow the update process below, but use the 2.17.0 libraries instead, which can be downloaded from

https://eyequestion.nl/wp-content/uploads/2021/12/log4j-2.17.0.zip

Update 17-12-2021

On Dec. 14, 2021, a second Log4j security vulnerability was disclosed: CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046).
It was discovered because the fix in Log4j 2.15.0, the version released for the first security issue, was incomplete.
In response to this new vulnerability, a new version of Log4j (2.16.0) has been released that disables JNDI functionality by default; JNDI was the source of the original issue.

In the previous message we asked our On-Premise clients to replace the existing log4j-core-2.8.2.jar with the version that we provided.
That version has the same name, but we removed org/apache/logging/log4j/core/lookup/JndiLookup.class from it, which is the workaround suggested by Apache Log4j (https://logging.apache.org/log4j/2.x/security.html) to mitigate the immediate risk.

Our original patch mitigated the immediate risk but disabled the logging. The steps below enable the logging again.

1. Download the zip for the Log4j version you need (2.16.0, 2.17.0 or 2.17.1; see the updates above). Each zip contains the four jar files related to Log4j (they are the original files from the Apache Log4j site):
https://eyequestion.nl/wp-content/uploads/2021/12/log4j-2.16.0.zip
https://eyequestion.nl/wp-content/uploads/2021/12/log4j-2.17.0.zip
https://eyequestion.nl/wp-content/uploads/2022/01/log4j-2.17.1.zip

Unzip it; that should result in 4 separate files, where <version> is the Log4j version you downloaded:
  • log4j-core-<version>
  • log4j-api-<version>
  • log4j-slf4j-impl-<version>
  • log4j-jcl-<version>

2. Stop the Tomcat service.

3. Remove the Tomcat cache by deleting the content of the tomcat\work directory.

4. Navigate to tomcat\webapps\eq\WEB-INF\lib and delete the four old log4j jar files (version 2.8.2, 2.15.0 or 2.16.0, depending on what is installed).
REMOVE
  • log4j-core-2.8.2
  • log4j-api-2.8.2
  • log4j-slf4j-impl-2.8.2
  • log4j-jcl-2.8.2

5. Add the four files you just downloaded to this folder (where <version> is the Log4j version you downloaded).
ADD
  • log4j-core-<version>
  • log4j-api-<version>
  • log4j-slf4j-impl-<version>
  • log4j-jcl-<version>

6. Locate the EyeQuestion customer directory (this is not the Tomcat directory). It can usually be found at C:/EyeQuestion/Customer and can be recognized by the setup.properties file inside it. If you have trouble finding it:
  1. Go to the application folder C:\Program Files\EyeQuestion\tomcat\webapps\eq\WEB-INF.
  2. Open the web.xml file.
  3. Line 6 contains the path to the EyeQuestion customer folder, for example C:/EyeQuestion/Customer. The exact path can be different in your situation.

7. Once you have the path to the EyeQuestion customer folder, navigate to tomcat\webapps\eq\WEB-INF\classes and open the log4j2.xml file for editing.

8. On line 5 of this log4j2.xml file, REPLACE ${jndi:CUSTOMERDIR} with the customer folder path you found in step 6.
It should now look something like this:

C:/EyeQuestion/Customer

9. Start Tomcat again.
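After step 9 it is worth confirming the result rather than trusting it: that exactly one copy of each of the four jars is left in WEB-INF\lib, that they are all the same version and not older than 2.17.1, and that no ${jndi:...} placeholder remains in log4j2.xml (a leftover 2.8.2 jar next to the new one, or a forgotten placeholder, are the two most common ways this procedure goes wrong). The audit script below is an added example, not a tool from EyeQuestion. It assumes Python 3 is available on the server and that the jar names follow the log4j-<artifact>-<version>.jar pattern shown in the steps; the WEB-INF layout and XML fragment it checks are constructed for the demo, since the real log4j2.xml is not reproduced on this page.

```python
"""Added example, not EyeQuestion's own tooling: audit a Tomcat webapp after
the Log4j update steps (stale or duplicate jars in WEB-INF/lib, and a
${jndi:...} placeholder left in log4j2.xml).

Assumptions (not from the original page): Python 3 is available on the server
and the jar names follow the log4j-<artifact>-<version>.jar pattern.
"""
import os
import re
import tempfile

# The four Log4j artifacts the update steps place in WEB-INF/lib.
EXPECTED_ARTIFACTS = ("core", "api", "slf4j-impl", "jcl")
# Lowest version the 14-01 update recommends (fixes CVE-2021-44832).
MINIMUM_VERSION = (2, 17, 1)

JAR_RE = re.compile(r"^log4j-(core|api|slf4j-impl|jcl)-(\d+)\.(\d+)\.(\d+)\.jar$")


def fmt(version):
    """Render a version tuple such as (2, 17, 1) as '2.17.1'."""
    return ".".join(str(x) for x in version)


def scan_lib_dir(lib_dir):
    """Return a list of (artifact, version_tuple) for every Log4j jar in lib_dir."""
    jars = []
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_RE.match(name)
        if m:
            jars.append((m.group(1), tuple(int(x) for x in m.group(2, 3, 4))))
    return jars


def audit_lib_dir(lib_dir):
    """Describe what is wrong with the Log4j jars; an empty list means the lib dir passes."""
    problems = []
    jars = scan_lib_dir(lib_dir)
    for artifact in EXPECTED_ARTIFACTS:
        versions = [v for a, v in jars if a == artifact]
        if not versions:
            problems.append(f"log4j-{artifact}: jar missing")
        elif len(versions) > 1:
            # Two copies on the classpath: the old jar from step 4 was not deleted.
            problems.append(f"log4j-{artifact}: {len(versions)} jars present, old one not removed")
        elif versions[0] < MINIMUM_VERSION:
            problems.append(f"log4j-{artifact}: version {fmt(versions[0])} is below {fmt(MINIMUM_VERSION)}")
    if len({v for _, v in jars}) > 1:
        problems.append("mixed Log4j versions in WEB-INF/lib")
    return problems


def audit_log4j2_xml(path):
    """Return any ${jndi:...} lookups still present in log4j2.xml (step 8 replaces the placeholder)."""
    with open(path, encoding="utf-8") as f:
        return re.findall(r"\$\{jndi:[^}]*\}", f.read())


def build_fixture(root, versions, xml_text):
    """Create a constructed WEB-INF layout with empty jar files for the given versions."""
    lib = os.path.join(root, "WEB-INF", "lib")
    classes = os.path.join(root, "WEB-INF", "classes")
    os.makedirs(lib)
    os.makedirs(classes)
    for artifact, version in versions:
        open(os.path.join(lib, f"log4j-{artifact}-{version}.jar"), "wb").close()
    xml_path = os.path.join(classes, "log4j2.xml")
    with open(xml_path, "w", encoding="utf-8") as f:
        f.write(xml_text)
    return lib, xml_path


def run_demo():
    """Audit a constructed half-patched install and a correctly patched one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: 2.17.1 core added but the old 2.8.2 core left behind,
        # api still at 2.8.2, and the jndi placeholder still in the config.
        half = [("core", "2.8.2"), ("core", "2.17.1"), ("api", "2.8.2"),
                ("slf4j-impl", "2.17.1"), ("jcl", "2.17.1")]
        lib, xml = build_fixture(os.path.join(tmp, "half"), half,
                                 '<Property name="dir">${jndi:CUSTOMERDIR}</Property>\n')
        results["half_patched"] = audit_lib_dir(lib) + audit_log4j2_xml(xml)
        # Constructed: all four jars at 2.17.1 and the placeholder replaced by a path.
        good = [(a, "2.17.1") for a in EXPECTED_ARTIFACTS]
        lib, xml = build_fixture(os.path.join(tmp, "good"), good,
                                 '<Property name="dir">C:/EyeQuestion/Customer</Property>\n')
        results["patched"] = audit_lib_dir(lib) + audit_log4j2_xml(xml)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

On a real server, call audit_lib_dir on tomcat\webapps\eq\WEB-INF\lib and audit_log4j2_xml on tomcat\webapps\eq\WEB-INF\classes\log4j2.xml; both return an empty list when the steps were completed. The duplicate check matters because Tomcat loads every jar in WEB-INF\lib, so a forgotten old log4j-core jar can still end up on the classpath even after the new one is added.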

We also have new versions of EyeQuestion 4 and 5 available with the new libraries. These new versions will be communicated to our On-Premise clients individually; as our clients run different versions, the instructions differ per client.

Update 16-12-2021

On Dec. 14, 2021, a second Log4j security vulnerability was disclosed: CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046).
It was discovered because the fix in Log4j 2.15.0, the version released for the first security issue, was incomplete.
In response to this new vulnerability, a new version of Log4j (2.16.0) has been released that disables JNDI functionality by default; JNDI was the source of the original issue.

We are currently testing this new 2.16.0 version and adapting our application to work with this new library.

Until a new EyeQuestion version is released, no NEW action is needed from our On-Premise clients.

In the previous message we asked our On-Premise clients to replace the existing log4j-core-2.8.2.jar with the version that we provided.
That version has the same name, but we removed org/apache/logging/log4j/core/lookup/JndiLookup.class from it, which is the workaround suggested by Apache Log4j (https://logging.apache.org/log4j/2.x/security.html) to mitigate the immediate risk.

Update 13-12-2021

Regarding the major security issue with Log4j that seriously affects most companies in the world, we sent the following email to our clients last weekend:

Dear client,

Yesterday we reached out to all our On-Premise clients regarding a critical security issue identified in Java. Because we want to be absolutely sure that everybody affected has received this message and has taken the appropriate action, we are now sharing it with all our clients. This critical security issue requires immediate action from our On-Premise clients; if you have already applied the patch, please confirm this by email.

On December 9th security officers identified a security issue in a component of Java. Java is a programming language used for the vast majority of software applications in the world, and we also use it for our EyeQuestion software. As a result, a tremendous number of companies worldwide are facing a critical security issue, and we are unfortunately not an exception. To keep working with EyeQuestion safely we need to take immediate action. This email explains what the security issue is, what we have already done, and what action you may need to take as soon as possible.

Technical Background

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild.

The vulnerability, nicknamed Log4Shell, can be exploited by making Java-based applications and servers that use the Log4j library log a specially crafted string. The issue was reported under CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and has a score of 10/10 on the CVSSv3 severity scale. This library is used by most Java applications, and EyeQuestion also makes use of it.

Recommendations

As EyeQuestion makes use of this library, we have investigated the issue and came up with the following recommendations for our SaaS clients (running EyeQuestion on an EyeQuestion server) and our On-Premise clients (running EyeQuestion on a company-owned server):

EyeQuestion SAAS clients (NO ACTION REQUIRED)

If you are an EyeQuestion SaaS client, you do not have to take immediate action, as our SaaS services run behind the Cloudflare WAF and Cloudflare immediately added firewall rules to mitigate the risk. At this moment working with EyeQuestion is safe and you do not need to take any action.

EyeQuestion On-Premise clients (IMPORTANT: TAKE IMMEDIATE ACTION)

As this is a high-risk vulnerability, immediate action is necessary. We are not in control of your environment and cannot guarantee that you can use EyeQuestion safely at this moment. If you are running behind a WAF that has mitigated the risk, you do not have to take immediate action and can wait for a new release. But if you are not running EyeQuestion behind a WAF that can deal with this issue, or you are not sure whether it has been dealt with, we suggest that you take the following action as quickly as possible:

  1. Download the following file from our website using the link below (log4j-core-2.8.2.zip) and extract the log4j-core-2.8.2.jar file:
    https://eyequestion.nl/wp-content/uploads/2021/12/log4j-core-2.8.2.zip
  2. Replace the current log4j-core-2.8.2.jar, which can be found at C:\Program Files\EyeQuestion\tomcat\webapps\eq\WEB-INF\lib (or wherever Tomcat and EyeQuestion are installed in your situation), with the file you downloaded.
  3. After replacing the current file with the new version, restart the Tomcat server.
  4. This quick patch mitigates the immediate risk by removing the org/apache/logging/log4j/core/lookup/JndiLookup.class part of Log4j that causes the issue. We will supply a more permanent solution in the new release, after we have tested everything with the newly suggested library.

Again, this message is very important for On-Premise clients. Please take immediate action as this is a major security issue and hackers worldwide have already started exploiting it. If you cannot take action yourself, please contact your IT manager or system manager to take immediate action for you and make sure they receive and read this email.

If you are not the main contact person for EyeQuestion, please let us know who we should list as contact person. In situations like this, time is of the essence, and it is in your and our best interest to be able to reach the correct person immediately in case of a critical security issue.

If you have any questions, please feel free to contact our support desk at [email protected]

We will keep you posted on any new information.
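To make the quick patch in the email above concrete, here is an added example (not EyeQuestion's or Apache's code) that inspects a log4j-core jar for the JndiLookup class, reads the version from the jar manifest, and writes a copy without that class, which is the workaround the email describes. It assumes Python 3 and a manifest that carries an Implementation-Version entry, as Maven-built jars usually do; the jar it operates on is constructed in memory with placeholder class entries, since a jar is just a zip file. Keep in mind the caveat from the 17-12-2021 update: if the logging configuration itself uses a ${jndi:...} lookup, as the EyeQuestion log4j2.xml did, removing the class also breaks that lookup, so the configuration has to be adjusted as well (step 8 of the update procedure).

```python
"""Added example, not EyeQuestion's or Apache's own code: inspect a log4j-core
jar for the JndiLookup class the quick patch removes, and produce a copy
without it. A jar is a zip file, so the standard zipfile module is enough.

Assumptions (not from the original page): Python 3 is available, and the jar
manifest carries an Implementation-Version entry as Maven-built jars usually do.
"""
import io
import zipfile

# Path of the class inside the jar, as named in the advisory above.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_bytes):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def jar_implementation_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar with JndiLookup.class omitted (the Dec 13 workaround).

    Every other entry is copied with its original metadata and compression."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_constructed_jar(version, include_jndi_lookup=True):
    """Construct a toy log4j-core jar: a manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     f"Implementation-Version: {version}\r\n\r\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"placeholder")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"placeholder")
    return buf.getvalue()


def entry_count(jar_bytes):
    """Number of entries in the jar, to show nothing but the one class was dropped."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return len(jar.namelist())


def run_demo():
    """Check the constructed 2.8.2 jar before and after stripping JndiLookup."""
    original = build_constructed_jar("2.8.2")
    stripped = strip_jndi_lookup(original)
    return {
        "original_has_jndi": jar_has_jndi_lookup(original),
        "stripped_has_jndi": jar_has_jndi_lookup(stripped),
        "version": jar_implementation_version(stripped),
        "entries_kept": entry_count(stripped),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real installation, read the jar from tomcat\webapps\eq\WEB-INF\lib\log4j-core-2.8.2.jar into bytes and call jar_has_jndi_lookup on it: True means the quick patch has not been applied yet, False means the class is gone. The version check is useful once the later updates replace the jars entirely, because the stripped 2.8.2 jar and an untouched one share the same file name.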