PhenixID

A high severity vulnerability for Log4j 2 has been detected!

Update, Wednesday 2021-12-15: New files for the supported versions of Authentication Services, Password Self Service, MFA and Signing Service can be found in the respective “Patch release description”.
3.2:
https://phenixid.screenstepslive.com/s/19332/m/91594/l/1495718-patch-release-description
4.0:
https://document.phenixid.net/m/96408/l/1370226-patch-release-description
4.1:
https://document.phenixid.net/m/102865/l/1372681-patch-release-description
4.2:
https://document.phenixid.net/m/106270/l/1447988-patch-release-description

Follow the instructions to replace the file.

--------

Friday 2021-12-10

Today a new CVE was found in the open source component Log4j2.

Information about this CVE is found here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Log4j2 is used in PhenixID products: PhenixID Authentication Services, PhenixID Password Self Service, MFA, Signing Service, Signing Workflow and PhenixID Identity Manager.

To mitigate this threat, add the following parameter to the startup file:
-Dlog4j2.formatMsgNoLookups=true

Authentication Services, Password Self Service, MFA, Signing Service, Signing Workflow:

On Linux, set the parameter in /bin/start-PhenixID.sh (JAVA_OPTS="${JAVA_OPTS} -Dlog4j2.formatMsgNoLookups=true")
On Windows, set the parameter in /bin/*.vmoptions (-Dlog4j2.formatMsgNoLookups=true)

Identity Manager:
On Linux, use JAVA_OPTS in the file /bin/catalina.sh
On Windows, double-click the file /bin/PhenixIDIMw.exe, and set the parameter on the Java tab.

NOTE: A reboot of the system is required.
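To confirm after the restart that the parameter is both present in the startup file and active in the running JVM, the following check can be used on Linux. It is an added example, not PhenixID tooling. The function names and the PROC_ROOT variable are hypothetical, and it assumes the JVM process is started as "java".

```shell
#!/bin/sh
# Added example: check that the Log4j2 mitigation flag is configured and active.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# 0 if FILE sets the flag on a line that is not commented out, 1 if not,
# 2 if FILE is unreadable. Covers start-PhenixID.sh, catalina.sh, *.vmoptions.
file_has_flag() {
    [ -r "$1" ] || return 2
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq -- '-Dlog4j2\.formatMsgNoLookups=true([^[:alnum:]]|$)'
}

# 0 if running process PID was started with the flag (reads Linux /proc).
# PROC_ROOT is a hypothetical override used only to test against sample data.
pid_has_flag() {
    [ -r "${PROC_ROOT:-/proc}/$1/cmdline" ] || return 2
    tr '\0' '\n' < "${PROC_ROOT:-/proc}/$1/cmdline" | grep -Fxq -- "$FLAG"
}

# Print PIDs of Java processes still running without the flag, e.g. because
# the service was not restarted after the startup file was edited.
# Assumption: the JVM's argv[0] is "java" or a path ending in /java.
unmitigated_java_pids() {
    for d in "${PROC_ROOT:-/proc}"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        case "$argv0" in
            java|*/java) pid_has_flag "${d##*/}" || echo "${d##*/}" ;;
        esac
    done
}

# Usage: sh check-nolookups.sh <startup-file>...   (script name is arbitrary)
for f in "$@"; do
    if file_has_flag "$f"; then echo "OK       $f"; else echo "MISSING  $f"; fi
done
if [ "$#" -gt 0 ]; then
    pids=$(unmitigated_java_pids)
    [ -z "$pids" ] || echo "Java PIDs running without the flag:" $pids
fi
```

Run it as a user allowed to read the service's /proc entry; a PID listed in the last line means that process was started before the startup file was changed or from a different startup file.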

An updated version of log4j2 will be included in all future releases. 

In case of any questions, please contact PhenixID Support.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se