Anyone know if Log4j is used by any version of Epicor

Hey Everyone!!! New EMAIL from Docstar/Epicor

Attention on-premises Epicor ECM customers:

On Monday, December 13, 2021, we sent you an email about a newly discovered vulnerability in SOLR. We are following up with today’s email because a vulnerability was discovered yesterday in Monday’s recommended fix to address log4j vulnerability CVE-2021-44228. See this link for additional details.
Epicor ECM uses Apache SOLR as its indexing server. The default SOLR configuration uses one of the vulnerable logging patterns.

Until SOLR releases a recommendation or a fix, we recommend on-premises ECM customers turn off logging in SOLR entirely.

- Logging can be disabled from the SOLR Admin panel by setting root, com, and org to OFF: See Configuring Logging instructions and screenshot below.
- To access the SOLR Admin panel you can check the SOLR URL in the DocStar Server Configuration application, and then change the settings in the SOLR Logging tab. See also our knowledgebase article.

If you have specific questions about the enclosed, please call customer support at 866.243.2240. As always, thank you for being a valued Epicor ECM customer!
3 Likes

1 Like

Hahaha.

With the Canary Token mentioned above or this service I just heard about on Security Now, any user can test any software on their own. Be careful about running it against services that you don’t own, since it will look like an attack. Get permission first.

As I turned off the logging on the SOLR Admin Panel, I noticed this warning on the top level of the Logging section:


This has sent me down a rabbit hole; checking on versions installed, how to patch stuff, etc.

Has anyone gone as far as updating Solr? Any advice on how?

Epicor’s official response can be found here: Security Notification | Epicor U.S.

1 Like

That post says to check the knowledge base, but I’m only seeing 2 articles in the knowledge base when I search by Log4J.

I put in a case asking if EKM was at risk and this was the response.

image

I was looking for a Yes / No answer.

You got a non-Boolean reply. My guess is that they don’t know for sure yet, so they can’t give a yes/no answer.

Did you give the response the correct type when asking? I’m thinking something like…

```csharp
string question = "Is EKM at Risk?";
// Ask() stands in for whatever support uses to answer; a bool leaves no room for an essay
bool response = Ask(question);
```
2 Likes

This is the Epic Care message on the home page as of today.

This is the only KB article still at this point.

1 Like

Sorry for the delay on the EKM product. We are getting a KB written up for this now. The delay has been getting these details from the 3rd party (SAP). EKM leverages Tomcat and hence requires the following actions to mitigate.

1. Go to the TOMCAT\bin folder
2. Execute Tomcat9w.exe
3. Go to the Java tab
4. Add `-Dlog4j2.formatMsgNoLookups=true` to the Java options
5. Restart Tomcat

3 Likes

@Edge - Can Epicor at least list the various modules for OnPrem, and give a status of “Vulnerable, Fix, Workaround, NotVuln, Investigating”? I’m sure a ton is going on behind the scenes, but a generic statement of “wait for a KB” doesn’t lend confidence, especially since it’s not pushed out to the customers (we’re left clicking search “Log4j” in EpicCare multiple times a day, to see if anything more has been shared). If cloud has already been secured per the splash message, please share the same steps for on-prem, so we can do the same.

It could be handled similarly to https://github.com/NCSC-NL/log4shell/tree/main/software:

NCSC-NL will use the following status:

| Status | Description |
| --- | --- |
| Vulnerable | Software is vulnerable for CVE-2021-44228. |
| Fix | Software contains a fix for CVE-2021-44228. |
| Workaround | Software is vulnerable but mitigation steps are available. |
| Not vuln | Software is NOT vulnerable for CVE-2021-44228. |
| Investigation | Software is under investigation whether it is vulnerable or not. |

Thanks,
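The thread asks two practical things: which log4j version is actually installed under Solr or Tomcat (the "rabbit hole" post above) and how to put each component into one of the NCSC-NL status buckets. The script below is an added example, not code from Epicor, NCSC-NL or this thread. It opens a `log4j-core` JAR, reads the version from its Maven `pom.properties` (falling back to the manifest), checks whether `JndiLookup.class` is still present, and reports a status using the table's vocabulary. The version facts it encodes are general knowledge about CVE-2021-44228 (affected 2.x releases up to 2.14.1, fixed in 2.15.0 and the 2.12.2 / 2.3.1 backports, `formatMsgNoLookups` only honoured from 2.10); the sample JARs it builds are constructed in memory so the example runs offline, and `make_sample_jar`, `assess_log4j_jar` and `scan_directory` are names chosen here, not an existing tool.

```python
import io
import os
import re
import zipfile
from typing import Dict, Iterable, Optional, Tuple

# Paths inside a real log4j-core JAR that carry the version and the vulnerable lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # the Tomcat mitigation from the thread


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The last element orders a pre-release (0) before the final release (1)."""
    base, _, suffix = text.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], 0 if suffix else 1)


def jar_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the log4j-core version from Maven pom.properties, falling back to the manifest."""
    names = set(jar.namelist())
    if POM_PROPS in names:
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if match:
            return match.group(1)
    return None


def is_fixed_release(v: Tuple[int, int, int, int]) -> bool:
    """2.15.0+ and the Java 7 / Java 6 backports (2.12.2+, 2.3.1+) contain the CVE-2021-44228 fix."""
    major, minor, patch, _ = v
    if major != 2:
        return False
    return v >= (2, 15, 0, 1) or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1)


def assess_log4j_jar(data: bytes, jvm_options: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (NCSC-style status, explanation) for one log4j-core JAR.
    jvm_options is the list of -D flags the hosting JVM (Solr, Tomcat) is started with."""
    opts = set(jvm_options)
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = jar_version(jar)
        has_jndi = JNDI_LOOKUP in jar.namelist()
    if version is None:
        return ("Investigation", "no log4j-core version metadata found in the JAR")
    v = parse_version(version)
    if v[0] != 2:  # log4j 1.x is a different code base and outside this CVE's scope
        return ("Not vuln", f"log4j {version} is outside the CVE-2021-44228 range")
    if is_fixed_release(v):
        return ("Fix", f"log4j-core {version} contains the fix; still move to the latest release")
    if not has_jndi:
        return ("Workaround", f"log4j-core {version} is in range, but JndiLookup.class was removed")
    if v >= (2, 10, 0, 1) and NO_LOOKUPS_FLAG in opts:
        return ("Workaround", f"log4j-core {version} is in range; {NO_LOOKUPS_FLAG} is set")
    if v >= (2, 10, 0, 1):
        return ("Vulnerable", f"log4j-core {version}: set {NO_LOOKUPS_FLAG}, remove JndiLookup.class, or upgrade")
    # Pre-2.10 builds ignore the flag entirely, so only the class removal or an upgrade counts.
    return ("Vulnerable", f"log4j-core {version} predates 2.10; the flag has no effect, remove JndiLookup.class or upgrade")


def scan_directory(root: str, jvm_options: Iterable[str] = ()) -> Dict[str, Tuple[str, str]]:
    """Walk an install tree (the Solr or Tomcat folder) and assess every log4j-core JAR found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = assess_log4j_jar(fh.read(), jvm_options)
    return results


def make_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed sample: a minimal ZIP with the same metadata layout as a real log4j-core JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only; content is irrelevant here
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed cases covering each branch; on a real box call scan_directory(r"C:\Solr") instead.
    for ver, jndi, opts in [("2.14.1", True, ()), ("2.14.1", True, (NO_LOOKUPS_FLAG,)),
                            ("2.8.2", True, (NO_LOOKUPS_FLAG,)), ("2.11.1", False, ()), ("2.16.0", True, ())]:
        print(ver, "jndi" if jndi else "no-jndi", assess_log4j_jar(make_sample_jar(ver, jndi), opts))
```

The JVM flags are passed in rather than discovered because the script cannot see how the service wrapper starts Java; on Windows, read them from the Java tab of Tomcat9w.exe or the Solr start script and pass them explicitly. Note that turning logging OFF in the Solr admin panel, as the Epicor email advises, is not visible to this check either: it removes the sink, but the status reported here is about the library that is still on disk.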

Yes, we are working on one KB that outlines everything; it should be online soon. I can share that we only have the ECM on-premise SOLR configuration as a confirmed issue, with a workaround configuration. With EKM, we are still investigating whether it is exploitable, but we have shared the configuration guidance above. CPQ and ECC use Elasticsearch, which has been patched in the cloud and is not provided on premise. All other products are not impacted by CVE-2021-44228 as of writing.

3 Likes

This is the list on EpicCare

@Edge - Any update on QBuild / CAD Link that uses Java 7?

1 Like

They confirmed no impact.

2 Likes

Where is that list?

Look on Epic Care for KB0118166

1 Like

Holy cow, I like this.

Tip of the hat to Richard Campbell for this one

4 Likes