Priority and severity ratings are determined as described here.
| Date | Update |
|---|---|
| 2021-12-21 10.39 | New version of Lime BI is now available. |
| 2021-12-21 08.30 | Simplified Lime BI mitigation instruction. |
| 2021-12-20 08.48 | Added info regarding CVE-2021-45105. |
| 2021-12-15 12.29 | Added info regarding CVE-2021-45046. |
| 2021-12-13 16.25 | A patch has been published and is available to mitigate the vulnerability. |
| 2021-12-13 15.48 | A patch has been created and is being validated. |
| 2021-12-13 11.42 | Updated info regarding Elasticsearch. |
| 2021-12-12 20.24 | Page created. |
A high severity vulnerability (CVE-2021-44228) in the widely used Java logging framework Apache Log4j has been disclosed. Log4j is not directly used in Lime CRM, but it is used via third party components in the following system services:
A related vulnerability (CVE-2021-45046) was disclosed 2021-12-14. Lime BI is not affected by this vulnerability. Applying the patch for Lime CRM (below) will also remediate any possible vulnerability to CVE-2021-45046.
Yet another vulnerability (CVE-2021-45105) was disclosed 2021-12-16. Applying the existing Lime CRM patch (below) will remediate the vulnerability (denial of service). No mitigation exists for Lime BI, await official update.
| Product | Version | Platform |
|---|---|---|
| Lime CRM | ⇐ 2021.1.523 | On-premises |
| Lime BI | < 3.32.0 | On-premises |
Updated installers for Lime CRM and Lime BI will be released when ready. Until then perform mitigation actions as detailed below.
General details about the vulnerability can be found online, for example at:
Details regarding how Elasticsearch is affected can be found here.
There are patches available for both Lime CRM and Lime BI. Depending on which service you are using both need to be applied.
Download and execute the Python script found here. The script supports all versions of Lime CRM and needs to be run with admin privileges. It will automatically remove the vulnerability from the log4j library. Note that the Lime CRM Search Engine service will be restarted.
Usage:
patch-log4j-cve-2021-44228.py script to a temporary folder on the Lime CRM server."C:\Program Files (x86)\Lundalogik\procmd.bat"
python "c:\path\to\patch-log4j-cve-2021-44228.py"
If the installation is not located at C:\Program Files (x86)\Lundalogik\ the following command can be used to specify the correct location:
python "c:\path\to\patch-log4j-cve-2021-44228.py" --installdir "x:path\to\LIME Pro Server"
If the patch is successful the script will output The patch has been applied in green text.
An update of Lime BI is available which can be installed by updating to v3.32.0 or later. This update removes the vulnerability and enables the mitigation below. Note that the installer needs to be re-run as well in order to fully upgrade to the latest version.
For on-premises installations of Lime BI that cannot be updated to the latest version, the vulnerability can be mitigated by modifying Java runtime options. Execute the following command:
"C:\Program Files (x86)\Lundalogik\Python3\Lib\site-packages\nssm\bin\win64\nssm.exe" set lime-crm-bi AppParameters "-Dlog4j2.formatMsgNoLookups=true -jar ""c:\Lime BI\metabase.jar"""
Then restart the Lime BI service:
net stop lime-crm-bi net start lime-crm-bi