I would think that Epicor Knowledge Mentor is affected. They are also running on Apache Tomcat.
@jkane is correct. Docstar uses Apache Log4J for it’s indexing service ‘solr’.
Got my patch instruction email late yesterday. Contents as follows:
(sorry for the rough formatting - the email formatting is goofy and this looks better than plain text)
Epicor ECM (the new name for DocStar)
December 13, 2021
Attention Epicor ECM (DocStar) customers:
In order to mitigate the [CVE-2021-44228 vulnerability](https://click.icptrack.com/icp/relay.php?r=96898829&msgid=2682199&act=DB51&c=939003&destination=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2021-44228&cf=16735&v=9a8c79212d3367fb3f5861bf2a15d4318b312ac460b37f1bdbf4cfe3b43cfaf2), your ECM server needs to be updated.
Epicor ECM uses Apache SOLR for document indexing. Apache Solr is affected by Apache Log4J CVE-2021-44228.
To mitigate:
1. On your ECM server, locate the file: C:\\Program Files\\Astria Solutions Group\\Eclipse Solr\\Solr\\bin\\solr.in.cmd
2. Edit the solr.in.cmd file and add the following entry to the end of the file:
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
3. Restart SOLR
Additional Details:
* [Apache Solr Security News](https://click.icptrack.com/icp/relay.php?r=96898829&msgid=2682199&act=DB51&c=939003&destination=https%3A%2F%2Fsolr.apache.org%2Fsecurity.html%23apache-solr-affected-by-apache-log4j-cve-2021-44228&cf=16735&v=6e3712434fafcfbf9de3327d6e5f20ec3ff1c7d2d6832027c97a028b2af10e08)
* [National Vulnerability Database](https://click.icptrack.com/icp/relay.php?r=96898829&msgid=2682199&act=DB51&c=939003&destination=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2021-44228&cf=16735&v=6b338142b6499a3dd4389c6a0d69b42d3c6d0392a9148ca3d9514aa1117f62ff)
* [LunaSec](https://click.icptrack.com/icp/relay.php?r=96898829&msgid=2682199&act=DB51&c=939003&destination=https%3A%2F%2Fwww.lunasec.io%2Fdocs%2Fblog%2Flog4j-zero-day%2F&cf=16735&v=da363edf39aebae12990da29a2c5902806c6927bd309d1782068b0a9011f60ed)
If you have specific questions about the enclosed, please call customer support at 866.243.2240.
As always, thank you for being a valued Epicor ECM customer!
I’m late to this party but Elastic Search is a big one on peoples’ websites - if your eComm provider doesn’t patch this it could provide a vector into (in our case) Service Connect, despite ESC itself being unaffected. They patched it before we found it in our case but worth checking.
Also anyone on prem - we found it in VMWare and our implementation of Ono, and of course in all our UniFi switches. Not Epicor exactly but if you’re our size or smaller you may well wear the security hat too.
Direct email to me. Not sure what lists I’m on any more, but I’m on a lot of them!
Looks like it’s the “Epicor ECM On-Premises” list on Docstar’s iContact list server. I cannot find how I signed up to that list, and it’s the first email that I can think of that I’ve received from that list.
Would anybody know if Bartender or Doclink APM be affected by it.
From their website:
Thanks Doug for the update.
We just found that DocStar ECM has a vulnerability it’s Apache Solr component. Support had me edit the solr.in cmd file to mitigate for now. Still waiting on clarification on the KB. They attached an internal KB (KB0118090) but it’s not available on EpicCare.
Edit- I see Mr. Gross already posted on this. On prem and received nothing from Epicor on it. Found via our regular Tenable scans.
Does Epicor push notifications out when a vulnerability has been discovered? I see @MikeGross got a notification from DocStar directly. I haven’t quite figured out exactly how to make it onto that ListServ, but i would love these notifications. I see that there is a general statement on Epiccare now, but it doesn’t link back to the resources that tell you how to patch the vulnerability. Worse, it doesn’t include a statement on integrations. With DocStar being an Epicor product I would have expected that.
Let me know if I am missing something that I should be subscribing to…
Update: added a suggestion for improvement: Idea KNTC-I-2178 created
https://epicor-manufacturing.ideas.aha.io/ideas/KNTC-I-2178
@psiebers I even tried to backtrack that list and checked on Epiccare and Epicweb to see fi there is something I could find to link to in my post above - could not find it. I just searched again and still cannot.
If we knew who, inside Epicor, could help with this I’d be happy to share the email with them to help us figure it out?
Anyone with Epicor Marketing on this site?
I found this thread through a Google search and then went to EpicCare and have entered a couple of cases, one for Docstar and one for Kinetic. I may have to enter another for Mattec, and another for QuickShip…
They provided the same instructions as above for Docstar (slightly more detailed, which is good as I’m brand-new to Epicor)
I also fired off an email to our project manager, since we’re still in implementation.
What I really wanted to say here was this: the mitigation provided only works if the version is >= 2.10.0 and I have no idea if that is true.
I got the “Product Alert” as well. To my knowledge I’ve never signed up for anything with ECM/Docstar.
EDIT: Our corporate president also got the alert. It has to be something with the licensing. We were the only two that had our e-mails connected when we first got ECM/Docstar
This proves again the value of this forum… I found out we possibly had an Epicor related vulnerability prior to it becoming an issue and I am looking at Tenable for future detection of these type of threats.
Not Epicor but if you use Informatica they use log4j I’ve asked them if they’ve patched it yet. It’s SaaS so hopefully they have. I tried to open their KB article but it’s not opening for me (LOL): Support
Thinkst, the people behind canarytokens.org, have created a canary token that you can use to test systems for the Log4Shell vulnerability:
Goto the bottom of the Generate list and choose Log4Shell. It generates a GUID for you and you paste that into a field and submit it. If the system is vulnerable then it will notify you.
I just received another notification from Epicor regarding ECM/Docstar. There may be more you need to do to fix it.
https://epiccare.epicor.com/epiccare?id=epiccare_kb_article&sys_id=KB0118090
I didn’t get the email either. Thank you!
Do you know if there is any remediation required for IDC?
Do not know about IDC 100%, but I think not given it’s architecture does not include the Apache product.