Apache Log4j remote code execution vulnerability CVE-2021-44228 with Spider OneSearch relying on Enterprise Service Infrastructure (ESI)

Summary

A critical vulnerability in Apache Log4j impacting versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Enterprise Service Infrastructure (ESI) has been identified as a potentially exposed component. ESI is installed in addition to Spider to use the Spider OneSearch functionality. Spider instances using OneSearch (which therefore rely on ESI) have a search bar in the upper right corner.

Spider itself is not affected if OneSearch/ESI is not used.

We recommend deactivating OneSearch and uninstalling Enterprise Service Infrastructure (ESI).
This article shows what steps are required to do this.

Is Spider OneSearch configured?

The Spider Admin Tool can be used to find out whether Spider OneSearch is configured.

  • Open Spider Admin and connect to the Spider database.
  • Choose “Spider Core” from the menu and click “Config”.
  • In the tree view on the left, navigate to the “Config / Application / Indexing” node.
    You will find it by expanding the Application node.
  • Check the key “Enabled”.

The value “False” means that OneSearch is not activated. You can then continue with the step "Check whether the Enterprise Service Infrastructure is installed?".

The value “True” means OneSearch is enabled and should be disabled. Please change the value to False and continue with the following steps. This disables OneSearch and the indexing functionality.

Check whether the Enterprise Service Infrastructure (ESI) is installed?

To find out whether Enterprise Service Infrastructure (ESI) is installed, please look under Windows "Programs and Features" for the name "Brainwaregroup ESI" from the publisher "brainwaregroup".

There are two ways to proceed:

  1. Uninstall Enterprise Service Infrastructure (ESI)
  2. Switch off the Enterprise Service Infrastructure (ESI)

How to uninstall Enterprise Service Infrastructure (ESI)?

The uninstall can be started under Windows "Programs and Features".

Select the program "Brainwaregroup ESI" and start the uninstall process. Please ensure that indexing is deactivated in the Spider config (Enabled = False), as described above. 

To verify the change, log on to Spider and navigate to "Information about index" in the System menu. You should be greeted by a mostly empty page saying that the index has been deactivated. The OneSearch search bar in the upper right corner has disappeared.

How to switch off Enterprise Service Infrastructure (ESI)?

As an alternative to uninstalling, ESI can be deactivated.

  • Stop the corresponding Microsoft IIS Application Pool
  • Stop the service “index GlassFish Server” and switch its startup type to “Manual”

To stop serving the Index with IIS on the Application Server:

Start the IIS Management console and navigate to the Application Pool belonging to the indexing application. Its name should contain the string “IndexAppPool”. Stop the application pool.

Now the connection between Spider and the Elastic Search on the GlassFish server is switched off.

The last item still running and potentially threatening your system is the indexing server itself. You will find it as a running service named index GlassFish Server.

Stop this service and set its startup type to manual to prevent it from restarting.

Now the Indexing Service is stopped and no information is passed from Spider to this service or vice versa. The Service itself cannot be addressed internally anymore because it is no longer running.

To verify the change, log on to Spider and navigate to "Information about index" in the System menu. You should be greeted by a mostly empty page saying that the index has been deactivated. The OneSearch search bar in the upper right corner has disappeared.
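
The switch-off steps above as a PowerShell script; this is an added example, not vendor tooling. The display-name patterns ("index GlassFish Server" from the article, "brainwaregroup ESI" as readers of this page report seeing it) and the `*glassfish*` path match are assumptions drawn from this page, and setting `autoStart` to false goes beyond the article's step.

```powershell
#Requires -RunAsAdministrator
# Added example: name patterns below are assumptions taken from this page.
param([switch]$Apply)   # without -Apply the script only reports what it finds

# 1. Is ESI installed? Same data that "Programs and Features" displays.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$esi = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Brainwaregroup ESI*' }
if ($esi) { $esi | Select-Object DisplayName, DisplayVersion, Publisher }
else      { Write-Output 'Brainwaregroup ESI is not listed as installed.' }

# 2. Find the indexing service by display name or by a GlassFish binary path,
#    stop it and set it to Manual so it does not come back after a reboot.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.DisplayName -like '*index GlassFish Server*' -or
    $_.DisplayName -like '*brainwaregroup ESI*' -or
    $_.PathName -like '*glassfish*'
}
foreach ($svc in $services) {
    Write-Output ('Service {0} ({1}): {2}, start mode {3}' -f
        $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode)
    if ($Apply) {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Manual
    }
}
if (-not $services) { Write-Output 'No matching indexing service found.' }

# 3. Stop every IIS application pool whose name contains "IndexAppPool".
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -like '*IndexAppPool*' }
    foreach ($pool in $pools) {
        Write-Output ('App pool {0}: {1}' -f $pool.Name, $pool.State)
        if ($Apply) {
            if ($pool.State -ne 'Stopped') { Stop-WebAppPool -Name $pool.Name }
            # Beyond the article's step: keep the pool stopped across IIS restarts.
            Set-ItemProperty -Path "IIS:\AppPools\$($pool.Name)" -Name autoStart -Value $false
        }
    }
} else { Write-Output 'WebAdministration module not found; check the pool in IIS Manager.' }
```

Run it once without `-Apply` on the Spider application server to review what matches, then again with `-Apply` from an elevated prompt.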

Comments

Hi,

I choose the path of deactivating.

Is the presence of a service called "Glassfish..." a must? Can't find it as a service.

 

regards

hans

@HPMeyer 

Same here, no index GlassFish Server Service on our Servers!

 

Thank you for asking.

Glassfish Server Service is included in Enterprise Service Infrastructure (ESI). And ESI is an optional add-on installation for Spider to use OneSearch functionality. Not all customers have installed ESI for the OneSearch capability. 

If no ESI is installed, no action is required. Spider is completely built on Microsoft .NET and no Java code is used in Spider.

On our system we have installed "Brainwaregroup ESI" (under Control Panel -> Program and Features) in version 4.6.0.2088

but no service "index GlassFish Server"


So do I have ESI or not? It's really confusing.

 

Brainware ESI is installed, no service with the name Glassfish can be found.

There is another way to verify whether ESI OneSearch is active on your system:

Do you have the active Search window in the top right-hand corner in Spider?

Check the Spider menu 'Informationen zum Index' - anything in there?

@peter_link 

I have already done every step of your tutorial to fix the problem. Only the last step, disabling the service "index GlassFish Server", fails because I cannot find it on the server.

Therefore also the question of whether it is a problem if the service "index GlassFish Server" is not present.

 

The search bar in the upper right corner has disappeared, and the message at "information about the index" shows that the service is deactivated.

Thanks for this guideline!

 

I checked our system:
- I can't find "Brainwaregroup ESI" (under Control Panel -> Program and Features)
- I can't find "index GlassFish Server" service
--> so all great, because we haven't installed ESI (am I right?)

 

But we are using "Spider Data Collector". Is it the same as "Spider" software, because I don't have "Spider Admin" on our server. Therefore I'm not able to follow these steps.

 

Thanks in advance!

BR Hannes

PS C:\Windows\system32> Get-Service -Displayname "*brain*"

Status   Name         DisplayName
------   ----         -----------
Running  indexproxy   brainwaregroup ESI

There is no service called "Elastic" or "Lucene" or "index GlassFish Server"

The display name on our server for this service is "brainwaregroup ESI"

The description is: "GlassFish Server" and the path "C:\Spider\ESI\3rdparty\payara-4.1\glassfish\domains\index\bin\indexproxyService.exe"

 

So I think you meant to deactivate this service, right?

 

spider_service.PNG

@peter_link great, thanks for your help!

But I'm not sure if there is a difference between the "Spider Data Collector" (we are using) and the "Spider" software (you speak to).

 

Thanks,
Hannes

hriedl

Spider Data Collector collects asset information; it is often installed on a different server.

The Spider Application Server works with the collected asset information.

The Brainwaregroup ESI One Search was normally installed on the Spider Application Server; it was used to find information a bit quicker.

@peter_link  Okay, great. Thanks for your help!

MartinK - yes, that's correct: set the service with display name (Anzeigename) brainwaregroup ESI to manual startup, or if you prefer you could also disable it.

@MartinK,

I could reproduce the path from your 12:33h article. How do I get to the picture (screenshot of properties?) from your article from 12:34h?

best regards

Hans

@HPMeyer 

Open "services.msc", then search for the service "brainwaregroup ESI" and open its properties!

@MartinK  Thanks!

Right-click the service and click on Properties (Eigenschaften).

@peter_link  The problem is your tutorial. There is a missing step to the picture with the GlassFish service. You should tell the customer the way via the Brainware ESI service.

 

regards

Hans

Thanks, I will pass this on.

Regards

Peter

Version history
Last update: Dec 14, 2021 11:34 AM