As the integrity and security of business operations are essential for all companies in all industries, ATOSS, as a provider of business software, is unconditionally committed to maintaining the highest possible level of security in its products. In this context, ATOSS supports the responsible disclosure of security vulnerabilities.
To keep you up to date, we publish current security information here.
We hereby inform you that a vulnerability has been identified in a third-party software component. This vulnerability has not yet been disclosed publicly.
Only the ATOSS products ATOSS Staff Efficiency Suite and ATOSS Startup Edition are affected by the vulnerability.
The vulnerability is corrected by a fix in the software.
An update containing a corrected version of the software component is available immediately for your ATOSS product.
Our customers of the ATOSS cloud products CLOUD24/7 and Cloud Solution are updated automatically.
We strongly recommend that our customers with On Premises software products install this security update.
The update can be requested here: Security Update 05/2022.
This week, Oracle informs about vulnerabilities in Java
(https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19).
We are currently investigating the details and assessing the risks. The most critical vulnerability reported in the news is CVE-2022-21449. As we are not using any of the affected Java versions (affected are Java 15 and above; ASES runs on Java 11), this vulnerability does not affect ASES at all.
We are nevertheless preparing an update of the Java runtime used in our products. This will be done as soon as the distributions are available, expected in the week starting 25.04.22.
At the end of March 2022, several security vulnerabilities became known in the widely used Java Spring libraries (CVE-2022-22965, CVE-2022-22963, CVE-2022-22950). The ATOSS products also use the Spring libraries in part. Our experts have examined our products in detail against the publicly disclosed information. Exploitation of these vulnerabilities requires various preconditions that depend on how the libraries are concretely used. According to our current knowledge, the prerequisites for critical cyberattacks are not met in the ATOSS products. This applies to the ATOSS Staff Efficiency Suite, ATOSS Time Control, and also to the add-on products AMIS ATOSS Mobile Integration Server and ABC ATOSS Business Connector. Thus, at this point in time, there is no increased risk and no concrete measures are required.
In the coming days, we will update the Spring libraries in our products to a current release as far as possible, in order to also minimize the risk from any further, more extensive vulnerabilities. The installation of an update on the customer side is not necessary for the time being. We are continuously monitoring the development and will take further measures if necessary.
As of 28 December, a new Log4j medium-severity vulnerability, CVE-2021-44832 (NVD - CVE-2021-44832 (nist.gov)), was published.
Since that day, our ATOSS specialists have examined these aspects in detail and, to the best of our current knowledge, have not been able to reproduce any realistic critical threat scenario for our ATOSS products with parameterizations within the usual standard. To assume a threat situation at all, unusual configurations would have to be in use in combination with a highly privileged user. Furthermore, in some cases internal prerequisites in the ATOSS products would have to be met for an attack to be possible, and these are not present.
Against this background, ATOSS currently assumes that the ATOSS products are not affected. Nevertheless, ATOSS is preparing further regular updates of the log4j library (version 2.17.1), and the statements made in our newsfeeds of 21.12.2021 continue to apply to all ATOSS products.
For the avoidance of doubt:
for all customers who have already installed the security update of 21.12.2021 (customers of ATOSS Time Control) or who have already requested the update described in our newsfeed of 21.12.2021 (customers of the ATOSS Startup Edition or ATOSS Staff Efficiency Suite), no further action is required until further notice.
We hereby would like to inform you about our current vulnerability assessment as follows:
Known vulnerability (CVE-2021-44228)
NVD - CVE-2021-44228 (nist.gov)
CVE-2021-44228 is the original highly critical vulnerability "Log4Shell", which triggered the BSI's alert level Red.
Your ATOSS products are also affected by this vulnerability. In our mailing of 13 December 2021, we already recommended mitigating the known risk by configuration with the JVM parameter -Dlog4j2.formatMsgNoLookups=true.
This configuration setting is strongly recommended until an update containing a new, corrected version of the log4j library is applied.
According to the published information, the vulnerable message lookup functionality is no longer included as of log4j version 2.16.0. Nevertheless, ATOSS is preparing further updates (version 2.17.0).
An update is now available for your ATOSS product that contains a corrected version of the log4j library.
We strongly recommend installing this update.
The update can be requested here: Log4j Security Update 12/2021
Known vulnerability (CVE-2021-45046, CVE-2021-45105)
NVD - CVE-2021-45046 (nist.gov)
NVD - CVE-2021-45105 (nist.gov)
These two vulnerabilities were disclosed in the wake of the original vulnerability (CVE-2021-44228). They are attack possibilities that can only be exploited if additional prerequisites are met.
Our ATOSS specialists have examined these aspects in detail and, to the best of our current knowledge, have not been able to reproduce any realistic scenario for our ATOSS products with parameterizations within the usual standard. To assume a threat situation at all, unusual configurations would have to be in use. Furthermore, in some cases internal prerequisites in the ATOSS products would have to be met for an attack to be possible, and these are not present. Against this background, ATOSS currently assumes that the ATOSS products are not affected.
Nevertheless, we strongly recommend updating to the current version.
An update is now available for your ATOSS product that contains a corrected version of the log4j library.
The update can be requested here: Log4j Security Update 12/2021.
We hereby would like to inform you about our current vulnerability assessment as follows:
Known vulnerability (CVE-2021-44228)
NVD - CVE-2021-44228 (nist.gov)
CVE-2021-44228 is the original highly critical vulnerability "Log4Shell", which triggered the BSI's alert level Red.
Your ATOSS products are also affected by this vulnerability. In our mailing of 13 December 2021, we already recommended mitigating the known risk by configuration with the JVM parameter -Dlog4j2.formatMsgNoLookups=true.
This configuration setting is strongly recommended until an update containing a new, corrected version of the log4j library is applied.
According to the published information, the vulnerable message lookup functionality is no longer included as of log4j version 2.16.0. Nevertheless, ATOSS is preparing further updates (version 2.17.0).
An update is now available for your ATOSS product "ATOSS Time Control" that contains a corrected version of the log4j library.
We strongly recommend installing this update.
The update is ready for download in the ATOSS weblounge at Release History.
Known vulnerability (CVE-2021-45046, CVE-2021-45105)
NVD - CVE-2021-45046 (nist.gov)
NVD - CVE-2021-45105 (nist.gov)
These two vulnerabilities were disclosed in the wake of the original vulnerability (CVE-2021-44228). They are attack possibilities that can only be exploited if additional prerequisites are met.
Our ATOSS specialists have examined these aspects in detail and, to the best of our current knowledge, have not been able to reproduce any realistic scenario for our ATOSS products with parameterizations within the usual standard. To assume a threat situation at all, unusual configurations would have to be in use. Furthermore, in some cases internal prerequisites in the ATOSS products would have to be met for an attack to be possible, and these are not present. Against this background, ATOSS currently assumes that the ATOSS products are not affected.
Nevertheless, we strongly recommend updating to the current version.
An update is now available for your ATOSS product "ATOSS Time Control".
The update is ready for download in the ATOSS weblounge at Release History.
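The two notices above (the entry for the ATOSS Staff Efficiency Suite and Startup Edition, and the entry for ATOSS Time Control) state which log4j release closes which CVE but leave verifying an installation to the reader. The following script is an added example and not ATOSS code: it walks an installation directory, reads the version from each log4j-core jar's embedded pom.properties, checks whether JndiLookup.class is still present, and lists the CVEs named on this page that the jar remains exposed to. The fixed-in versions are Apache's published ones for the log4j 2.x main line (2.15.0, 2.16.0, 2.17.0, 2.17.1); the in-memory sample jars are constructed for the example. The 2.12.x (Java 7) and 2.3.x (Java 6) maintenance lines have their own fixed versions and are not modelled.

```python
"""Inventory log4j-core jars under an installation tree and classify them
against the four log4j CVEs named on this page. Added example, not ATOSS code."""
import io
import os
import re
import zipfile

# Lowest log4j-core 2.x main-line release that resolves each CVE (Apache advisories).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.17.1' -> (2, 17, 1). Qualifiers such as '-beta9' or '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(fileobj):
    """Return (version tuple or None, JndiLookup.class present?) for a log4j-core jar."""
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        return version, JNDI_LOOKUP in names


def classify(version, has_jndi_lookup):
    """List the CVEs from FIXED_IN that a jar of this version is still exposed to."""
    if version is None:
        return ["unknown version: inspect manually"]
    open_cves = [cve for cve, fixed in FIXED_IN.items() if version < fixed]
    # Deleting JndiLookup.class (the pre-2.10 workaround) removes the JNDI attack
    # surface but does nothing for the recursion DoS or the JDBC appender issue.
    if not has_jndi_lookup:
        open_cves = [c for c in open_cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return open_cves


def scan(root):
    """Walk an installation tree; map every log4j-core*.jar path to its open CVEs.
    Jars that were renamed or shaded into another artifact are not found this way."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    version, jndi = inspect_jar(fh)
                report[path] = classify(version, jndi)
    return report


def make_fake_jar(version, include_jndi=True):
    """Constructed sample input: a minimal in-memory jar carrying only the two
    entries this script reads. Real log4j-core jars contain far more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True)):
        state = "JndiLookup present" if jndi else "JndiLookup removed"
        print(ver, state, "->", classify(*inspect_jar(make_fake_jar(ver, jndi))))
```

Run scan() against the product's installation root (for example the ASES\server tree or the Time Control program directory) and treat any non-empty list as a jar that the 12/2021 update has not yet replaced.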
Cybersecurity – security vulnerability in the Java library log4j
(Log4Shell, CVE-2021-44228 and CVE-2021-45046)
As you have almost certainly gathered from the media, a critical IT security vulnerability in the widespread Java library "log4j" (CVE-2021-44228) became known on 10 December 2021.
ATOSS is aware of the criticality of this security vulnerability and, immediately after it became known, began safeguarding the affected ATOSS products and ATOSS Cloud services as well as possible against potential attack. We are taking this problem very seriously. Our team of developers and IT and Cloud experts is working at full speed to close this vulnerability completely. We expect to be able to restore our full defences very quickly.
What are we doing in response to this vulnerability?
In response to security problems, we take a multi-level defence approach, which is essential to maintaining the security of our customers' data.
Based on the measures taken, we have so far been unable to identify any malicious access whatsoever.
ATOSS security information about ATOSS products
Our recommendation to our customers continues to be that they update all their applications and services by installing the updates we make available to them, and that they follow the carefully conceived BSI recommendations and guidelines, which are updated on a continuous basis here:
ATOSS updates and publishes new security information and pending updates continuously in the “Security” section on the ATOSS website www.atoss.com, as soon as further information becomes available. Therefore, please consult our company website regularly to view all security information published on ATOSS products.
Please send security messages about the discovery of a concrete incidence or further vulnerabilities by e-mail only to security@atoss.com, and include the relevant contents of the specific situation.
ATOSS security information about delivered hardware/terminals and third-party software
Owing to the questions relating to this issue, we have also been in contact with our main terminal providers. According to these manufacturers, the following configuration and communication software can be used safely:
If you also have the following programs installed, please make the adaptations described:
If you have further software, please contact the manufacturer concerned directly.
Thank you for your kind attention.
Dear ATOSS Customer,
It is all over the news: a security vulnerability was found in a widely used Java software library. This vulnerability is considered very critical; see the recent CISA statement: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability.
Your ATOSS product is potentially affected. In the coming days, ATOSS will make an update available. As a short-term measure, the critical feature can be deactivated by configuration. We recommend applying this configuration setting immediately.
This requires an additional entry at the end of the file ASES\server\ASESxy\tomcat\conf\wrapper.conf for each configured node. Please note that this applies to every function configured under \ASES\server, thus also to \ASES\server\AMISxy\tomcat\conf\wrapper.conf or ASES\server\ABCxy\tomcat\conf\wrapper.conf, if they exist:
# Disable Log4j message lookups
wrapper.java.additional.XY=-Dlog4j2.formatMsgNoLookups=true
Instead of "XY", please use the next number in the sequence of existing entries.
A restart of the configured nodes is necessary for this change to take effect.
If you have any questions, please contact the ATOSS Hotline.
Best regards,
Your ATOSS Team
PS: If your ATOSS Staff Efficiency Suite version is below 13, please contact ATOSS in any case!
Dear ATOSS Customer,
It is all over the news: a security vulnerability was found in a widely used Java software library. This vulnerability is considered very critical; see the recent CISA statement: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability.
Your ATOSS product is potentially affected. In the coming days, ATOSS will make an update available. As a short-term measure, the critical feature can be deactivated by configuration. We recommend applying this configuration setting immediately.
This requires setting the system environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to the value "true". It should be set as a system environment variable if ATOSS Time Control or AMIS (ATOSS Mobile Information Server) is operated as a service. The environment variable must also be set if you run ATOSS Time Control as an application or in a container.
A restart of all components of your ATOSS Time Control solution is necessary for this change to take effect.
If you have any questions, please contact the ATOSS Hotline.
Best regards,
your ATOSS Team
PS: If your ATOSS Time Control version is below 9.5, please contact ATOSS in any case!
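The two customer notices above describe the same interim mitigation in two forms: a JVM option appended to each node's wrapper.conf (ATOSS Staff Efficiency Suite) and the LOG4J_FORMAT_MSG_NO_LOOKUPS system environment variable (ATOSS Time Control). The script below is an added example and not ATOSS code: patch_wrapper_conf() appends the entry with the next free index exactly as the first notice describes and is safe to run a second time, patch_tree() applies it to every <server root>\<node>\tomcat\conf\wrapper.conf (ASESxy, AMISxy, ABCxy or any other node directory), and lookups_disabled() checks whether either switch is actually in effect for a given JVM command line and environment. The sample wrapper.conf content is constructed. Caveat from the Apache log4j advisories: the formatMsgNoLookups property and the environment variable are honoured only by log4j 2.10 through 2.14.x; older 2.x releases ignore both, and 2.15.0 and later no longer need them.

```python
"""Apply and verify the Log4Shell interim mitigation from the notices above.
Added example, not ATOSS code. Paths are joined with os.path so it runs on
Windows, where the ASES\\server tree normally lives."""
import os
import re

MITIGATION = "-Dlog4j2.formatMsgNoLookups=true"
ENV_MITIGATION = ("LOG4J_FORMAT_MSG_NO_LOOKUPS", "true")
# Java Service Wrapper option lines: wrapper.java.additional.<N>=<jvm argument>
ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*)$")


def patch_wrapper_conf(text):
    """Return (new_text, changed). Uses the highest existing index + 1, as the
    notice instructs ('the next number in the sequence'). A file that already
    carries the property is returned unchanged."""
    highest = 0
    for line in text.splitlines():
        m = ADDITIONAL_RE.match(line)
        if not m:
            continue
        highest = max(highest, int(m.group(1)))
        if m.group(2).strip() == MITIGATION:
            return text, False
    entry = ("# Disable Log4j message lookups\n"
             "wrapper.java.additional.%d=%s\n" % (highest + 1, MITIGATION))
    if text and not text.endswith("\n"):
        text += "\n"
    return text + entry, True


def find_wrapper_confs(server_root):
    """Every <server_root>/<node>/tomcat/conf/wrapper.conf, whatever the node is called."""
    found = []
    for node in sorted(os.listdir(server_root)):
        candidate = os.path.join(server_root, node, "tomcat", "conf", "wrapper.conf")
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def patch_tree(server_root):
    """Patch every node under server_root in place; return the files that changed.
    The nodes still have to be restarted afterwards for the option to take effect."""
    changed = []
    for path in find_wrapper_confs(server_root):
        with open(path, "r", encoding="utf-8") as fh:
            original = fh.read()
        new_text, did_change = patch_wrapper_conf(original)
        if did_change:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(new_text)
            changed.append(path)
    return changed


def lookups_disabled(jvm_args, environ):
    """True when either form of the mitigation applies to a JVM started with
    `jvm_args` (list of arguments) in environment `environ` (mapping).
    Only meaningful for log4j 2.10 through 2.14.x; older 2.x ignore both."""
    if MITIGATION in jvm_args:
        return True
    name, value = ENV_MITIGATION
    return environ.get(name, "").strip().lower() == value


# Constructed sample wrapper.conf fragment, not taken from a real installation.
SAMPLE_CONF = """wrapper.java.command=../../jre/bin/java
wrapper.java.additional.1=-Xmx2048m
wrapper.java.additional.2=-Dfile.encoding=UTF-8
"""

if __name__ == "__main__":
    patched, changed = patch_wrapper_conf(SAMPLE_CONF)
    print(patched)
    print("first run changed:", changed,
          "| second run changed:", patch_wrapper_conf(patched)[1])
    print("effective via env var:",
          lookups_disabled([], {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}))
```

For a real installation, call patch_tree() with the ASES\server directory, restart the nodes, and then feed the arguments of the running Java process (for example from Task Manager's command-line column or from the wrapper's own log) and the service's environment into lookups_disabled() to confirm that one of the two switches is in effect.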