Planmeca - Better care through innovation
Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products

Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products

Last updated: 07 January 2022

Note: This article will be updated as more information becomes available. We recommend you check back regularly.

Note: Planmeca Romexis 6.2.1 SP2, Planmeca Imaging Package 17.2 and Planmeca Viso Package 11.4, where the Log4j vulnerability has been resolved, are now available through your local dealer.

Background

On 10 December 2021, a vulnerability (CVE-2021-44228) was announced in the widely used Log4j (version 2) library: Apache Log4j Security Vulnerabilities

This library is used by many software vendors and service providers globally as a standardised way of handling log messages within software. The affected Log4j library is used in some of Planmeca’s products. As many other organisations, Planmeca immediately began to investigate which of our products might be affected.

The impact of the vulnerability

The vulnerability allows an attacker to cause the target system to fetch and execute code from a remote location controlled by the attacker. The second stage – what the downloaded malicious code does next – is fully up to the attacker.

According to newly published information a server does not need to run a webservice or be connected to the internet in order to be vulnerable in certain circumstances. Also considering that all exploits are not yet identified, and new ones are being published, we strongly recommend our customers to:

Without delay apply the environment variable mitigation presented below
Update all affected systems to Romexis 6.2.1.R SP2, available now through your local dealer

Planmeca Romexis® and Planmeca imaging software components do not contain web services that are accessible from the internet when installed according to Planmeca installation guidelines. All access to the Planmeca Romexis server is done – according to our guidelines – in closed internal networks protected by appropriate firewalls, and thus no software components should be open or accessible from open or public networks.

According to our analysis, the Log4j components are used in Planmeca Romexis versions 6.1.1 and later in a way that does not provide any known attack vectors. The same applies to all other Planmeca software. In addition, DidapiConfig, the Device Tool and System Updater are tools used by technicians only during maintenance. The software cannot be attacked when it is not used.

We are aware that some of the scanners for the vulnerability will find vulnerabilities regarding log4j versions 1.x and 2.x even after mitigations from Planmeca software. The additional found ones are not real threats after mitigation actions described here.

Factors reducing the likelihood of a successful attack against Planmeca products:

No publicly accessible interfaces when installed according to Planmeca guidelines
The newer Java version in use excludes the most obvious LDAP vulnerability
While Planmeca installation guidelines and the newer Java version in use may reduce the likelihood of a successful attack we strongly recommend additional mitigation listed above. Same applies to all other Planmeca software. The least likely components to be vulnerable are , DidapiConfig, Device Tool and System Updater that are tools used momentarily by technicians only during maintenance. When software is not used, it cannot be attacked

What Planmeca products are affected

Software

Planmeca Romexis® 6.1.1, Planmeca Romexis 6.2 and Planmeca Romexis 6.2.1

3D imaging products

All Planmeca Viso® and Planmeca ProMax® 3D units

Planmeca Reconstruction PC software 4.6.3 and later
Planmeca Device Tool 5.0.0 and later
Planmeca System Updater 5.0.0 and later
Planmeca Didapi Kit : DidapiConfig,5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later

2D imaging products

Planmeca ProMax® 2D, Planmeca ProOne®, Planmeca ProSensor®, Planmeca ProScanner®

Planmeca Device Tool, 5.0.0 and later
Planmeca System Updater, 5.0.0 and later
Planmeca Didapi Kit: DidapiConfig,5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later

Note: Other products or versions including Planmeca Romexis® Cloud are NOT affected.

Even though no attack vectors using Planmeca Romexis have been identified out of an abundance of caution we have also released a new Romexis version 6.2.1 SP2 that uses the latest version of the log4j component with all known vulnerabilities fixed.

Following methods do not fix all vulnerabilities but as Romexis is not in the first line of the targets they do protect most of the attack vectors and it is often enough and strongly recommended measure of protection.

Full protection is achieved by log4j version upgrade included in Romexis 6.2.1 SP2.

In addition, Planmeca has released imaging software releases with upgraded log4j library versions. Until the fixed software versions are installed, you can mitigate the problem with the instructions below.

How to mitigate the vulnerability on the Planmeca Romexis® server and client in Windows

1. Type Environment in the Windows search box to enter the Edit the system environment variables menu.

2. From the opening System Properties window, select the Advanced tab. From there, click Environment Variables.

3. From the opening window, click New to create a new rule for System Variables.

4. Type the following texts in the opening window and click OK.

Variable name:
LOG4J_FORMAT_MSG_NO_LOOKUPS

Variable value: true

5. The new rule should now be visible in the System variables window.

How to mitigate the vulnerability on the Planmeca Romexis® server and client in macOS

Pass as a JVM Flag
Add this flag to Romexis Server and Client startup scripts: -Dlog4j2.formatMsgNoLookups=true.

Server

Edit file "/Applications/Planmeca/Romexis/server/RomexisServer.sh" adding the JVM flag to server startup script by right clicking it and choosing "Open in Application" TextEdit:

/Applications/Planmeca/Romexis/tools/jre/bin/java \
-Dlog4j2.formatMsgNoLookups=true \
-Xmx3000m \
-Djava.awt.headless=true -Xdock:name="Romexis Server" \
-jar RomexisServer.jar

Client

Open "/Applications/Planmeca/Romexis.app" by right clicking it in Finder and choosing "Show Package Contents". Edit the file in package "Contents/MacOS/Romexis" by right clicking and choosing "Open in Application" TextEdit and adding the JVM flag:

exec "$JAVACMD" \
-Dlog4j2.formatMsgNoLookups=true \
-Dj3d.rend=d3d \
-Xms500m -Xmx16G \
-Dapple.laf.useScreenMenuBar=true \
-Xdock:icon=/Applications/Planmeca/Romexis.app/Contents/Resources/Romexis.icns \
-jar Romexis.jar \
host=localhost \
port=1099 \
romexis_config_port=2099 \
language=en \
${additionalArguments}

Please note that these are sample scripts that might have different parameters in your environment. You only need to add the “-Dlog4j2.formatMsgNoLookups=true \” line to your existing script using the backslash “\” character as a line break.

Save the edited scripts and restart both the server and the client for the parameter to come into effect.

How to mitigate the vulnerability in Planmeca Viso® and Planmeca ProMax® 3D units

Didapi Kit

DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.

Reconstruction PC

The following command can be used on the Planmeca Reconstruction PC to mitigate the issue by modifying the Log4j functionality:

$ sudo zip -d /pm3DData/reco.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/net/JndiManager.class
$ reboot

How to mitigate vulnerability with Planmeca 2D Imaging products Planmeca ProMax 2D, Planmeca ProOne, Planmeca ProSensor, Planmeca ProScanner

Didapi Kit

DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.

Revision history

Initial release
15 December 2021

Update
17 December 2021
Planmeca to release new software versions to prevent use of vulnerability

Update
20 December 2021
Added instructions regarding DidapiKit

Update
22 December 2021
Information about Romexis security upgrade SP2

Update
23 December 2021
Some refinement of information about Romexis security upgrade SP2

Update
07 January 2022
Some details about version numbers corrected

Update
08 February 2022
Note about vulnerability scanners and log4j versions 1.x

Contact:

Planmeca After Sales
aftersales(a)planmeca.com

Dental imaging software

Supporting applications and services

Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products

Background

The impact of the vulnerability

What Planmeca products are affected

Software

3D imaging products

2D imaging products

How to mitigate the vulnerability on the Planmeca Romexis® server and client in Windows

How to mitigate the vulnerability on the Planmeca Romexis® server and client in macOS

Server

Client

How to mitigate the vulnerability in Planmeca Viso® and Planmeca ProMax® 3D units

Didapi Kit

Reconstruction PC

How to mitigate vulnerability with Planmeca 2D Imaging products Planmeca ProMax 2D, Planmeca ProOne, Planmeca ProSensor, Planmeca ProScanner

Didapi Kit

Revision history

Contact: