- Solutions for you
- Imaging
- Dental units
- CAD/CAM
- Software
- User experiences
- Dental Cabinetry
- Company
- News & events
- Training
- Material Bank
- veterinary
- Extranet
- Planmeca Group Privacy Notice
Resources
- Planmeca - Better care through innovation
- Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products
Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products
Last updated: 07 January 2022
Note: This article will be updated as more information becomes available. We recommend you check back regularly.
Note: Planmeca Romexis 6.2.1 SP2, Planmeca Imaging Package 17.2 and Planmeca Viso Package 11.4, where the Log4j vulnerability has been resolved, are now available through your local dealer.
Background
On 10 December 2021, a vulnerability (CVE-2021-44228) was announced in the widely used Log4j (version 2) library: Apache Log4j Security Vulnerabilities
This library is used by many software vendors and service providers globally as a standardised way of handling log messages within software. The affected Log4j library is used in some of Planmeca’s products. As many other organisations, Planmeca immediately began to investigate which of our products might be affected.
The impact of the vulnerability
The vulnerability allows an attacker to cause the target system to fetch and execute code from a remote location controlled by the attacker. The second stage – what the downloaded malicious code does next – is fully up to the attacker.
According to newly published information a server does not need to run a webservice or be connected to the internet in order to be vulnerable in certain circumstances. Also considering that all exploits are not yet identified, and new ones are being published, we strongly recommend our customers to:
- Without delay apply the environment variable mitigation presented below
- Update all affected systems to Romexis 6.2.1.R SP2, available now through your local dealer
Planmeca Romexis® and Planmeca imaging software components do not contain web services that are accessible from the internet when installed according to Planmeca installation guidelines. All access to the Planmeca Romexis server is done – according to our guidelines – in closed internal networks protected by appropriate firewalls, and thus no software components should be open or accessible from open or public networks.
According to our analysis, the Log4j components are used in Planmeca Romexis versions 6.1.1 and later in a way that does not provide any known attack vectors. The same applies to all other Planmeca software. In addition, DidapiConfig, the Device Tool and System Updater are tools used by technicians only during maintenance. The software cannot be attacked when it is not used.
We are aware that some of the scanners for the vulnerability will find vulnerabilities regarding log4j versions 1.x and 2.x even after mitigations from Planmeca software. The additional found ones are not real threats after mitigation actions described here.
Factors reducing the likelihood of a successful attack against Planmeca products:
- No publicly accessible interfaces when installed according to Planmeca guidelines
- The newer Java version in use excludes the most obvious LDAP vulnerability
- While Planmeca installation guidelines and the newer Java version in use may reduce the likelihood of a successful attack we strongly recommend additional mitigation listed above. Same applies to all other Planmeca software. The least likely components to be vulnerable are , DidapiConfig, Device Tool and System Updater that are tools used momentarily by technicians only during maintenance. When software is not used, it cannot be attacked
What Planmeca products are affected
Software
Planmeca Romexis® 6.1.1, Planmeca Romexis 6.2 and Planmeca Romexis 6.2.1
3D imaging products
All Planmeca Viso® and Planmeca ProMax® 3D units
- Planmeca Reconstruction PC software 4.6.3 and later
- Planmeca Device Tool 5.0.0 and later
- Planmeca System Updater 5.0.0 and later
- Planmeca Didapi Kit : DidapiConfig,5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later
2D imaging products
Planmeca ProMax® 2D, Planmeca ProOne®, Planmeca ProSensor®, Planmeca ProScanner®
- Planmeca Device Tool, 5.0.0 and later
- Planmeca System Updater, 5.0.0 and later
- Planmeca Didapi Kit: DidapiConfig,5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later
Note: Other products or versions including Planmeca Romexis® Cloud are NOT affected.
Even though no attack vectors using Planmeca Romexis have been identified out of an abundance of caution we have also released a new Romexis version 6.2.1 SP2 that uses the latest version of the log4j component with all known vulnerabilities fixed.
Following methods do not fix all vulnerabilities but as Romexis is not in the first line of the targets they do protect most of the attack vectors and it is often enough and strongly recommended measure of protection.
Full protection is achieved by log4j version upgrade included in Romexis 6.2.1 SP2.
In addition, Planmeca has released imaging software releases with upgraded log4j library versions. Until the fixed software versions are installed, you can mitigate the problem with the instructions below.
How to mitigate the vulnerability on the Planmeca Romexis® server and client in Windows
1. Type Environment in the Windows search box to enter the Edit the system environment variables menu.
2. From the opening System Properties window, select the Advanced tab. From there, click Environment Variables.
3. From the opening window, click New to create a new rule for System Variables.
4. Type the following texts in the opening window and click OK.
Variable name:
LOG4J_FORMAT_MSG_NO_LOOKUPS
Variable value: true
5. The new rule should now be visible in the System variables window.
How to mitigate the vulnerability on the Planmeca Romexis® server and client in macOS
Pass as a JVM Flag
Add this flag to Romexis Server and Client startup scripts: -Dlog4j2.formatMsgNoLookups=true.
Server
Edit file "/Applications/Planmeca/Romexis/server/RomexisServer.sh" adding the JVM flag to server startup script by right clicking it and choosing "Open in Application" TextEdit:
/Applications/Planmeca/Romexis/tools/jre/bin/java \
-Dlog4j2.formatMsgNoLookups=true \
-Xmx3000m \
-Djava.awt.headless=true -Xdock:name="Romexis Server" \
-jar RomexisServer.jar
Client
Open "/Applications/Planmeca/Romexis.app" by right clicking it in Finder and choosing "Show Package Contents". Edit the file in package "Contents/MacOS/Romexis" by right clicking and choosing "Open in Application" TextEdit and adding the JVM flag:
exec "$JAVACMD" \
-Dlog4j2.formatMsgNoLookups=true \
-Dj3d.rend=d3d \
-Xms500m -Xmx16G \
-Dapple.laf.useScreenMenuBar=true \
-Xdock:icon=/Applications/Planmeca/Romexis.app/Contents/Resources/Romexis.icns \
-jar Romexis.jar \
host=localhost \
port=1099 \
romexis_config_port=2099 \
language=en \
${additionalArguments}
Please note that these are sample scripts that might have different parameters in your environment. You only need to add the “-Dlog4j2.formatMsgNoLookups=true \” line to your existing script using the backslash “\” character as a line break.
Save the edited scripts and restart both the server and the client for the parameter to come into effect.
How to mitigate the vulnerability in Planmeca Viso® and Planmeca ProMax® 3D units
Didapi Kit
DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.
Reconstruction PC
The following command can be used on the Planmeca Reconstruction PC to mitigate the issue by modifying the Log4j functionality:
$ sudo zip -d /pm3DData/reco.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/net/JndiManager.class
$ reboot
How to mitigate vulnerability with Planmeca 2D Imaging products Planmeca ProMax 2D, Planmeca ProOne, Planmeca ProSensor, Planmeca ProScanner
Didapi Kit
DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.
Revision history
Initial release
15 December 2021
Update
17 December 2021
Planmeca to release new software versions to prevent use of vulnerability
Update
20 December 2021
Added instructions regarding DidapiKit
Update
22 December 2021
Information about Romexis security upgrade SP2
Update
23 December 2021
Some refinement of information about Romexis security upgrade SP2
Update
07 January 2022
Some details about version numbers corrected
Update
08 February 2022
Note about vulnerability scanners and log4j versions 1.x
Contact:
Planmeca After Sales
aftersales(a)planmeca.com