Planmeca Romexis® 6.1.1, Planmeca Romexis 6.2 and Planmeca Romexis 6.2.1
All Planmeca Viso® and Planmeca ProMax® 3D units
Planmeca ProMax® 2D, Planmeca ProOne®, Planmeca ProSensor®, Planmeca ProScanner®
Note: Other products or versions including Planmeca Romexis® Cloud are NOT affected.
Even though no attack vectors using Planmeca Romexis have been identified, out of an abundance of caution we have also released a new Romexis version, 6.2.1 SP2, that uses the latest version of the log4j component with all known vulnerabilities fixed.
The following methods do not fix all of the vulnerabilities, but because Romexis is not in the first line of targets they block most of the attack vectors; this is often a sufficient measure of protection and is strongly recommended.
Full protection is achieved by the log4j version upgrade included in Romexis 6.2.1 SP2.
In addition, Planmeca has released imaging software releases with upgraded log4j library versions. Until the fixed software versions are installed, you can mitigate the problem with the instructions below.
1. Type Environment in the Windows search box to enter the Edit the system environment variables menu.
2. From the opening System Properties window, select the Advanced tab. From there, click Environment Variables.
3. From the opening window, click New to create a new rule for System Variables.
4. Type the following values in the opening window and click OK.
Variable name: LOG4J_FORMAT_MSG_NO_LOOKUPS
Variable value: true
5. The new rule should now be visible in the System variables window.
Pass as a JVM Flag
Add this flag to Romexis Server and Client startup scripts: -Dlog4j2.formatMsgNoLookups=true.
Edit the file "/Applications/Planmeca/Romexis/server/RomexisServer.sh" to add the JVM flag to the server startup script: right-click the file, choose "Open in Application" > TextEdit, and add the flag as shown:
/Applications/Planmeca/Romexis/tools/jre/bin/java \
-Dlog4j2.formatMsgNoLookups=true \
-Xmx3000m \
-Djava.awt.headless=true -Xdock:name="Romexis Server" \
-jar RomexisServer.jar
Open "/Applications/Planmeca/Romexis.app" by right-clicking it in Finder and choosing "Show Package Contents". Edit the file "Contents/MacOS/Romexis" inside the package by right-clicking it, choosing "Open in Application" > TextEdit, and adding the JVM flag:
exec "$JAVACMD" \
-Dlog4j2.formatMsgNoLookups=true \
-Dj3d.rend=d3d \
-Xms500m -Xmx16G \
-Dapple.laf.useScreenMenuBar=true \
-Xdock:icon=/Applications/Planmeca/Romexis.app/Contents/Resources/Romexis.icns \
-jar Romexis.jar \
host=localhost \
port=1099 \
romexis_config_port=2099 \
language=en \
${additionalArguments}
Please note that these are sample scripts; the parameters may differ in your environment. You only need to add the “-Dlog4j2.formatMsgNoLookups=true \” line to your existing script, using the backslash “\” character as the line continuation so the command carries on to the next line.
Save the edited scripts and restart both the server and the client for the parameter to come into effect.
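The environment-variable steps and the startup-script edits above are two forms of the same setting. The following added example (not Planmeca's code) applies the JVM-flag form to a backslash-continued Java startup script without duplicating it if it is already present, and checks the environment-variable form. The sample script is constructed from the server script shown above; the function and constant names are this example's own. The flag only has an effect on log4j 2.10 and later, and, as the advisory says, it is a partial mitigation rather than a replacement for the upgrade.

```python
"""Added example (not Planmeca's code): add the log4j2.formatMsgNoLookups JVM
flag to a backslash-continued Java startup script, idempotently."""
import os

NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"

# Constructed sample modelled on the RomexisServer.sh excerpt in the advisory,
# before the flag has been added.
SAMPLE_SERVER_SCRIPT = """\
/Applications/Planmeca/Romexis/tools/jre/bin/java \\
    -Xmx3000m \\
    -Djava.awt.headless=true -Xdock:name="Romexis Server" \\
    -jar RomexisServer.jar
"""


def has_no_lookups_flag(script_text: str) -> bool:
    """True when any line of the script already passes the flag."""
    return any(NO_LOOKUPS_FLAG in line for line in script_text.splitlines())


def _java_invocation_index(lines):
    """Index of the line that starts the java command: it ends with a
    backslash continuation and mentions java or $JAVACMD. None if absent."""
    for i, line in enumerate(lines):
        s = line.rstrip()
        if s.endswith("\\") and "java" in s.lower():
            return i
    return None


def ensure_no_lookups_flag(script_text: str):
    """Return (new_text, changed). Inserts the flag as the first JVM argument,
    directly after the java invocation line, reusing the indentation of the
    following argument line so the script keeps its layout."""
    if has_no_lookups_flag(script_text):
        return script_text, False
    lines = script_text.splitlines(keepends=True)
    idx = _java_invocation_index(lines)
    if idx is None:
        raise ValueError("no backslash-continued java invocation found")
    nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
    indent = nxt[: len(nxt) - len(nxt.lstrip())]
    lines.insert(idx + 1, f"{indent}{NO_LOOKUPS_FLAG} \\\n")
    return "".join(lines), True


def env_has_mitigation(environ=None) -> bool:
    """Check the environment-variable form of the same mitigation (the Windows
    steps above): LOG4J_FORMAT_MSG_NO_LOOKUPS set to true."""
    environ = os.environ if environ is None else environ
    return environ.get(NO_LOOKUPS_ENV, "").strip().lower() == "true"


def patch_script_file(path: str) -> bool:
    """Patch a startup script on disk in place; returns True if it changed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = ensure_no_lookups_flag(text)
    if changed:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    patched, changed = ensure_no_lookups_flag(SAMPLE_SERVER_SCRIPT)
    print("changed:", changed)
    print(patched)
```

Running the module prints the sample script with the flag inserted as the second line; a second pass reports no change, which is the property to check before re-running it across several installations.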
DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.
The following commands can be used on the Planmeca Reconstruction PC to mitigate the issue by removing the JNDI lookup classes from the Log4j library bundled in reco.jar:
$ sudo zip -d /pm3DData/reco.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/net/JndiManager.class
$ reboot
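To verify that the zip -d step actually removed the classes, and to see the before/after state, here is an added example (not Planmeca's code) that lists the JNDI classes still inside a jar, reads the log4j-core version from the Maven pom.properties that standard log4j-core jars carry, and rewrites a copy of the jar without the two classes. It builds a constructed stand-in for reco.jar with only the entry names needed for the check; the version string in it is a placeholder, and the path to reco.jar in a real run is the one the advisory gives.

```python
"""Added example (not Planmeca's code): inspect a jar for the log4j 2 JNDI
lookup classes and rewrite it without them, the same effect as the zip -d
command above, with a before/after check."""
import os
import tempfile
import zipfile

# The two entries the advisory removes with zip -d. This is the log4j 2.x
# layout; log4j 1.x jars live under org/apache/log4j/ and contain no
# JndiLookup class, so they need a separate assessment.
JNDI_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
# Standard Maven metadata path inside a log4j-core jar; a shaded or
# repackaged jar may not carry it.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def jndi_entries_present(jar_path: str):
    """Return the subset of JNDI_CLASSES still inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [c for c in JNDI_CLASSES if c in names]


def log4j_core_version(jar_path: str):
    """Version from the bundled pom.properties, or None if it is not there."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def strip_jndi_classes(src_jar: str, dst_jar: str) -> int:
    """Copy src_jar to dst_jar omitting JNDI_CLASSES; returns the number
    removed. Other entries keep their ZipInfo metadata."""
    removed = 0
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for info in zin.infolist():
            if info.filename in JNDI_CLASSES:
                removed += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar(path: str, version: str = "2.0-SAMPLE") -> None:
    """Constructed stand-in for reco.jar: not a real log4j build, only the
    entry names needed to exercise the checks. The version is a placeholder."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES,
                    "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n"
                    f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        for c in JNDI_CLASSES:
            zf.writestr(c, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Build the sample jar, strip it, and report the before/after state."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "reco.jar")
        dst = os.path.join(d, "reco.stripped.jar")
        build_sample_jar(src)
        before = jndi_entries_present(src)
        removed = strip_jndi_classes(src, dst)
        after = jndi_entries_present(dst)
        with zipfile.ZipFile(dst) as zf:
            remaining = sorted(zf.namelist())
        return {"version": log4j_core_version(src), "before": before,
                "removed": removed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real installation, call jndi_entries_present("/pm3DData/reco.jar") after the reboot: an empty list means the zip -d step took effect, a non-empty list means the jar was restored or never modified.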
Initial release (15 December 2021)
Update (17 December 2021): Planmeca to release new software versions to prevent use of vulnerability
Update (20 December 2021): Added instructions regarding DidapiKit
Update (22 December 2021): Information about Romexis security upgrade SP2
Update (23 December 2021): Some refinement of information about Romexis security upgrade SP2
Update (07 January 2022): Some details about version numbers corrected
Update (08 February 2022): Note about vulnerability scanners and log4j versions 1.x
Planmeca After Sales
aftersales(a)planmeca.com