Security CVE Log4J
The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Log4J vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) across the UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.
The following constitute our findings to date:
1. The Insights product does contain the vulnerable version of Apache Log4J for which details, including mitigation steps, are provided below.
2. Automation Suite contains Insights and is therefore vulnerable. No other products within Automation Suite contain Apache Log4J.
3. UiPath Automation Cloud including all services and micro-services has no known risk due to mitigation and updates made by the UiPath team.
4. The following products, both cloud service and the on-premises versions, do not contain Apache Log4J-core and have no known risk at this time:
  - Studio (all types), Assistant, Robot (all types, including AI Robots, Cloud Robots, etc.)
  - All extensions packaged with Studio (browser extensions, etc.)
  - All UiPath Activity Packages published to the UiPath Official Feed
  - Automation Hub (including Task Capture)
  - AI Center (including Computer Vision & Document Understanding)
  - High Availability Add-on (HAA)
5. Customers who leverage Elasticsearch should know that some versions are vulnerable and that mitigation steps are available on Elastic's website. Customers should follow the latest news from Elastic and reach out directly to them should they have any issues.
Note that the impact assessment is still ongoing. We will post material updates to this site as soon as they become available. Our aim is to enable our customers to quickly react to any weaknesses that could impact their security posture.
Update: December 21, 2021
UiPath evaluated the impact of CVE-2021-45105 and confirmed that the stated analysis remains correct.
Update: December 22, 2021
UiPath has posted hotfixes for Insights 2021.10 and Automation Suite 2021.10.
Convenience Updates have also been posted for AI Center 2020.10 and 2021.4.
Update: December 23, 2021
UiPath has completed analysis of all products and services. Actions have been posted for all affected services.
UiPath Insights versions prior to 2021.10 include Apache Log4j in the Java Connector that integrates UiPath code with Sisense, and also in Sisense directly.
UiPath has evaluated the code within the Java Connector and found that while a vulnerable version of the Apache Log4J library is included as a dependency, exploitation can be mitigated through configuration by following the steps in the next section. Regardless, UiPath issued a hotfix (see below) to update this to the latest, non-vulnerable version of Apache Log4j.
Sisense has also performed an investigation into their implementation and found that their installation has the vulnerable version of log4j. They have also determined that it is exploitable, but only by an authenticated and named user that has the proper privileges. No attack vectors are open from outside the application.
Insights does not use Context Lookup by configuration, thus mitigating CVE-2021-45105 by default.
Mitigation Steps for Insights:
1. Open a browser and navigate to https://github.com/UiPath/Insights-Customer/tree/master/hotfix/log4j
2. Select the hotfix that corresponds to your version of Insights to open that repository.
3. Click on the Download button to download the zip file.
4. From the download location, extract the zip files to C:\Scripts (you may need to create this directory).
5. Open PowerShell as Admin and run the Insightsxx.xx.xhotfix.ps1 in C:\Scripts
*Instructions Provided by Sisense*
7. Click on the Download button to download the zip file.
8. Extract the zip file into C:\Scripts\ so that it creates a new folder called C:\Scripts\fix_log4j
9. Open PowerShell as Admin and run C:\Scripts\fix_log4j\fixLog4jSisense.ps1
10. Review the log under C:\Scripts\fix_log4j\log.txt and make sure there are no errors. If any ERROR entries are present, please contact UiPath Support.
The script provided by Sisense requires the usage of 7-zip. Customers can download it ahead of time and install it to "C:\Program Files\7-Zip" or allow the script to download it automatically.
The Sisense.Shipper service may be disabled, in which case the Sisense script will log an error when starting the service. This is the last step and does not impact patching. This service is not used for Insights and can be left Disabled.
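The steps above end with a manual review of the hotfix log, and the notes explain that an error starting Sisense.Shipper is expected. The following PowerShell script is an added post-patch verification example, not part of the UiPath or Sisense hotfix: it lists every ERROR line in C:\Scripts\fix_log4j\log.txt (marking Sisense.Shipper lines as expected), then scans installation directories for log4j-core jars, reports their version from the file name, and checks whether JndiLookup.class is still packaged in each jar. The scan roots are hypothetical placeholders to replace with the actual Insights and Sisense installation paths, and the script assumes 2.17.0 as the first 2.x release addressing all three listed CVEs; Java 7/6-specific branches (2.12.x, 2.3.x) have their own fixed releases and would need a different threshold.

```powershell
# Added post-patch verification script (not part of the UiPath or Sisense hotfix).
# Assumptions: the hotfix log is at C:\Scripts\fix_log4j\log.txt (step 10 above);
# $ScanRoots are hypothetical placeholders for the Insights/Sisense install roots;
# 2.17.0 is treated as the first 2.x release that addresses all three listed CVEs.
param(
    [string]$HotfixLog = 'C:\Scripts\fix_log4j\log.txt',
    [string[]]$ScanRoots = @('C:\Program Files\Sisense', 'C:\Program Files\UiPath'),  # hypothetical
    [version]$FixedVersion = [version]'2.17.0'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Step 10 check: surface every ERROR line in the hotfix log. An error starting
# Sisense.Shipper is expected when that service is disabled (see the note above).
function Get-HotfixLogErrors {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Hotfix log not found: $Path"
        return
    }
    Select-String -LiteralPath $Path -Pattern 'ERROR' | ForEach-Object {
        [pscustomobject]@{
            Line     = $_.LineNumber
            Text     = $_.Line.Trim()
            Expected = ($_.Line -match 'Sisense\.Shipper')
        }
    }
}

# Returns $true when the jar still ships the JNDI lookup class, the component
# that the "remove JndiLookup.class" workaround strips from log4j-core.
function Test-JndiLookupPresent {
    param([string]$JarPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        $hit = $zip.Entries | Where-Object {
            $_.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
        }
        return [bool]$hit
    } finally {
        $zip.Dispose()
    }
}

# Finds every log4j-core-*.jar under the scan roots and reports its version,
# whether it is below the fixed version, and whether JndiLookup.class remains.
function Find-Log4jCore {
    param([string[]]$Roots, [version]$Fixed)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = $null
            if ($_.Name -match '^log4j-core-(\d+(?:\.\d+)+)\.jar$') { $ver = [version]$Matches[1] }
            [pscustomobject]@{
                Path              = $_.FullName
                Version           = $ver
                BelowFixed        = (($null -eq $ver) -or ($ver -lt $Fixed))  # unknown version is flagged
                JndiLookupPresent = (Test-JndiLookupPresent -JarPath $_.FullName)
            }
        }
    }
}

Write-Host "== ERROR lines in $HotfixLog =="
Get-HotfixLogErrors -Path $HotfixLog | Format-Table -AutoSize

Write-Host "== log4j-core jars under scan roots =="
$jars = @(Find-Log4jCore -Roots $ScanRoots -Fixed $FixedVersion)
$jars | Format-Table -AutoSize
$needsAttention = @($jars | Where-Object { $_.BelowFixed -or $_.JndiLookupPresent })
if ($needsAttention.Count -gt 0) {
    Write-Warning "$($needsAttention.Count) log4j-core jar(s) still need attention."
} else {
    Write-Host "No log4j-core jar below $FixedVersion and no JndiLookup.class found."
}
```

Run it from an elevated PowerShell prompt after the hotfix scripts have finished, passing -ScanRoots with the real installation directories. It only inspects jars named log4j-core-*.jar; a log4j-core copy repackaged inside another jar or renamed would not be found, so treat an empty result as "nothing found at this path" rather than proof of absence, and keep the vendor's own release notes as the authoritative statement of what each hotfix changed.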
UiPath Insights versions 2021.10+ include Apache Log4j in Looker. Automation Suite contains Insights v2021.10+ and thus also includes Looker. Google has confirmed the presence of the Apache Log4J library in the Looker code. Google has not reported whether this is exploitable or not. Google has released updates for Looker to address the vulnerabilities, which UiPath has incorporated into patches for both Insights and Automation Suite.
UiPath Insights version 2021.10.2 Download
UiPath Insights 2021.10.2 Release Notes
UiPath Automation Suite version 2021.10.2 Hotfix Download
UiPath AI Center versions 2020.10.x and 2021.4.x contain newrelic.jar; however, it is not used in any way. The file is included from a legacy build and there is no risk to customers. UiPath has provided hotfixes for both versions of AI Center to remove the file as a convenience for customers.
UiPath AI Center 2020.10.5 Release Notes
UiPath AI Center 2021.4.3 Release Notes