Affected Biostar 2 Software Version: v2.6.0 ~ 2.8.13

Updated Date: 2022-2-23


Dear Valued Partners,


We would like to address the impact and resolution to the recent vulnerability caused by log4j2 on BioStar 2.


The issue is that log4j2 can be exposed to potential malicious code that can be executed from an outside attack.

[Link to vulnerability details]


This is a vulnerability caused by log4j2 which BioStar 2 also uses. 

There is a need to block this problem and we provide both an immediate and permanent solution as follows.


<1>

A simple restart of the server after replacing the provided configuration file (link below) in BioStar 2 root folder, the lookup feature causing the problem will no longer be used in BioStar 2 internal logs.


How to apply the patch file

1. Stop all BioStar 2 server services


2. Download the path file from the below link

log4j2.yml [Link to config file]


3. Copy the log4j2.yml file to C:\Program Files\BioStar 2(x64) (64-bit) or C:\Program Files\BioStar 2  (32 bit) which is located with BioStar 2 Server application.


4. Start all BioStar 2 server services 


<2>

Suprema also provide a new BioStar 2 v2.8.14.74 having the log4j2 library upgraded to v2.16.0 where the vulnerability is officially resolved.


Download link: https://www.supremainc.com/en/support/biostar-2-package.asp


Should you have any inquiries regarding this matter, please do not hesitate to contact [email protected].



How To Upgrade BioStar 2 Version

BioStar 2 supports a direct upgrade from the 2.6 to the latest version. 
If your BioStar 2 version is 2.6v or higher, you can download the latest version and conduct an upgrade. 
However, you cannot upgrade from a very old version such as 2.0 to 2.5 in one upgrade because that process is unsupported. Please refer to this article to upgrade sequentially.
[BioStar 2] How to Upgrade BioStar 2 Server

You do not need to uninstall the existing BioStar 2 Server, run BioStar 2 Setup Installation file to upgrade your system. 
Just in case, pl backup database, setting.conf, system.conf and enckey file before running BioStar 2 Setup file.




Frequently Asked Questions

Question #1:

We are using  Suprema BioStar version 1.93. Could you inform us if affected by our current version?

Answer #1:

BioStar 1.93 and old version of BioStar 1 software are based on C++ programming. There is no impact of the log4j2 vulnerability.


Question #2:

Should I delete the existing log4j2.yml in C:\Program Files\BioStar 2(x64) (64-bit) or C:\Program Files\BioStar 2  (32 bit)?

Answer #2:

You can overwrite the file or replace it to the patch file from the below link.

log4j2.yml [Link to config file]



Question #3:

I have old BioStar 2 software. Should I use the patch file and follow the guideline?

Answer #3:

BioStar 2.5 or lower version does not use java, so it does not fall under the related vulnerability.

Affected BioStar 2 VersionUsed log4j version
BioStar 2.6 ~ BioStar 2.8.13log4j(2.10~2.14.1)



Question #4:

log4j2 2.16 has a DOS vulnerability that was corrected in version 2.17.0, is that going to be changed to that version instead of 2.16.0?

Answer #4:

CVE-2021-45105 with Log4j 2.16.0


This case is a vulnerability that can occur for the following two points.

1. If the pattern in log4j2.yml is set as follows:

When ${ctx:loginId} or $${ctx:loginId} is set in ‘PatternLayout’

2. In case of development using ThreadContext.put syntax


Currently, BioStar 2 does not fall under the above two points, so we will not apply it to the current version.

The upgrade to log4j2 version 2.17.1 will be applied to BioStar 2.8.15.

BioStar 2.8.15 download page - link



Question #5:

I need to update the log4j2 version to 2.17.1 because of the security reason of our security tool.

Could we have the updated version information?

Answer #5:

We have a patch file of BioStar 2.8.14. Please generate a ticket in this Suprema Support Page if you need to have the patch file based on v2.8.14.

Also, BioStar 2.8.15 is released on the Suprema website. Please visit the BioStar 2 download page (link)



Question #6:

"Suprema Fingerprint Scanner Driver 1" is not impacted?

Answer #6:

Suprema Fingerprint Scanner Driver is not impacted. 



Question #7:

Could you inform me if there is any impact of log4j vulnerability to BioConnect software?

Answer #7:

BioConnect Software Is Not Impacted by the LO4J CVE-2021-14228 Vulnerability. The log4j vulnerability that was identified on December 9th, 2021, and for which the details can be found in the CVE - 2021-44228 reference does not impact BioConnect Enterprise nor BioConnect Link. Log4j is used by programs that are developed using JAVA and is not used in any of BioConnect's software solutions.




Sincerely,


Suprema Security Team