Automation 360 Enterprise On-Premise | Update regarding CVE-2021-44228 & CVE-2021-45046 related to 0-day in the Apache Log4j2 and Log4Shell Java library

Summary

Applies to the Automation 360 Enterprise On-Premise.

Release versions applicable to: A360 all release versions (and all A2019 release versions)

As industry understanding of this vulnerability evolves, we have been constantly re-assessing our risk. At this time there are no known instances of log4j configuration that can lead to remote exploit with respect to the Automation 360 releases.

As a defense-in-depth measure we recommend that you disable the functionality of log4j that contains the flaw. This will ensure a susceptible version of the log4j library is no longer susceptible to the exploit. To do this, the option -Dlog4j2.formatMsgNoLookups=true must be provided to the Java startup options of all services.

Updated on 16th Dec 2021: While no known remote execution exists for A360 at this time, recent vulnerability analysis indicates that variations are being actively discovered, increasing risk. We are therefore providing additional defense-in-depth steps that we recommend all customers apply. An update with the A360.23 on-prem release is planned to be released to cover the log4j weaknesses. These steps are in addition to, not a replacement of, the previously provided guidance.

The detailed steps to add this option are shared below.

Instructions

Please note that these changes are not expected to have any impact on product functionality. Log4j is only used for logging within the product and these functions are not used within the product itself.

- For Automation 360 Control Room installed on Windows OS
- For Automation 360 Control Room installed on Linux OS
- For Automation 360 Bot Agent
- For Automation 360 IQ Bot (applicable to all release versions)

For Automation 360 Control Room installed on Windows OS

1. As system administrator, run Registry Editor (regedit.exe)
2. In regedit navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
3. Find all services listed that start with "Automation Anywhere" and perform the below steps:
   a. Navigate to the "Parameters" folder that is a child of the service folder. (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Automation Anywhere Control Room Bot Compiler Service\Parameters)
   b. Double-click on "Application"
   c. Confirm that Value points to a path ending in java.exe. If it does NOT (e.g. "Automation Anywhere Control Room Reverse Proxy" does not end with java.exe), skip to the next Control Room service.
   d. If the Value points to a path ending in java.exe, then double-click on "AppParameters"
   e. Add -Dlog4j2.formatMsgNoLookups=true to the start of the Value. Make sure to leave a space between this new text and the start of the existing text.
   f. Click OK
4. Run Services from Administrator Tools
5. Restart all Automation Anywhere services

Additional steps updated on 16th Dec 2021:

1. Navigate to <drive>:\Program Files\Automation Anywhere\Enterprise\config
   Reference snippet with a sample path: [screenshot: File Explorer showing the config folder under Program Files > Automation Anywhere]
2. Edit each of the files matching log4j2-*.xml (e.g. log4j2.xml, log4j2-ignite.xml) and make the following changes:
   a. Remove all instances of %mdc in the file
   b. Save file
3. Performing a restart of Control Room services post this set of changes is not required

Note: For the release versions A360.18 till A360.22, below is the list of files that are generally expected to be updated.

- log4j2.xml
- log4j2-spcompiler.xml
- log4j2-activemq.xml
- log4j2-ignite.xml
- log4j2-aari.xml
- log4j2-discoverybot.xml
- log4j2-iqbot.xml
- log4j2-storage.xml

The file log4j2-storage.xml may not be available for releases prior to A360.19.

For Automation 360 Bot Agent

a. For the Bot Agent installed by selecting "Anyone who uses this computer (all users)" option.

1. As system administrator, run Registry Editor (regedit.exe)
2. In regedit navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
3. Find the service called "Automation Anywhere Bot Agent"
   a. Navigate to the "Parameters" folder that is a child of the service folder. (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Automation Anywhere Control Room Bot Compiler Service\Parameters)
   b. Double-click on "Application"
   c. Confirm that Value points to a path ending in java.exe.
   d. Double-click on "AppParameters"
   e. Add -Dlog4j2.formatMsgNoLookups=true to the start of the Value. Make sure to leave a space between this new text and the start of the existing text.
   f. Click OK
4. Run Services from Administrator Tools
5. Restart "Automation Anywhere Bot Agent" service

Additional steps updated on 16th Dec 2021:

1. Navigate to <drive>:\Program Files\Automation Anywhere\Bot Agent\config
2. Edit botlauncher-logging.xml and nodemanager-logging.xml, and make the following changes:
   a. Remove all instances of %mdc
   b. Save file
   Reference snippet: [screenshot]
3. Performing a restart of the BotAgent services is not required

b. For the Bot Agent installed by selecting "Only for me (<windows username>)" option.

1. Go to the "C:\Users\<windows username>\AppData\Local\Programs\Automation Anywhere\Bot Agent" folder.
   Note: AppData may be a hidden folder in Windows, so you might need to change the view settings as needed.
2. Locate and open the aastartupnm.bat file in edit mode.
3. Add -Dlog4j2.formatMsgNoLookups=true after the Java executable in the last line. Make sure to leave a space after the executable name and after this new text.
4. Save the file.
   Reference snippet: [screenshot: aastartupnm.bat opened in a text editor]
5. Double-click on the file to restart the Bot Agent process. In case your environment does not allow this, you may restart the Bot Agent service from services.msc or any other method available to you.

Additional steps updated on 16th Dec 2021:

1. Navigate to C:\Users\<windows username>\AppData\Local\Programs\Automation Anywhere\Bot Agent\config
2. Edit botlauncher-logging.xml and nodemanager-logging.xml, and make the following changes:
   a. Remove all instances of %mdc
   b. Save file
3. Performing a restart of the BotAgent services is not required

For Automation 360 IQ Bot (applicable to all release versions)

1. Go to the installation directory of IQ Bot, currently "C:\Program Files (x86)\Automation 360 IQ Bot\"
2. From the IQ Bot installation directory go to the "Configurations" folder and open the "microservices_start.bat" file in edit mode.
3. Within the "microservices_start.bat" text file:
   - Adjust the arguments -Dfile.encoding=UTF-8 to add the parameter -Dlog4j2.formatMsgNoLookups=true
   - The resulting arguments appear as follows: -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true
   - This should be repeated for each instance of -Dfile.encoding=UTF-8 and the file saved.
   Reference snippet showing the file after the change: [screenshot]
4. Once the changes are applied, stop and start the IQ Bot services with the below batch files.
5. Locate the file "stopanduninstallallservices.bat" under /Configurations and run as Administrator
6. Locate the file "installandstartallservices.bat" under /Configurations and run as Administrator

Additional Information

Please note that A360.23 On-Prem and onward will include an updated and patched version of Log4j.

Thank you again, and we will continue to provide updates as soon as we know more. If you have any additional questions or concerns, please open a support case via the A-People Portal.

Component: Control Room Configuration
Sub-Component: Configure
First Published Date: 12/11/2021 1:56 PM
Last Published Date: 12/16/2021 12:20 PM
URL Name: A360-On-Premise-Update-regarding-CVE-2021-44228-related-to-0-day-in-the-Apache-Log4j2-Java-library
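A read-only check of the Windows steps above, added here as an example and not a script from Automation Anywhere: it lists each java.exe-based "Automation Anywhere" service with whether -Dlog4j2.formatMsgNoLookups=true is in AppParameters, plus the service state, and counts lines that still contain %mdc in the logging XML files. The C: drive in the config paths and all variable and parameter names are assumptions.

```powershell
# Added example, not Automation Anywhere code. Read-only: it changes nothing.
[CmdletBinding()]
param(
    # Assumption: C: stands in for the install drive in the article's sample paths.
    [string[]]$ConfigDirs = @(
        'C:\Program Files\Automation Anywhere\Enterprise\config',
        'C:\Program Files\Automation Anywhere\Bot Agent\config',
        (Join-Path $env:LOCALAPPDATA 'Programs\Automation Anywhere\Bot Agent\config')
    )
)

$Option      = '-Dlog4j2.formatMsgNoLookups=true'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Registry check: every "Automation Anywhere*" service whose Application is java.exe.
$serviceReport = foreach ($svc in Get-ChildItem -Path $ServicesKey) {
    $name = $svc.PSChildName
    if ($name -notlike 'Automation Anywhere*') { continue }
    $paramKey = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path -LiteralPath $paramKey)) { continue }

    $params = Get-ItemProperty -LiteralPath $paramKey
    $app    = "$($params.Application)".Trim().Trim('"')
    if ($app -notlike '*java.exe') { continue }      # e.g. the Reverse Proxy service

    $tokens = @("$($params.AppParameters)".Trim() -split '\s+')
    [pscustomobject]@{
        Service       = $name
        OptionPresent = $tokens -contains $Option
        OptionFirst   = $tokens[0] -eq $Option       # the article puts it at the start
        Status        = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
    }
}

# Config check: logging XML files that still contain the %mdc pattern.
$configReport = foreach ($dir in $ConfigDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Filter '*.xml' |
        Where-Object { $_.Name -like 'log4j2*.xml' -or $_.Name -like '*-logging.xml' } |
        ForEach-Object {
            $hits = @(Select-String -LiteralPath $_.FullName -Pattern '%mdc' -SimpleMatch)
            [pscustomobject]@{ File = $_.FullName; MdcLines = $hits.Count }
        }
}

$serviceReport | Sort-Object Service | Format-Table -AutoSize
$configReport  | Sort-Object File    | Format-Table -AutoSize
```

A service row with OptionPresent False, or a file row with MdcLines above 0, still needs the corresponding step; the Status column shows any service that did not return to Running after the restart.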
Comments

Vyjayanthi (Automation Anywhere, Inc.) published a new version of this Knowledge. 3h ago

Anujan V (Automation Anywhere, Inc.) published a new version of this Knowledge. 5h ago

EMT (Süddeutsche Krankenversicherung a.G.), edited yesterday at 10:50 AM:

"Java bundled with our on-premise versions A360 all release versions are not susceptible to remote exploit. In order for this vulnerability to be exploitable requires both a susceptible version of Java AND a susceptible version of log4j library."

This is NOT true, see https://twitter.com/marcioalm/status/1470361495405875200

All java versions are affected by the vulnerability.

-Dlog4j2.formatMsgNoLookups=true only works with version >2.10, please confirm which version of log4j is included in Version 10 of aa 2019.

Rathish@IKS (IKS Health), December 14, 2021 at 2:06 PM:

@Anujan V (Automation Anywhere, Inc.) Can we get a Batch file from Automation Anywhere, one to update the control and second to update the bot agent - since this is registry update need to be done urgently

  Rathish@IKS (IKS Health), a day ago:

  @Anujan V (Automation Anywhere, Inc.) I understand but tested patch from Automation Anywhere is better than each step being done. You have already seen some of the issues in above comments. I have already raised a ticket for the same and hopeful of getting some traction on that. Since this needs to be deployed across Servers and even bot agent, doing it manually is big task. Or we get a Task bot to do the same is also good

ToBa (Customer), December 14, 2021 at 1:54 PM:

Hello. Implementing this fix on A360.22, we are facing an issue with elasticsearch. "Failed to connect to Elasticsearch server" in main dashboard and in Audit log:

Failed to parse and execute query.(createdOn:>1639399713000 ) AND _tenantld:'d29723tb-1cd0-440b-a4ac-edfc0474adle

As provided before, we excluded Automation Anywhere Bot Insight Service Discovery, because after the change in registry, the service is paused. Can you please advise?

  Anujan V (Automation Anywhere, Inc.), a day ago:

  @ToBa (Customer) - Regarding your observation on the Elastic Search service, we have not encountered this scenario in our internal test environments. This will need further investigation and deep-dive on the logs. Can you kindly raise a support case for this and we will look further into it?

GAURAV BARI (Singapore Airlines), December 14, 2021 at 3:42 AM:

Hello to everyone, Please exclude "Automation Anywhere Bot Insight Service Discovery" service while updating AppParameters, else the service Automation Anywhere Bot Insight Service Discovery will be shown paused in services. Thank You

  GAURAV BARI (Singapore Airlines), 2 days ago:

  Noted, thank you. With Regards, Gaurav Bari