Apache Log4j vulnerability (CVE-2021-44228) in Planmeca products

What Planmeca products are affected

Software

Planmeca Romexis® 6.1.1, Planmeca Romexis 6.2 and Planmeca Romexis 6.2.1

3D imaging products

All Planmeca Viso® and Planmeca ProMax® 3D units

  • Planmeca Reconstruction PC software 4.6.3 and later
  • Planmeca Device Tool 5.0.0 and later
  • Planmeca System Updater 5.0.0 and later
  • Planmeca Didapi Kit: DidapiConfig 5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later

2D imaging products

Planmeca ProMax® 2D, Planmeca ProOne®, Planmeca ProSensor®, Planmeca ProScanner®

  • Planmeca Device Tool, 5.0.0 and later
  • Planmeca System Updater, 5.0.0 and later
  • Planmeca Didapi Kit: DidapiConfig 5.12.0.23.193 / Planmeca Imaging Package 17_2020-10-26-110027 and later

Note: Other products or versions including Planmeca Romexis® Cloud are NOT affected.

Even though no attack vectors using Planmeca Romexis have been identified, out of an abundance of caution we have also released a new Romexis version, 6.2.1 SP2, that uses the latest version of the log4j component with all known vulnerabilities fixed.

The mitigations below do not fix every known log4j vulnerability: disabling message lookups closes the original CVE-2021-44228 vector but not the follow-on issue tracked as CVE-2021-45046, and the formatMsgNoLookups setting only exists in log4j 2.10 and later. Because Romexis is not a front-line target, they nevertheless block the main attack vectors, and they are often sufficient and strongly recommended as an interim measure.

Full protection is achieved by log4j version upgrade included in Romexis 6.2.1 SP2.

In addition, Planmeca has released imaging software releases with upgraded log4j library versions. Until the fixed software versions are installed, you can mitigate the problem with the instructions below.

How to mitigate the vulnerability on the Planmeca Romexis® server and client in Windows

1. Type Environment in the Windows search box and open Edit the system environment variables.

2. From the opening System Properties window, select the Advanced tab. From there, click Environment Variables.

3. In the Environment Variables window, click New under System variables to create a new system variable.

4. Enter the following values in the New System Variable dialog and click OK.

Variable name:
LOG4J_FORMAT_MSG_NO_LOOKUPS

Variable value: true

5. The new variable should now be listed under System variables. It only reaches processes started after it was set, so restart the Romexis server and client (or reboot the machine, which is the simplest way to be sure the server process picks it up) for the mitigation to take effect.

How to mitigate the vulnerability on the Planmeca Romexis® server and client in macOS

Pass as a JVM Flag
Add this flag to Romexis Server and Client startup scripts: -Dlog4j2.formatMsgNoLookups=true.

Server

Edit the file "/Applications/Planmeca/Romexis/server/RomexisServer.sh" to add the JVM flag to the server startup script: right-click the file, choose Open With > TextEdit, and insert the flag line as shown:

/Applications/Planmeca/Romexis/tools/jre/bin/java \
-Dlog4j2.formatMsgNoLookups=true \
-Xmx3000m \
-Djava.awt.headless=true -Xdock:name="Romexis Server" \
-jar RomexisServer.jar

Client

Open "/Applications/Planmeca/Romexis.app" by right-clicking it in Finder and choosing "Show Package Contents". Inside the package, right-click the file "Contents/MacOS/Romexis", choose Open With > TextEdit, and add the JVM flag as shown:

exec "$JAVACMD" \
-Dlog4j2.formatMsgNoLookups=true \
-Dj3d.rend=d3d \
-Xms500m -Xmx16G \
-Dapple.laf.useScreenMenuBar=true \
-Xdock:icon=/Applications/Planmeca/Romexis.app/Contents/Resources/Romexis.icns \
-jar Romexis.jar \
host=localhost \
port=1099 \
romexis_config_port=2099 \
language=en \
${additionalArguments}

Please note that these are sample scripts; the parameters in your environment may differ. You only need to add the line “-Dlog4j2.formatMsgNoLookups=true \” to your existing script. The trailing backslash “\” is the shell's line-continuation character, so keep it, and make sure the line you insert after still ends with one as well.

Save the edited scripts and restart both the server and the client for the parameter to come into effect.
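The same edit as a script, for anyone who has to apply it to several Macs. This is an added example, not Planmeca's own tooling: it inserts the flag line directly after the java launch line of a RomexisServer.sh or Contents/MacOS/Romexis script, refuses to add it twice, and keeps a .bak copy. The two sample scripts embedded in it are constructed from the excerpts above (the JAVACMD assignment in the client sample is assumed, since the advisory's excerpt starts at the exec line), and the regular expression that recognises the launch line is an assumption about what those scripts look like, not something taken from Planmeca.

```python
"""Idempotently add the log4j2.formatMsgNoLookups JVM flag to a Romexis-style
launch script (added example; not Planmeca's own tooling)."""
import os
import re
import shutil
import tempfile
from typing import Tuple

FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# The line that launches the JVM in the two scripts shown in the advisory:
#   /Applications/Planmeca/Romexis/tools/jre/bin/java \
#   exec "$JAVACMD" \
# i.e. an optional `exec`, then a path ending in `java` or a $JAVACMD reference,
# then a backslash continuation. Anything else is left alone. (Assumed shape.)
JAVA_LINE = re.compile(r'^\s*(?:exec\s+)?(?:\S*/)?(?:java|"?\$JAVACMD"?)\s*\\\s*$')


def add_jvm_flag(script: str, flag: str = FLAG) -> Tuple[str, bool]:
    """Return (new_text, changed). The flag goes on its own backslash-continued
    line right after the launch line, copying the indentation of the line that
    follows it. No change if the flag is already present or no launch line exists."""
    if flag in script:
        return script, False
    lines = script.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if JAVA_LINE.match(line):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            indent = nxt[: len(nxt) - len(nxt.lstrip(" \t"))]
            lines.insert(i + 1, f"{indent}{flag} \\\n")
            return "".join(lines), True
    return script, False


def patch_script(path: str, flag: str = FLAG) -> bool:
    """Patch a script file in place, keeping a .bak copy; True if it was modified."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, changed = add_jvm_flag(original, flag)
    if changed:
        shutil.copy2(path, path + ".bak")  # copy2 preserves the executable bit
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return changed


# Constructed samples modelled on the two scripts in the advisory, before the edit.
SERVER_SCRIPT = """#!/bin/sh
# Romexis server launcher (constructed sample)
/Applications/Planmeca/Romexis/tools/jre/bin/java \\
-Xmx3000m \\
-Djava.awt.headless=true -Xdock:name="Romexis Server" \\
-jar RomexisServer.jar
"""

CLIENT_SCRIPT = """#!/bin/sh
JAVACMD=/Applications/Planmeca/Romexis/tools/jre/bin/java
exec "$JAVACMD" \\
-Dj3d.rend=d3d \\
-Xms500m -Xmx16G \\
-jar Romexis.jar \\
host=localhost \\
port=1099
"""


def demo() -> dict:
    """Patch the sample server script on disk twice and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "RomexisServer.sh")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SERVER_SCRIPT)
        first = patch_script(path)
        second = patch_script(path)  # second run must be a no-op
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        return {"first": first, "second": second,
                "backup": os.path.exists(path + ".bak"),
                "flag_count": text.count(FLAG)}


if __name__ == "__main__":
    import sys
    for script_path in sys.argv[1:]:
        print(f"{script_path}: {'patched' if patch_script(script_path) else 'unchanged'}")
```

Run it as `python3 add_nolookups.py /Applications/Planmeca/Romexis/server/RomexisServer.sh /Applications/Planmeca/Romexis.app/Contents/MacOS/Romexis` (as a user allowed to write those files), then restart the server and client exactly as above. If it reports "unchanged" for a script that does not yet contain the flag, the launch line does not have the shape the expression expects and the edit should be made by hand.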

How to mitigate the vulnerability in Planmeca Viso® and Planmeca ProMax® 3D units

Didapi Kit

DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.

Reconstruction PC

The following commands, run on the Planmeca Reconstruction PC, mitigate the issue by deleting the JNDI lookup classes from the log4j component inside reco.jar so that no JNDI lookup can be reached at all. Take a backup copy of reco.jar before running them:

$ sudo zip -d /pm3DData/reco.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/logging/log4j/core/net/JndiManager.class
$ reboot
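As an added example (not Planmeca's own tooling), here is a cross-platform equivalent of the `zip -d` step with a check on either side of it: it lists which of the two JNDI classes a jar still carries, reports the bundled log4j-core version from its pom.properties where that file is present, and rewrites the jar without those entries while keeping a .bak copy. The `build_sample_jar` helper constructs a stand-in for reco.jar with dummy class entries so the script can be exercised without the real file; the only assumption about the real reco.jar is that it contains the two entry paths the advisory names.

```python
"""Check a jar for the log4j JNDI classes and strip them, with the same effect as
`zip -d reco.jar .../JndiLookup.class .../JndiManager.class` (added example)."""
import os
import tempfile
import zipfile
from typing import List, Optional

# The two entries the advisory removes from reco.jar.
JNDI_ENTRIES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
# Where Maven-built log4j-core records its version inside the jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def find_jndi_classes(jar_path: str) -> List[str]:
    """Entries whose name ends with one of JNDI_ENTRIES. Matching on the suffix
    also catches shaded copies that live under a relocated package prefix."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n.endswith(JNDI_ENTRIES)]


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Version from log4j-core's pom.properties, or None if the jar lacks it."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(POM_PROPS):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def strip_jndi_classes(jar_path: str) -> List[str]:
    """Rewrite the jar without the JNDI entries, keeping every other entry and its
    compression settings, and leave the original as <jar>.bak. Returns the names
    removed (empty list if the jar was already clean, in which case nothing is touched)."""
    doomed = set(find_jndi_classes(jar_path))
    if not doomed:
        return []
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in doomed:
                dst.writestr(info, src.read(info.filename))
    os.replace(jar_path, jar_path + ".bak")
    os.replace(tmp, jar_path)
    return sorted(doomed)


def build_sample_jar(path: str, version: str = "2.14.1") -> None:
    """Constructed stand-in for reco.jar: a few placeholder class entries plus a
    pom.properties. Real class bytes are irrelevant to the entry-name checks."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in JNDI_ENTRIES + ("org/apache/logging/log4j/core/Logger.class",):
            jar.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")


def demo() -> dict:
    """Build the sample jar, strip it, and report the before/after state."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "reco.jar")
        build_sample_jar(jar)
        before = find_jndi_classes(jar)
        removed = strip_jndi_classes(jar)
        after = find_jndi_classes(jar)
        with zipfile.ZipFile(jar) as z:
            valid = z.testzip() is None  # CRC check of every surviving entry
            remaining = sorted(z.namelist())
        return {"before": before, "removed": removed, "after": after,
                "valid": valid, "remaining": remaining,
                "version": log4j_core_version(jar),
                "backup": os.path.exists(jar + ".bak"),
                "second": strip_jndi_classes(jar)}


if __name__ == "__main__":
    import sys
    for jar_path in [a for a in sys.argv[1:] if a != "--strip"]:
        print(f"{jar_path}: log4j-core {log4j_core_version(jar_path)}, "
              f"JNDI entries {find_jndi_classes(jar_path)}")
        if "--strip" in sys.argv:
            print("  removed:", strip_jndi_classes(jar_path))
```

On the Reconstruction PC this would be run as root against /pm3DData/reco.jar with `--strip`, followed by the reboot the advisory calls for. Running it without `--strip` before and after the vendor's `zip -d` command is a quick way to confirm the two classes are really gone; an empty list afterwards is the result to expect.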

How to mitigate the vulnerability in Planmeca 2D imaging products: Planmeca ProMax 2D, Planmeca ProOne, Planmeca ProSensor, Planmeca ProScanner

Didapi Kit

DidapiConfig.exe can be removed from the system after setting up the imaging device. It is not needed during normal patient imaging.

Revision history

Initial release
15 December 2021

Update
17 December 2021
Planmeca to release new software versions to prevent use of vulnerability

Update
20 December 2021
Added instructions regarding DidapiKit

Update
22 December 2021
Information about Romexis security upgrade SP2

Update
23 December 2021
Some refinement of information about Romexis security upgrade SP2

Update
07 January 2022
Some details about version numbers corrected

Update
08 February 2022
Note about vulnerability scanners and log4j versions 1.x

Contact:

Planmeca After Sales
aftersales(a)planmeca.com