An updated installer for Spectrum (2021 R3 Build 419225) is available for On Premise customers. 2021 R3 Build 419225 includes the latest updates to address the log4j issue:
All On Premise customers are strongly encouraged to install this patch as soon as possible. Once updated, the version which will display in the 'About' screen in Spectrum will be 'Version 2021 R3 - Build 419225'. Be sure to clear your browser cache after updating Spectrum and confirm the latest build number displays in the 'About' screen.
Hosted servers are being updated, scheduled for completion on January 24th. No further action needs to be taken by hosted customers.
Note: After this update, the following log4j file will remain on the server:
log4j-core-2.5-nojndi.jar
Instead of replacing the log4j-core-2.5.jar file with the newly released version, we proceeded with the option of replacing/removing the associated code that was used as the attack vector for this version. While the file may potentially be flagged by scans, this identified finding is strongly mitigated from being exploited.
After installing 2021 R3 Build 419225, please download and apply these VPXs:
These are available in the Hot Fixes download folder for 2021 R3.
On Friday December 10th, 2021, Trimble Viewpoint became aware of a Zero Day vulnerability known as CVE-2021-44228 Remote Code Execution: Log4J(2) Context Lookup with LDAP resolution. Based on security scans, we confirmed that this flaw created a vulnerability in only our Spectrum software. The vulnerability does not affect Viewpoint Vista, ProContractor, Jobpac Connect, HR Management, Field Service, Financial Controls, Field Management, Viewpoint Team, Viewpoint For Projects, or Viewpoint Field View since Log4J isn’t present which has been verified by multiple scans with different solutions.
Trimble’s 24x7 Security Operations Center in concert with Viewpoint Cloud Operations and Spectrum Engineering teams took the following immediate mitigation actions:
As a result of all these efforts, the Spectrum Cloud offering shouldn’t be susceptible to the Log4j vulnerability. No further action needs to be taken by hosted customers.
Moving forward, Trimble Viewpoint continues to actively monitor our environments via our 24x7 Security Operations Center. In addition, to keep up to date with new developments, Trimble’s Global CyberSecurity team maintains regular communications with all internal Trimble Divisions and 3rd party vendors and provides new and updated remediation strategies as they become available. We’ve worked very hard to have a mature security posture and have conducted much due diligence by attaining independent 3rd party certifications such as SOC 2 Type 2, ISO 270001, and a pending NIST 800-171 attestation letter.
Today we have completed an updated installer for Spectrum for On Premise customers with the patched Spectrum version:
https://support.viewpoint.com/s/downloads?boxId=3psigwusa6ula70m7rowi8k0jb2c9g5c
All On Premise customers are strongly encouraged to install this patch as soon as possible. In addition, we recommend updating your firewall rules. All ports on the Spectrum server should be blocked via a firewall with the following exceptions. Note: these are the default ports configured for Spectrum access via the internet, and are not required to be accessible from the internet on systems configured for access only via LAN or VPN connection:
These ports will be redirected if opened (optional - if not opened https:// must always be used in urls):
Customers needing assistance with the firewall configuration changes should contact their firewall vendor for detailed instructions applicable to their specific firewall solutions.
This is an evolving situation. Should any additional patches or configuration changes be required, hosted servers will be updated automatically by the Viewpoint Cloud Engineering team, and On Premise customers will be notified with information on the required actions.
Spectrum customers with On Premise servers should strongly consider moving to the Trimble Construction One cloud solution to take advantage of the robust and secure hosting environment available.
Trimble Viewpoint has identified the Log4j vulnerability as a potential exposure for Trimble Viewpoint and is executing its vulnerability management process to assess the risk and prioritize remediation. We have engaged engineering resources, third party cybersecurity vendors and software providers. We are continuously refreshing our datasets as we identify potential exposures in our infrastructure and product code.