Status Page
Important information for LucaNet customers

Current topics

  • Repeated Faulty Windows Defender Anti-Virus Definition Released 
     

Previously published topics: 

  • Bug report - wrong summary of accounts (as of LucaNet 22 LTS and higher)
  • Vulnerability in Spring4Shell Framework (CVE-2022-22965)
  • Incorrect Windows Defender antivirus definition
  • Critical vulnerability in Log4j


FAQs 

Repeated Faulty Windows Defender Anti-Virus Definition Released

LucaNet Software Falsely Detected as a Threat - affects LucaNet 13 LTS on-premises only 

2022-05-04

Anti-virus definitions allow Windows Defender to detect current malicious or unwanted software, as well as prevent the software from being executed on a computer. Due to Microsoft's release of an incorrect anti-virus definition in Windows Defender, Windows Defender is currently incorrectly detecting a file of LucaNet software as a threat.  

Since no changes were made to the file, a real danger from the file in question can be ruled out.

The problem can be resolved by defining the affected file as harmless and then releasing it from quarantine.

Here's how your IT department can support you: If your organization uses Office 365 Windows Defender, you can roll out the settings to all clients via an indicator. For this, the hash of the file must be classified as harmless or, alternatively, the LucaNet installation directory must be excluded from Windows Defender.

If required, we will of course be happy to support you and keep you up to date on this topic.   

Bug report - wrong summary of accounts (as of LucaNet 22 LTS and higher)

2022-04-04

In the past few days, values in the balance sheet of a few customers were not displayed correctly or not updated. This can manifest itself in the following ways that we are aware of so far:  

  • The account value shown on the balance sheet is incorrect.  
    However, if you go to "Show postings", the transactions and also the balance of the account are shown correctly. 
  • The superordinate item aggregates the values of the accounts it contains incorrectly. 

   
The problem only affects versions LucaNet 22 LTS and higher.  

We have technically fixed the issue and provided the solution version via the following service packs dated 2022-04-04:  

  • LucaNet 22 LTS - 2111.0.35+14 - GA - 4/4/2022  
  • LucaNet 23.3 - 2203.0.5+11 - EOL - 4/4/2022  
  • LucaNet 23.4 - 2204.0.1+2 - GA - 4/4/2022  

 
What has to be done if LucaNet is operated locally?  

If LucaNet is operated locally, then the software must be updated manually or automatically via job control. Instructions for this can be found in the file Perform software update.


What has to be done if LucaNet is operated on the LucaNet.Cloud?  

For LucaNet.Cloud customers, the update will be activated by our TechSupport and performed automatically during the night of April 4 to April 5, 2022.

 

Vulnerability in Spring4Shell Framework (CVE-2022-22965) - LucaNet software not affected

2022-04-01

A vulnerability in Spring4Shell Framework was reported on 2022-03-30 (Spring4Shell: Zero-Day Vulnerability in Spring Framework - CVE-2022-22965).  

Since the LucaNet software does not use Spring4Shell libraries, LucaNet software is not affected by this vulnerability. 

We are currently checking all our external service providers and our own infrastructure for this vulnerability and will fix it promptly if necessary.  

We will keep you updated on all developments regarding this vulnerability. 

 

 

Incorrect Windows Defender Antivirus Definition Released

LucaNet Software Falsely Detected as a Threat - affects LucaNet 13 LTS only

2022-02-21

Antivirus definitions allow Windows Defender to detect current malicious or unwanted software and prevent it from being executed on the computer. Due to Microsoft's release of an incorrect Windows Defender antivirus definition, Windows Defender is currently incorrectly detecting a file of LucaNet software as a threat.

Since no changes were made to the file, a real danger from the file in question can be ruled out.

Microsoft has already published a new definition today. Thus, the problem mentioned should no longer occur. In case the problem persists, the update can be triggered manually via Windows. The affected file can be released from quarantine after it has been defined as harmless. 

Here's how your IT department can support you: If your organization uses Office 365 Windows Defender, you can roll out the settings to all clients via an indicator. For this, the hash of the file must be classified as harmless or, alternatively, the LucaNet installation directory must be excluded from Windows Defender.

If required, we will of course be happy to support you and keep you up to date on this topic.  

Update critical vulnerability in Log4j

On Saturday, December 11, 2021, the German Federal Office for Information Security (BSI) warned all companies in the Federal Republic of Germany about a security vulnerability in the widely used Java library Log4j.

For more information on this extremely critical threat situation and its assessment as well as corresponding measures, see www.bsi.bund.de (Critical vulnerability published in Log4j).

For LucaNet as a software provider for financial performance management solutions, the protection of our customers' highly sensitive data is a top priority for the LucaNet Group. Our security experts have closely examined the potential impact of the security vulnerability and have been working intensively to install appropriate protective measures in our software. Risks are continuously monitored, thoroughly examined, and updated as necessary.

As a matter of principle, it is imperative to note that

  1. your software is running at the correct patch level. Our latest patch contains the updated Log4j version 2.17.1.
    The build date should be the same (or higher version) as your LucaNet software build date. More details

  2. LucaNet.Software Manager must also be updated. As a rule, this is done automatically. However, in environments without administrator rights, such as Citrix, the update must be performed by in-house IT.

     

FAQs on the topic

 

From now on we will inform you continuously about all current developments concerning this topic.

+++ LATEST NEWS CRITICAL VULNERABILITY IN Log4j +++

2022-01-03

+++ Currently, LucaNet Group is tracking the vulnerability in the open source Apache Log4j2 CVE-2021-44832

+++ As part of the regular patch update, Log4j version 2.17.1 is being delivered today and will be installed during the usual update and maintenance window between 23:00 and 05:00 CET, if you are using LucaNet in the cloud. As an on-premises customer, please perform the server update yourself as usual.

The following new build versions have the Log4j version updated to 2.17.1:

  • LucaNet 12 LTS - 1911.0.194+3 - EOL - 2022-01-03
  • LucaNet 13 LTS - 2011.0.116+9 - GA - 2022-01-03
  • LucaNet 22 LTS - 2111.0.15+11 - GA - 2022-01-03
  • LucaNet 23.0 - 2112.0.8+10 - EOL - 2022-01-03 (monthly release train)
  • LucaNet 23.1 - 2201.0.1+3 - GA - 2022-01-03 (monthly release train)


+++ The update to V2.17.1 is not mandatory immediately if you are on one of the following build versions which have the Log4J 2.17.0 update already included:

  • LucaNet 12 LTS - 1911.0.193+13 - EOL - 2021-12-20
  • LucaNet 13 LTS - 2011.0.115+8 - GA - 2021-12-27
  • LucaNet 22 LTS - 2111.0.14+9 - GA - 2021-12-27
  • LucaNet 23.0 - 2112.0.5+14 - GA - 2021-12-20 (monthly release train)

The vulnerabilities fixed in version 2.17.0 do not affect your product. 
 

*** Please remember to update LucaNet.Software Manager as well. The update is performed automatically together with the software. The update is usually performed automatically and is scheduled for today (2022-01-03) during the usual update and maintenance time window between 23:00 and 05:00 CET, if you are using LucaNet in the cloud. As an on-premises customer, please perform the server update yourself as usual.

In environments without administrator rights, such as Citrix, the update must be performed by the in-house IT. For this purpose, we provide the appropriate MSI installation files in the customer portal. It is not necessary to uninstall the existing LucaNet.Software Manager beforehand. During the installation, the old Log4j libraries remaining on the LucaNet server are automatically deleted.

2021-12-20

+++ Currently LucaNet Group is tracking the vulnerability in the open source Apache Log4j2 CVE-2021-45105.

+++ As part of the regular patch update, Log4j version 2.17.0 is being delivered today and will be installed during the usual update and maintenance window between 23:00 and 05:00 CET, if you are using LucaNet in the cloud. As an on-premises customer, please perform the server update yourself as usual.

+++ The update to V2.17 is not mandatory immediately if you are on one of these build versions:

  • LucaNet 12 LTS - 1911.0.192+3 - EOL - 2021-12-15
  • LucaNet 13 LTS - 2011.0.112+7 - GA - 2021-12-15
  • LucaNet 22 LTS - 2111.0.11+9 - GA - 2021-12-15
  • LucaNet 23.0 - 2112.0.4+7 - GA - 2021-12-15 (monthly release train)

The vulnerabilities fixed in version 2.17.0 do not affect your product. 

*** Please remember to update LucaNet.Software Manager as well. The update is performed automatically together with the software. The update is usually performed automatically and is scheduled for today (2021-12-20) during the usual update and maintenance time window between 23:00 and 05:00 CET, if you are using LucaNet in the cloud. As an on-premises customer, please perform the server update yourself as usual.

In environments without administrator rights, such as Citrix, the update must be performed by the in-house IT. For this purpose, we provide the appropriate MSI installation files in the customer portal. It is not necessary to uninstall the existing LucaNet.Software Manager beforehand. During the installation, the old Log4j libraries remaining on the LucaNet server are automatically deleted.

2021-12-15

+++ Information to LucaNet users who also use the SmartNotes solution: SmartNotes is not affected by the security vulnerability.

We have received the following information from our partner AMANA Consulting GmbH:

"We do not use the Log4j library, nor the corresponding .NET equivalent. We are therefore not affected by the security vulnerability.

Unfortunately, however, parts of our infrastructure are affected internally, which is why our SmartNotes documentation is currently not accessible. We apologize for any inconvenience this may cause."

2021-12-13

+++ Service pack created for version LucaNet 12 LTS. Release 2021-12-13 will be installed during the usual update and maintenance window between 11:00 p.m. and 5:00 a.m. CET.

+++ URGENT: Update to LucaNet 22 LTS recommended for versions older than LucaNet 12 LTS, as no patch is created for versions older than LucaNet 12 LTS. No support for versions LucaNet 11 LTS and below.

+++ All steps for a successful update to LucaNet 22 LTS can be found on our website: Update now

2021-12-10

+++ Relevant Log4j2 libraries identified

+++ Log4j updated to version 2.15.0

+++ Service pack for LucaNet 13 LTS and LucaNet 22 LTS versions successfully created and deployed

 

FAQs:

How can I ensure that my LucaNet software is running at the correct patch level?

  • Start LucaNet.Financial Client.

  • Navigate to the "?" to the right of "Extras" in the menu bar.

  • Click "About LucaNet".

  • The information below the serial number should now look as follows, depending on the LucaNet version:

LucaNet 12 LTS - 1911.0.192+3 - EOL - 2021-12-15

LucaNet 13 LTS - 2011.0.112+7 - GA - 2021-12-15

LucaNet 22 LTS - 2111.0.11+9 - GA - 2021-12-15

LucaNet 23.0 - 2112.0.4+7 - GA - 2021-12-15 (monthly release train)

IMPORTANT: The build date should be the same as your LucaNet software build date.
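When many installations have to be checked, the build line from "About LucaNet" can be compared against the 2022-01-03 (Log4j 2.17.1) and 2021-12-20/27 (Log4j 2.17.0) build lists published above. The following Python is an added example, not LucaNet code; it assumes that builds within one release train order by their numeric components, and the host names and inventory are constructed.

```python
import re

# Build numbers copied from this page, keyed by release-train prefix.
# Each value is (minor, patch, revision) from e.g. "2011.0.116+9".
LOG4J_2_17_1 = {  # builds dated 2022-01-03
    "1911": (0, 194, 3),   # LucaNet 12 LTS
    "2011": (0, 116, 9),   # LucaNet 13 LTS
    "2111": (0, 15, 11),   # LucaNet 22 LTS
    "2112": (0, 8, 10),    # LucaNet 23.0
    "2201": (0, 1, 3),     # LucaNet 23.1
}
LOG4J_2_17_0 = {  # builds dated 2021-12-20 / 2021-12-27
    "1911": (0, 193, 13),
    "2011": (0, 115, 8),
    "2111": (0, 14, 9),
    "2112": (0, 5, 14),
}

BUILD_RE = re.compile(r"\b(\d{4})\.(\d+)\.(\d+)\+(\d+)\b")


def classify(about_line):
    """Map an 'About LucaNet' build line to the Log4j level the page lists for it."""
    m = BUILD_RE.search(about_line)
    if not m:
        return "unparseable"
    train = m.group(1)
    build = tuple(int(g) for g in m.groups()[1:])
    if train not in LOG4J_2_17_1:
        return "train-not-listed"
    # Assumption: within one train, a larger tuple is a later build.
    if build >= LOG4J_2_17_1[train]:
        return "log4j-2.17.1"
    if train in LOG4J_2_17_0 and build >= LOG4J_2_17_0[train]:
        return "log4j-2.17.0"
    return "older-build"


def needs_update(inventory):
    """Return hosts whose build is not at the 2.17.1 level, with the reason."""
    return {host: level for host, line in inventory.items()
            if (level := classify(line)) != "log4j-2.17.1"}


# Constructed inventory: host names are made up, build lines follow the page's format.
SAMPLE = {
    "fin-srv-01": "LucaNet 13 LTS - 2011.0.116+9 - GA - 2022-01-03",
    "fin-srv-02": "LucaNet 22 LTS - 2111.0.14+9 - GA - 2021-12-27",
    "fin-srv-03": "LucaNet 12 LTS - 1911.0.192+3 - EOL - 2021-12-15",
    "fin-srv-04": "LucaNet 11 LTS",
}
```

A result of `train-not-listed` or `unparseable` means the page's Log4j lists say nothing about that build, so it needs a manual check rather than being treated as patched.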

 

How do I get the latest service pack of LucaNet software if my build version is older than 2021-12-10 (for LucaNet 13 LTS and LucaNet 22 LTS) or 2021-12-13 (for LucaNet 12 LTS)?

  • Make sure that you are using a LucaNet version for which service packs are still available (LucaNet 12 LTS, LucaNet 13 LTS, LucaNet 22 LTS).

  • If this is the case, open LucaNet.Server Administrator and navigate to Settings | Job control | Daily jobs | Restart the server.

  • Activate the Update to the latest version in the current release train check box and test the connection to the update server using the Test connection action.

  • After activating the software update, you will receive the service pack during the next maintenance time window between 11:00 p.m. and 5:00 a.m. CET.

 

Our company uses LucaNet as a cloud customer: Is the AWS infrastructure still secure?

  • AWS has issued an official statement concerning this: Update for Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)

  • Since we operate a virtual, private cloud, each customer has their own virtual instance. This is patched by AWS in a timely manner. In addition, our customers can only connect to the LucaNet cloud app, which runs on a hardened AWS Linux 2 (Amazon Linux 2) operating system. Thus, no customer has access to the operating system.

  • The services we use to provide a great experience for our customers and partners are "S3 Buckets" and "RDS Instances". The exact AWS statement concerning this is as follows:

    • S3: S3’s data ingress and egress is patched against the Log4j2 issue. We are working to apply the Log4j2 patch to the S3 systems that operate separately from S3’s data ingress and egress.

    • RDS: Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

Assessment of course of action:

LucaNet Group security experts assess the way the AWS infrastructure is used for the LucaNet SaaS solution as secure.
