KB Article #181951
Impact and resolution of CVE-2021-44228 (Log4Shell) in Axway Decision Insight
Context
A zero-day vulnerability in the popular Java logging library Apache log4j, tracked as CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible whenever log4j logs an attacker-controlled string value: a lookup of the form ${jndi:ldap://...} inside the logged message makes log4j resolve the reference and load code from the attacker's server.
Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, they will be published in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 and CVE-2021-45046 in Axway Decision Insight (ADI) and Decision Insight Messaging System (DIMS).
Update: As of
we are aware of a third vulnerability in log4j, CVE-2021-45105, a denial-of-service issue caused by uncontrolled recursion when self-referential lookups are evaluated. After investigation, ADI and DIMS are not affected by this vulnerability.
Impacted Products
The impact derives from the use of Apache log4j within the products: all log4j 2.x versions from 2.0 through 2.14.1 inclusive are impacted. The exact impact varies with the log4j and JRE versions in use; for example, JREs that default com.sun.jndi.ldap.object.trustURLCodebase to false (Java 8u191 and later) block the loading of remote classes over LDAP, but exploitation through deserialization of classes already on the classpath remains possible, so no JRE version removes the need for the fix.
Resolution
Permanent Solution
For ADI and DIMS the permanent solution is to use a version of ADI and DIMS that ships with log4j 2.16.0 or later.
ADI and DIMS are not affected by CVE-2021-45105, for which the fix is included in log4j 2.17.0, but new releases in 2022 will nonetheless be upgraded to include this version of the library.
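The following Python script is an added example, not Axway code: it inventories the log4j-core jars under an installation directory and classifies each one against the Apache fix versions (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.17.0 for CVE-2021-45105), which is the check to run before and after applying a hotfix to confirm which library version is actually on disk. The directory layout is an assumption, the sample jars it builds are constructed for the demonstration, and only the mainline 2.x release train is modelled; the 2.3.x and 2.12.x backport branches have their own fixed releases and are not handled.

```python
"""Inventory log4j-core jars under an install tree and classify each by CVE exposure.

Added example, not Axway code. Assumptions: the product's jars live somewhere
under the directory given to scan(); the jar name or its MANIFEST.MF carries the
log4j version; only the mainline 2.x release train is modelled (the 2.3.x and
2.12.x backport branches have their own fixed releases and are not handled).
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Version string embedded in a stock jar name, e.g. log4j-core-2.14.1.jar
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")
# Leading numeric part of a version; drops qualifiers such as "-beta9" or "-rc1"
VERSION_PREFIX = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); always padded to three components."""
    m = VERSION_PREFIX.match(text)
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def classify(version):
    """CVEs a mainline log4j-core 2.x version is exposed to, per the Apache fix versions:
    CVE-2021-44228 fixed in 2.15.0, CVE-2021-45046 in 2.16.0, CVE-2021-45105 in 2.17.0.
    CVE-2021-45105 is listed for completeness; this KB states ADI and DIMS are not affected by it."""
    v = tuple(version) + (0,) * (3 - len(version))
    if v < (2, 15, 0):
        return ("CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105")
    if v < (2, 16, 0):
        return ("CVE-2021-45046", "CVE-2021-45105")
    if v < (2, 17, 0):
        return ("CVE-2021-45105",)
    return ()


def inspect_jar(path):
    """Return the log4j-core version string from the jar name, falling back to
    Implementation-Version in META-INF/MANIFEST.MF (renamed jars), or None."""
    m = JAR_NAME.search(path.name)
    if m:
        return m.group(1)
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    mm = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return mm.group(1) if mm else None


def scan(root):
    """Find every log4j-core jar under root and report its version and CVE exposure."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core*.jar")):
        version = inspect_jar(jar)
        exposed = classify(parse_version(version)) if version else ("unknown",)
        findings.append({
            "jar": jar.relative_to(root).as_posix(),
            "version": version,
            "exposed_to": exposed,
        })
    return findings


def build_sample_install(root):
    """Constructed input for the demo: minimal jars holding only a manifest, not real artifacts."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)

    def write_jar(name, version):
        with zipfile.ZipFile(lib / name, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")

    write_jar("log4j-core-2.14.1.jar", "2.14.1")   # version in the file name
    write_jar("log4j-core.jar", "2.16.0")          # renamed jar: version only in the manifest
    write_jar("log4j-api-2.14.1.jar", "2.14.1")    # not log4j-core, must be ignored
    return lib.parent


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_install(tmp))


if __name__ == "__main__":
    for f in demo():
        status = "OK" if not f["exposed_to"] else ", ".join(f["exposed_to"])
        print(f'{f["jar"]}: log4j-core {f["version"]} -> {status}')
```

Run it against the real installation by calling scan() with the product's root directory instead of demo(); a jar reported with version "unknown" (no version in the name and no Implementation-Version in its manifest) should be inspected by hand rather than assumed fixed.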
Decision Insight
All versions starting with 20211220 contain the fix by default; the following table details the hotfix for each currently supported version.
These hotfixes will be delivered on December 17th. Install a hotfix by following the upgrade procedure described in the ADI documentation: https://docs.axway.com/bundle/DecisionInsight_LATEST_allOS_en_HTML5/page/upgrade.html
Version | Hotfix
20210329 | 20210329-06
20210607 | 20210607-04
20210621 | 20210621-04
20210705 | 20210705-04
20210719 | 20210719-04
20210802 | 20210802-04
20210830 | 20210830-03
20210913 | 20210913-03
20210927 | 20210927-03
20211011 | 20211011-04
20211025 | 20211025-04
20211108 | 20211108-03
20211122 | 20211122-03
Decision Insight Messaging System
The following table details the hotfix for each currently supported version.
Version | Hotfix
20210412 | 20210412-03
20211220 | 20211220-02
Mitigations
There are currently no mitigation options other than installing the hotfix or upgrading to a release that ships the fixed log4j version.