KB Article #181999
Impact and resolution of CVE-2021-44228 (Log4Shell) in Validation Authority
Context
A zero-day vulnerability in the popular Java logging library log4j, tracked as CVE-2021-44228, was published on GitHub along with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible when log4j logs an attacker-controlled string value.
Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations are available, we will be publishing them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Validation Authority.
Impacted Products
The impact derives from the use of Apache log4j within the products; all log4j versions from 2.0 up to and including 2.14.1 are affected. The exact impact varies depending on the log4j and JRE versions in use.
| Product | Log4J | JRE | Impact | Solution |
| --- | --- | --- | --- | --- |
| Validation Authority Server | N/A | N/A | None | N/A |
| Desktop Validator | N/A | N/A | None | N/A |
| Server Validator | N/A | N/A | None | N/A |
| VA Java Toolkit 4.11.2-SP5 | 2.9.0 | Oracle JDK 1.8 | The toolkit is built against Log4j 2.9, but the library is not shipped with the toolkit. By default, the Java toolkit does not use the vulnerable classes (which were reported as vulnerable in log4j1). | The already released VA Java Toolkit 4.11.2-SP6 upgrades log4j to the non-vulnerable v2.16.0. The vulnerable classes can be removed from the Log4j library used in conjunction with the toolkit without impacting the VA Java Toolkit. |
| VA Java Toolkit 5.0 | 2.9.1 | OpenJDK 11.0.x | The toolkit is built against Log4j 2.9, but the library is not shipped with the toolkit. By default, the toolkit does not use the vulnerable classes (which were reported as vulnerable in log4j1). | The already released Java Toolkit December Update upgrades log4j to the non-vulnerable v2.16.0. The vulnerable classes can be removed from the Log4j library used in conjunction with the toolkit without impacting the VA Java Toolkit. |
Permanent Solution
Use log4j version 2.15 or higher.
The CVE-2021-44228 vulnerability is fixed in log4j version 2.15. Axway has already delivered releases of the VA Java Toolkit in which log4j2 is upgraded to v2.16.0: 4.11.2-SP6 and 5.0 UP202112, both of which are in GA status.
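Because the Log4j library is supplied alongside the toolkit rather than shipped with it, an operator has to verify the copy actually deployed next to the toolkit. The following script is an added example (not Axway code and not part of this article) that inspects log4j-core jars on disk: it reads the version recorded in the jar's Maven `pom.properties`, classifies it against the affected range stated above (2.0 through 2.14.1 inclusive), and reports whether the `JndiLookup` class, the class commonly removed as the "remove the vulnerable classes" mitigation, is still present. The three sample jars it scans are constructed in a temporary directory purely as fixtures; the `make_sample_jar` and `demo` helpers exist only for that purpose.

```python
"""Inventory log4j-core jars for the CVE-2021-44228 affected range and the JndiLookup class.

Added example for this KB article; it is not part of the Validation Authority toolkit.
"""
import os
import re
import tempfile
import zipfile

# Real, documented locations inside a log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Affected range as stated in the article: 2.0 through 2.14.1 inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text):
    """Turn '2.14.1' or '2.9' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_version(jar):
    """Return the log4j-core version recorded in pom.properties, or None if absent."""
    try:
        data = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def assess_jar(path):
    """Classify one jar as 'not-log4j-core', 'affected', 'mitigated' or 'fixed'.

    'mitigated' means the version is in the affected range but JndiLookup.class
    has been stripped from the jar (the class-removal workaround).
    """
    with zipfile.ZipFile(path) as jar:
        version = read_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        return {"path": path, "version": None, "jndi_lookup": has_jndi, "status": "not-log4j-core"}
    if AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
        status = "affected" if has_jndi else "mitigated"
    else:
        status = "fixed"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}


def scan_tree(root):
    """Walk a directory tree and assess every .jar found; returns a list of result dicts."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def make_sample_jar(path, version, include_jndi_lookup):
    """Build a constructed, minimal jar that mimics log4j-core metadata (fixture only)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Scan three constructed fixtures and return {jar filename: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.9.1.jar"), "2.9.1", True)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.9.1-stripped.jar"), "2.9.1", False)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.16.0.jar"), "2.16.0", True)
        return {os.path.basename(r["path"]): r["status"] for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-10s %s" % (status, name))
```

To check a real deployment, call `scan_tree("/path/to/toolkit/lib")` instead of `demo()`. A `fixed` result only tells you the jar's recorded version is outside the affected range; a `mitigated` result should still be followed by an upgrade to the releases named in the Permanent Solution section, since class removal is a workaround rather than a fix.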