KB Article #181927

Impact and resolution of CVE-2021-44228 (Log4Shell) in Syncplicity

Context

CVE-2021-44228 (Log4Shell) is a vulnerability in the widely used Java logging library Apache log4j 2. It was disclosed as a 0-day on GitHub together with a proof of concept (POC) showing Remote Code Execution (RCE) when log4j logs an attacker-controlled string containing a JNDI lookup.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, they will be published in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en


This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Syncplicity.

It also covers the log4j v1 issues CVE-2019-17571 and CVE-2021-4104.


Impacted Products

The impact stems from the use of Apache log4j within a product: all log4j 2 versions from 2.0-beta9 up to and including 2.14.1 are affected by CVE-2021-44228.

The Syncplicity Cloud Platform and On-premises components do not use log4j and are not vulnerable. However, in a few instances, log4j v1 or v2 is bundled as a binary dependency of a 3rd party library used in our Storage and DLP/AV Connectors.

If your organization runs security scanners on the file system, the Connectors may get flagged as vulnerable because of these bundled jars, even though they are not vulnerable. See the Mitigations section for how to remove the jars and avoid such findings.


Syncplicity Cloud Platform

The Syncplicity platform is not affected by this vulnerability as log4j is not being used in the core services.

Supporting infrastructure services that use log4j have been audited and are either confirmed not vulnerable or have mitigation measures in place.


Storage Connectors

All versions from 1.5 up to 3.3.3.x that may be installed on customer premises do not use log4j as the default logging component, but a log4j v1 jar may be found in the installation because of a 3rd party dependency.

The shipped version is not vulnerable to CVE-2021-44228: that CVE affects the JNDI lookup of log4j 2.x, and log4j v1 does not contain the vulnerable JNDI classes. It is also not vulnerable to CVE-2019-17571 and CVE-2021-4104, which require the log4j v1 SocketServer and JMSAppender features respectively, as neither is configured or enabled.
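A quick way to verify the statements above on an installed connector is to look inside the jars rather than at their file names, which is all most file-system scanners do. The script below is an added example written for this article, not Syncplicity or Axway tooling: it walks a directory, opens every jar, reports which ones actually contain log4j classes, whether the log4j 2 JndiLookup class that CVE-2021-44228 relies on is present, and whether a log4j 1.x jar carries the JMSAppender and SocketServer classes behind CVE-2021-4104 and CVE-2019-17571. The sample directory it builds when run without arguments is constructed for the example; on a real system point it at the connector directories named in the Mitigations section, such as /usr/lib/syncp-storage/.

```python
"""Report what log4j classes a set of jars really contains.

Added example for this article; not Syncplicity/Axway tooling. It inspects jar
contents instead of trusting file names, which is what separates a scanner
false positive from a real finding.
"""
import os
import re
import sys
import tempfile
import zipfile

# log4j 2.x class that performs JNDI lookups; CVE-2021-44228 is not exploitable without it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j 1.x classes behind the two v1 CVEs; both are dormant unless configured.
V1_RISKY = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}
V1_PREFIX = "org/apache/log4j/"
V2_PREFIX = "org/apache/logging/log4j/"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def _version(jar, names, path):
    """Version tuple from the log4j pom.properties inside the jar, else from the file name."""
    for name in sorted(names):
        if name.startswith("META-INF/maven/") and "/log4j" in name and name.endswith("pom.properties"):
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    m = VERSION_RE.search(line)
                    if m:
                        return tuple(int(x) for x in m.groups())
    m = VERSION_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Classify one jar by the log4j classes it actually contains; None if it has none."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = _version(jar, names, path)
    is_v2 = any(n.startswith(V2_PREFIX) for n in names)
    is_v1 = any(n.startswith(V1_PREFIX) for n in names)
    if not (is_v1 or is_v2):
        return None  # no log4j code inside, whatever the file is called
    report = {
        "path": path,
        "version": version,
        "major": 2 if is_v2 else 1,
        "jndi_lookup": JNDI_LOOKUP in names,
        "v1_risky": sorted(cve for cls, cve in V1_RISKY.items() if cls in names),
    }
    if is_v2:
        if not report["jndi_lookup"]:
            report["status"], report["verdict"] = "jndi-removed", "log4j 2.x without JndiLookup: CVE-2021-44228 not exploitable"
        elif version is None or version < (2, 15, 0):
            report["status"], report["verdict"] = "CVE-2021-44228", "log4j 2.x with JndiLookup: vulnerable to CVE-2021-44228"
        elif version < (2, 17, 1):
            report["status"], report["verdict"] = "upgrade", "log4j 2.15.0-2.17.0: CVE-2021-44228 fixed, follow-up CVEs fixed only in 2.17.1"
        else:
            report["status"], report["verdict"] = "ok", "log4j 2.x >= 2.17.1: not affected"
    else:
        report["status"] = "v1"
        report["verdict"] = "log4j 1.x: CVE-2021-44228 not applicable" + (
            "; " + ", ".join(report["v1_risky"]) + " only if the matching feature is configured"
            if report["v1_risky"] else "; no JMSAppender/SocketServer classes")
    return report


def scan_dir(directory):
    """Inspect every jar under a directory, not only files whose name contains 'log4j'."""
    findings = []
    for root, _, files in os.walk(directory):
        for f in sorted(files):
            if f.endswith(".jar"):
                rep = inspect_jar(os.path.join(root, f))
                if rep:
                    findings.append(rep)
    return findings


def make_sample_dir():
    """Constructed sample tree for a dry run (not a real connector install)."""
    d = tempfile.mkdtemp(prefix="log4j-check-")
    v2pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    v1pom = "META-INF/maven/log4j/log4j/pom.properties"
    samples = {
        "log4j-core-2.14.0.jar": [(V2_PREFIX + "core/Logger.class", b""), (JNDI_LOOKUP, b""), (v2pom, b"version=2.14.0\n")],
        "log4j-core-2.14.0-stripped.jar": [(V2_PREFIX + "core/Logger.class", b""), (v2pom, b"version=2.14.0\n")],
        "log4j-core-2.17.1.jar": [(V2_PREFIX + "core/Logger.class", b""), (JNDI_LOOKUP, b""), (v2pom, b"version=2.17.1\n")],
        "log4j-1.2.17.jar": [(V1_PREFIX + "Logger.class", b"")] + [(c, b"") for c in V1_RISKY] + [(v1pom, b"version=1.2.17\n")],
        "unrelated-1.0.0.jar": [("com/example/App.class", b"")],
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(d, name), "w") as jar:
            for entry, data in entries:
                jar.writestr(entry, data)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for r in scan_dir(target):
        print(f"{r['path']}: {r['verdict']}")
```

Run it against a connector directory before and after the Mitigations steps to confirm that the jars the scanner complained about are gone. A log4j 1.x jar that still contains JMSAppender is not a finding by itself: log4j 1.x only instantiates that appender when the logging configuration names it, which is the point made above for the Storage Connector.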


Syncplicity Rights Management

The feature depends on a third-party component that uses log4j 2.x and may be vulnerable. The service has been audited and patched according to the vendor's recommendations.


On-Premises Connectors and Tools

  • On-Premises Microsoft Integration (WOPI Connector OVA) - Version 1.5 is not affected by this vulnerability as log4j is not being used.
  • On-Premises DLP/AV (DLP/AV Connector OVA) - Version 1.2.1 is not affected by this vulnerability as log4j is not being used. In version 2.0, log4j v2 can be found, but it is part of a 3rd party component that is not used in on-premises deployments.
  • DAS connector - Versions 1.2.2+ are not affected by this vulnerability as log4j is not being used.
  • AD Sync Tool (AD Sync Tool OVA) - Version 1.1.4 is not affected by this vulnerability as log4j is not being used.


Syncplicity Desktop and Mobile apps

  • Windows, MacOS, all versions - are not affected by this vulnerability as log4j is not being used.
  • Android, iOS, all versions - are not affected by this vulnerability as log4j is not being used.


Mitigations

Even though the connectors are not vulnerable and no immediate action is required, the mitigation steps below remove the bundled log4j jars so that security scanners run by your organization no longer flag the Storage and DLP/AV Connectors as vulnerable.

Make sure you are logged in as a user with sufficient privileges (root, or sudo) to execute the steps below.


Storage Connector 3.3.x (versions up to 3.3.3)


  1. Upgrade to version 3.3.4 (the shipped version of log4j is now 2.17.1)
  2. Remove log4j v1
# stop the storage connector

$ systemctl stop syncp-storage

# cd into the storage connector directory and remove the log4j v1 library

$ cd /usr/lib/syncp-storage/

$ rm log4j-1.2.17.jar

# start the storage connector again

$ systemctl start syncp-storage


DLP/AV Connector 2.0


  1. Upgrade to version 2.0.1 (the shipped version of log4j is now 2.17.1)
  2. Remove log4j v1 and v2
# stop the das connector

$ systemctl stop syncp-das

# cd to syncp-das directory and remove the log4j v1 and v2 libraries

$ cd /usr/lib/syncp-das/

$ rm log4j-core-2.14.0.jar

$ rm log4j-1.2.17.jar

# start the syncp-das connector again

$ systemctl start syncp-das


WOPI Connector (any version)


Remove log4j v1

# stop the wopi connector

$ systemctl stop syncp-wopi

# cd to syncp-wopi directory and remove the log4j v1

$ cd /usr/lib/syncp-wopi/

$ rm log4j.log4j-1.2.16.jar

# start the wopi connector again

$ systemctl start syncp-wopi