KB Article #181929

Impact and resolution of CVE-2021-44228 (Log4Shell) for Transfer CFT

Context

A 0-day vulnerability, CVE-2021-44228, in the popular Java logging library log4j was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible when log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will be publishing them as a dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

/!\ Update: As of 22 Dec 2021 we are aware of a third vulnerability, CVE-2021-45105, in Log4j. After investigation, Transfer CFT is not affected by this type of attack.

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Transfer CFT.

Impacted Products

The impact derives from the use of Apache log4j in the product and concerns all log4j versions from 2.0 through 2.14.1. The exact impact varies with the log4j and JRE versions in use.

  • Transfer CFT
    • v3.6 which embeds the Secure Relay Master Agent v2.7.3
    • v3.8 which embeds the Secure Relay Master Agent v2.7.3
    • v3.9 which embeds the Secure Relay Master Agent v2.7.4

Transfer CFT is affected by the log4j vulnerability only if the Secure Relay feature is used, that is, both the UCONF parameter secure_relay.enable=Yes is set and a CFTNET object is defined with protocol=SR (CFTNET type=TCP, protocol=SR).

For all platforms, the embedded Secure Relay Master Agent uses log4j 2.14.

Resolution

Permanent Solution

The permanent fix is to upgrade to log4j 2.16 or higher on the Master Agent and the Router Agent.

To deliver this, Transfer CFT packages will embed a new Secure Relay Master Agent dependency. The following releases will be delivered as soon as possible:

  • Transfer CFT v3.6 SP4 Patch1 (or Patch2, depending on the platform)
  • Transfer CFT v3.8 Patch2
  • Transfer CFT v3.9 Patch2

Additionally, we will release Secure Relay Router Agent v2.7.3 and v2.7.4 patches as soon as possible.

Transfer CFT is not affected by CVE-2021-45105, for which the fix is included in log4j 2.17.0, but new releases in 2022 will nevertheless be upgraded to this version of the library.

Mitigation

Note

A previous version of this article included steps to set formatMsgNoLookups to true. That mitigation has since been shown to be unreliable (it does not cover every logging configuration; see CVE-2021-45046) and has been removed.

Transfer CFT is affected by the log4j vulnerability only if the Secure Relay feature is used, that is, both the UCONF parameter secure_relay.enable=Yes is set and a CFTNET object is defined with protocol=SR (CFTNET type=TCP, protocol=SR).

Please follow the mitigation steps provided for Secure Relay: https://support.axway.com/kb/181969
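The following script is an added example, not Axway code and not part of this article or of KB 181969. It combines the exposure condition stated above (secure_relay.enable=Yes together with a CFTNET of type TCP / protocol SR) with a scan of the embedded log4j-core jar, so that the same check can confirm both that an installation is exposed and that the permanent fix (log4j 2.16 or higher) or the Apache-documented mitigation of removing JndiLookup.class has actually landed on disk. The CFTUTIL-style syntax of the constructed sample configuration, the install directory layout, and the use of the Maven pom.properties inside the jar for version detection are assumptions for this example.

```python
"""Log4Shell exposure check for Transfer CFT's embedded Secure Relay Master Agent.

Added example, not Axway code. Assumed (not from the KB): the CFTUTIL-style
syntax of SAMPLE_CONFIG, the install layout scanned, and pom.properties-based
version detection (present in Apache-built log4j-core jars).
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_44228 = (2, 16, 0)   # KB: permanent fix is log4j 2.16 or higher

# Constructed sample configuration (command syntax is an assumption).
SAMPLE_CONFIG = """\
CFTUTIL uconfset id=secure_relay.enable, value=yes
CFTNET ID=NETSR, TYPE=TCP, PROTOCOL=SR, HOST=10.0.0.5
"""


def secure_relay_in_use(config_text):
    """KB condition: secure_relay.enable=Yes AND a CFTNET with TYPE=TCP, PROTOCOL=SR."""
    enabled, sr_net = False, False
    for line in config_text.splitlines():
        m = re.search(r"uconfset\s+id\s*=\s*secure_relay\.enable\s*,\s*value\s*=\s*(\w+)",
                      line, re.IGNORECASE)
        if m:
            enabled = m.group(1).lower() == "yes"      # last assignment wins
        if re.match(r"\s*CFTNET\b", line, re.IGNORECASE):
            params = {k.upper(): v.upper() for k, v in re.findall(r"(\w+)\s*=\s*([\w.]+)", line)}
            if params.get("TYPE") == "TCP" and params.get("PROTOCOL") == "SR":
                sr_net = True
    return enabled and sr_net


def log4j_core_version(jar_path):
    """Version tuple read from the Maven pom.properties inside log4j-core, or None."""
    with zipfile.ZipFile(jar_path) as z:
        for name in z.namelist():
            if name.endswith("org.apache.logging.log4j/log4j-core/pom.properties"):
                for raw in z.read(name).decode("utf-8").splitlines():
                    if raw.startswith("version="):
                        nums = [int(x) for x in re.findall(r"\d+", raw.split("=", 1)[1])][:3]
                        return tuple(nums + [0] * (3 - len(nums)))
    return None


def classify_jar(jar_path):
    """'fixed' (>= 2.16), 'mitigated' (JndiLookup.class removed), 'vulnerable' or 'unknown'."""
    version = log4j_core_version(jar_path)
    if version is None:
        return "unknown"
    if version >= FIXED_44228:
        return "fixed"
    with zipfile.ZipFile(jar_path) as z:
        jndi_present = JNDI_LOOKUP in z.namelist()
    return "vulnerable" if jndi_present else "mitigated"


def scan_install(root):
    """Classify every log4j-core*.jar found under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core") and f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                found[path] = classify_jar(path)
    return found


def assess(config_text, root):
    """Overall verdict following the KB logic: no Secure Relay, no exposure."""
    if not secure_relay_in_use(config_text):
        return "not-exposed"
    states = set(scan_install(root).values())
    if not states or "unknown" in states:
        return "unknown"              # no (or unreadable) log4j-core jar under root
    if "vulnerable" in states:
        return "exposed"
    if "mitigated" in states:
        return "mitigated"
    return "patched"


def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar; not a real log4j build."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "version=%s\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n" % version)
        if include_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # placeholder class bytes


def demo():
    """Walk the KB scenarios on a constructed install tree; returns the verdicts."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "SecureRelay", "MasterAgent", "lib")   # assumed layout
        os.makedirs(lib)
        jar = os.path.join(lib, "log4j-core-2.14.1.jar")
        make_sample_jar(jar, "2.14.1")
        verdicts["secure-relay-disabled"] = assess(SAMPLE_CONFIG.replace("value=yes", "value=no"), root)
        verdicts["log4j-2.14.1"] = assess(SAMPLE_CONFIG, root)
        make_sample_jar(jar, "2.14.1", include_jndi=False)   # JndiLookup.class removed
        verdicts["jndilookup-removed"] = assess(SAMPLE_CONFIG, root)
        os.remove(jar)
        make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0")
        verdicts["log4j-2.16.0"] = assess(SAMPLE_CONFIG, root)
    return verdicts


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print("%-24s %s" % (scenario, verdict))
```

To use it against a real installation, replace SAMPLE_CONFIG with your own exported UCONF and CFTNET definitions and point scan_install at the Transfer CFT installation directory; a verdict of "exposed" means Secure Relay is in use and a log4j-core jar below 2.16 that still contains JndiLookup.class is present.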