KB Article #181931

Critical issue in Apache Log4j logging utility used by Axway EBICS Products

Context

A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible if log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com.

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on EBICS products.

Resolution

The impact derives from the use of Apache log4j within the products; all log4j versions from 2.0 up to and including 2.14.1 are affected. The exact impact varies with the log4j and JRE version in use.

Permanent Solution

Permanent solution: use Apache log4j version 2.17.1 or higher. Patches including log4j 2.17.1 will be issued for all supported versions of every potentially impacted product. ETAs for these patches will be communicated shortly.

Product: EBICS Gateway
Version: 3.5
Impact: Vulnerability confirmed
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages:

Log4J Version: 2.13.3 - This version is used in the product EBICS Gateway. The vulnerability is confirmed. See the mitigation plan below.
1.2.17 - This version is used by the libraries that EBICS Gateway depends on. The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.17 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Mitigation

Mitigation for 3.5 version

  • Linux: the zip, unzip and jar commands need to be available.
  • Windows: 7-Zip (or an equivalent such as WinZip or WinRAR) needs to be available.

Important Notes:

  • If any service pack or upgrade pack is applied, the procedure needs to be redone. This also applies to new product installations.
  • Mandatory: back up the installation folder to a location outside the installation before making the changes described below.

Linux/Unix:

Step 1: Stop EBICS Gateway

Step 2: Go to the EBICS Gateway installation folder

cd <installationDir>

Step 3: Update the log4j libraries in the following locations to remove the vulnerable classes:

a) program/tool/lib/ - the log4j v1 jar files; to update, follow Step 5.
b) program/tool/lib/log4j-core.jar - to update, follow Step 4.
c) applicationServer/modules/org/apache/activemq/ra/main/log4j-core.jar - to update, follow Step 4.

d) applicationServer/standalone/deployments/bankrechner.ear/APP-INF/lib/log4j-core-2.13.3.jar

To update this jar, follow the process below:

i) Create a new folder, e.g. <UpdatedEARContents>, and run the following command from inside it:
jar xvf <installationDir>/applicationServer/standalone/deployments/bankrechner.ear
Note: this extracts the contents of the EAR into the new folder.

ii) Update the log4j jar: go to <UpdatedEARContents>/APP-INF/lib/log4j-core-2.13.3.jar and update it following Step 4.

iii) Go to <UpdatedEARContents> and run the following command:
jar cvf bankrechner.ear *

Note: this repackages the updated jar into the EAR.

iv) Replace bankrechner.ear in the following folder with the newly created one:
<installationDir>/applicationServer/standalone/deployments

v) Delete the bankrechner.deployed file from <installationDir>/applicationServer/standalone/deployments

Step 4: Remove vulnerable classes from log4j v2.

For each .jar file identified in the previous step, use the zip program to remove the classes JndiLookup.class and JndiManager.class:

zip -q -d <jar_file> "org/apache/logging/log4j/core/lookup/JndiLookup.class"

zip -q -d <jar_file> "org/apache/logging/log4j/core/net/JndiManager.class"

For each .jar file identified in the previous step, verify that the classes were removed properly (the commands must print nothing):

unzip -l <jar_file> | grep JndiLookup.class

unzip -l <jar_file> | grep JndiManager.class

Step 5: Remove vulnerable classes from log4j v1.

For each .jar file identified in the previous step, use the zip program to remove the following vulnerable classes:

zip -q -d <jar_file> "org/apache/log4j/net/SocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketHubAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SimpleSocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/JMSAppender.class"

For each .jar file identified in the previous step, verify that the classes were removed properly (the commands must print nothing):

unzip -l <jar_file> | grep SocketServer.class
unzip -l <jar_file> | grep SocketAppender.class
unzip -l <jar_file> | grep SocketHubAppender.class
unzip -l <jar_file> | grep SimpleSocketServer.class
unzip -l <jar_file> | grep JMSAppender.class

Step 6: Start EBICS Gateway.

WINDOWS:

Step 1: Stop EBICS Gateway

Step 2: Go to the EBICS Gateway installation folder

cd <install_dir>

Step 3: Update the log4j libraries in the following locations to remove the vulnerable classes:

a) program\tool\lib\ - the log4j v1 jar files; to update, follow Step 5.
b) program\tool\lib\log4j-core.jar - to update, follow Step 4.
c) applicationServer\modules\org\apache\activemq\ra\main\log4j-core.jar - to update, follow Step 4.

d) applicationServer\standalone\deployments\bankrechner.ear\APP-INF\lib\log4j-core-2.13.3.jar - to update, follow Step 4.
Note: use 7-Zip to open bankrechner.ear.

Step 4: Remove vulnerable classes from log4j v2.

For each log4j-core jar identified in the previous step, open the jar file in a zip manager tool (such as 7-Zip) and remove the following classes:

  • org/apache/logging/log4j/core/lookup/JndiLookup.class
  • org/apache/logging/log4j/core/net/JndiManager.class

Step 5: Remove vulnerable classes from log4j v1.

For each log4j jar identified in the previous step, open the jar file in a zip manager tool (such as 7-Zip) and remove the following classes:

  • org/apache/log4j/net/SocketServer.class
  • org/apache/log4j/net/SocketAppender.class
  • org/apache/log4j/net/SocketHubAppender.class
  • org/apache/log4j/net/SimpleSocketServer.class
  • org/apache/log4j/net/JMSAppender.class

Step 6: Start EBICS Gateway

Long term solution

Service pack 3.5 SP4, which upgrades Apache Log4j to version 2.17.1, was released on 4 January 2022.

Product: EBICS Gateway
Version: 3.4
Impact: There is no evidence of vulnerability to CVE-2021-44228
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages:

Log4J Version: 1.2.15
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.15 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to EBICS Gateway version 3.5.
Product: EBICS Gateway
Version: 3.3.0
Impact: There is no evidence of vulnerability to CVE-2021-44228
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages:

Log4J Version: 1.2.15
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.15 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to EBICS Gateway version 3.5.
Product: EBICS Gateway
Version: 3.2.2
Impact: There is no evidence of vulnerability to CVE-2021-44228
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following links:

Log4J Version: 1.2.15
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.15 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to EBICS Gateway version 3.5.
Product: Electronic Signature
Version: 2.13
Impact: There is no evidence of vulnerability to the CVE-2021-44228 issue
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages:

Log4J Version: 1.2.17
Mitigation

Mitigations for Electronic Signature 2.13

  • Linux: the zip and unzip commands need to be available.
  • Windows: 7-Zip (or an equivalent such as WinZip or WinRAR) needs to be available.

Important notes:

  • If any service pack or upgrade pack is applied, the procedure needs to be redone. This also applies to new product installations.
  • Mandatory: back up the installation folder to a location outside the installation before making the changes described below.

LINUX/UNIX

Step 1: Stop Electronic Signature

Step 2: Go to the Electronic Signature installation folder

cd <install_dir>

Step 3: Find all log4j v1 jar files under the current folder using commands like:

find . -name 'log4j-1.2.*.jar'
find . -name 'log4j.jar'

Step 4: Remove vulnerable classes from log4j v1.

For each .jar file identified in the previous step, use the zip program to remove the following vulnerable classes:

zip -q -d <jar_file> "org/apache/log4j/net/SocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketHubAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SimpleSocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/JMSAppender.class"

For each .jar file identified in the previous step, verify that the classes were removed properly (the commands must print nothing):

unzip -l <jar_file> | grep SocketServer.class
unzip -l <jar_file> | grep SocketAppender.class
unzip -l <jar_file> | grep SocketHubAppender.class
unzip -l <jar_file> | grep SimpleSocketServer.class
unzip -l <jar_file> | grep JMSAppender.class

Step 5: Start Electronic Signature.

WINDOWS

Step 1: Stop Electronic Signature

Step 2: Go to the Electronic Signature installation folder

cd <install_dir>

Step 3: Find all log4j v1 jar files under the current folder, for example with commands like:

dir /b /s log4j-1.2.*.jar

dir /b /s log4j.jar

Step 4: Remove vulnerable classes from log4j v1.

For each log4j jar identified in the previous step, open the jar file in a zip manager tool (such as 7-Zip) and remove the following classes:

  • org/apache/log4j/net/SocketServer.class
  • org/apache/log4j/net/SocketAppender.class
  • org/apache/log4j/net/SocketHubAppender.class
  • org/apache/log4j/net/SimpleSocketServer.class
  • org/apache/log4j/net/JMSAppender.class

Step 5: Start Electronic Signature
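The class removals in the EBICS Gateway Steps 4 and 5 and in the Electronic Signature Step 4 above can be scripted where zip/unzip are not installed, and the bankrechner.ear case can be handled without the manual jar xvf / jar cvf round-trip. The following is an added example using Python's standard zipfile module, not Axway's tooling; the class list is the one the article removes, the nested path APP-INF/lib/log4j-core-2.13.3.jar is the one named in Step 3, and the sample archives are constructed in memory rather than taken from a real installation.

```python
import io
import zipfile

# Class entries that the article's zip -d commands delete: log4j v2 (Step 4), then log4j v1 (Step 5).
TARGET_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
}


def strip_classes(data: bytes) -> tuple[bytes, list[str]]:
    """Return (rewritten archive, removed entry names) for a jar or EAR given as bytes.

    zipfile cannot delete in place, so every kept entry is copied into a new archive.
    Entries that are themselves jars (APP-INF/lib/*.jar inside an EAR) are cleaned recursively.
    """
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in TARGET_CLASSES:
                removed.append(info.filename)
                continue
            body = src.read(info)
            if info.filename.endswith(".jar"):
                body, inner = strip_classes(body)
                removed += [f"{info.filename}!{n}" for n in inner]
            dst.writestr(info, body)  # reuses the original name, timestamp and compression
    return out.getvalue(), removed


def remaining_targets(data: bytes) -> list[str]:
    """Verification pass, like `unzip -l <jar> | grep JndiLookup.class`, nested jars included."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in TARGET_CLASSES:
                found.append(name)
            elif name.endswith(".jar"):
                found += [f"{name}!{n}" for n in remaining_targets(zf.read(name))]
    return sorted(found)


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample jar/EAR built in memory for testing; not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Run strip_classes on the bytes of each jar or EAR identified in Step 3, write the result back only after taking the backup the important notes require, and confirm that remaining_targets returns an empty list. For bankrechner.ear the .deployed marker file still has to be deleted afterwards, as in Step 3 v).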

Long term solution

A service pack that upgrades Apache Log4j to version 2.17.1 or greater will be released as soon as possible.

The release date is set for the beginning of February 2022.

Product: Electronic Signature
Version: 2.12
Impact: There is no evidence of vulnerability to the CVE-2021-44228 issue
Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages:

Log4J Version: 1.2.17
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.17 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to Electronic Signature version 2.13.
Product: Electronic Signature
Version: 2.10.3
Impact: There is no evidence of vulnerability to the CVE-2021-44228 issue

Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages.

Log4J Version: 1.2.17
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.17 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to Electronic Signature version 2.13.
Product: Electronic Signature
Version: 2.9.2
Impact: There is no evidence of vulnerability to the CVE-2021-44228 issue

Additional Notes

The impacts on Passport, Secure Relay and Sentinel are explained in the following pages.

Log4J Version: 1.2.17
Mitigation: The code reported as vulnerable is not present. At the moment, there is no evidence to show that Log4j version 1.2.17 is vulnerable to CVE-2021-44228. Moreover, the JMS Appender is not used.
Long term solution: Upgrade to Electronic Signature version 2.13.
Product: EBICS Client
Version: 1.1
Impact: There is no evidence of vulnerability to the CVE-2021-44228 issue

Additional Notes

The impacts on Secure Relay and Sentinel are explained in the following pages.

Log4J Version: 1.2.17
1.2.15 (Runtime)
Mitigation: A service pack that upgrades Apache Log4j to version 2.17.1 or greater will be released.
Long term solution

A service pack that upgrades Apache Log4j to version 2.17.1 or greater will be released.

The release date is set for the end of January 2022.