KB Article #181933

Impact and resolution of CVE-2021-44228 (Log4Shell) in AI Suite

Context

A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub along with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible if log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations are available, we will be publishing them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

This article provides technical clarifications and recommendations related to the impact of CVE-2021-44228 on the AI Suite components (InterPlay, Datastore, AccountingIntegrator, AI Suite Portal, AI Suite Studio, Composer). This information is the most accurate currently available, as research and analysis are still ongoing.

Impacted products

The impact derives from the use of Apache log4j within the products. All log4j versions from 2.0 up to and including 2.14.1 are affected.

Products and version: AI Suite 2.4 lower than SP14 (all components)
Log4j version: 2.13.2
JRE version: AIX 8u05; others 8u162
Impacts: You are highly at risk.
Solution: It is important to implement the mitigation procedure to reduce the attack surface as soon as possible and to apply the permanent solution when available.

Products and version: AI Suite 2.4 with SP14 or higher (all components)
Log4j version: 2.13.2
JRE version: AIX 8u221; others 8u282
Impacts: You are highly at risk. It was initially thought that this level of JRE offers some protection, but a workaround has been found since then.
Solution: It is important to implement the mitigation procedure to reduce the attack surface as soon as possible and to apply the permanent solution when available.

Products and version: AI Suite 2.1, 2.2.1 and 2.3 (all components)
Log4j version: 1.2.17
JRE version: lower than 8u40
Impacts: These versions are not affected by the Log4Shell vulnerability, but other, less critical vulnerabilities exist in this version of log4j.
Solution: Although these vulnerabilities shouldn't be exploitable, as the product doesn't embed the JMS appender or SocketServer, Axway still recommends that its customers implement the mitigation plan.

Products and version: Composer 3.8 with latest SP
Log4j version: 1.2.15
JRE version: 8u221
Impacts: These versions are not affected by the Log4Shell vulnerability, but other, less critical vulnerabilities exist in this version of log4j.
Solution: Although these vulnerabilities shouldn't be exploitable, as the product doesn't embed the JMS appender or SocketServer, Axway still recommends that its customers implement the mitigation plan.

Important clarification for customers using only the AccountingIntegrator Rule Engine: this component is not affected by this vulnerability, as it does not use log4j.

  • Only the Rule Server module is affected, so there is no risk as long as the Tomcat embedded in the infrastructure is not started.
  • Some internal programs (such as AITools) do use log4j, but since Rule Engine is not a web application they cannot receive malicious requests.


Mitigation procedure

AI Suite 2.4

Axway recommends implementing the following mitigation procedure to reduce the attack surface of the vulnerability. Nevertheless, it has been proven that it does not prevent all possible attack patterns, so the definitive solution should be implemented as soon as possible.


Procedure for classical installation

You can set the property log4j2.formatMsgNoLookups=true to reduce the attack surface.

  1. Locate the installation directory of AI Suite.
  2. Go to your Tomcat directory: \AIS\Tools\apache-tomcat\
  3. Edit the file startTomcat.bat (startTomcat.sh on Linux/Unix) and modify the following:
    set JRE_HOME=…
    set JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
    set CATALINA_OPTS=…
    
  4. Restart your tomcat using the modified script.

If you are using Rule Server:

  1. Locate the installation directory of AI Suite.
  2. Go to your Tomcat directory: \AccountingIntegrator\RuleServer\
  3. Edit the file server.bat (server.sh on Linux/Unix) and modify the following:

    Add the following variable if it doesn't already exist:
    export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
    

    In the "start" section, add $JAVA_OPTS to the java command line:
    $JAVA_HOME/bin/java $JAVA_OPTS -cp ...
    
  4. Restart Rule Server using the modified script.

If needed, you can check that the parameter has been taken into account by following these steps:

  1. In a command line, use the command "jps" to list all the JVM processes and retrieve a result like the following:
    ...
    21428 Bootstrap -> (Tomcat)
    12204 Jps
    12222 RuleServer -> (RuleServer)
    
  2. Retrieve the ID corresponding to your process and execute the command jcmd <ID> VM.system_properties.
  3. In the list of properties you should see log4j2.formatMsgNoLookups=true.
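As an added example (not Axway's tooling), the following Python script automates the jps / jcmd verification above for every AI Suite JVM on a host. It assumes a JDK's jps and jcmd are on the PATH; the Bootstrap and RuleServer main-class names are taken from the sample jps output above.

```python
# Added example, not Axway tooling: automates the jps / jcmd check above.
# Assumes a JDK's jps and jcmd on PATH; the main-class names come from the
# article's sample jps output (Bootstrap = Tomcat, RuleServer = Rule Server).
import subprocess

PROPERTY = "log4j2.formatMsgNoLookups"
WATCHED = {"Bootstrap": "Tomcat", "RuleServer": "RuleServer"}

def parse_jps(output):
    """Map pid -> main class from `jps` output, ignoring jps itself."""
    procs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] != "Jps":
            procs[int(parts[0])] = parts[1]
    return procs

def parse_system_properties(output):
    """Parse `jcmd <pid> VM.system_properties` (a pid line, a '#' timestamp line,
    then key=value lines; values keep java.util.Properties escaping)."""
    props = {}
    for line in output.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def mitigation_applied(props):
    """True only when the property is present and literally 'true'."""
    return props.get(PROPERTY, "").lower() == "true"

def check_jvms(jps_output, dump_for_pid):
    """{pid: (component, applied)} for watched JVMs; dump_for_pid(pid) returns
    that JVM's VM.system_properties text (injectable, so it can be tested offline)."""
    report = {}
    for pid, main in parse_jps(jps_output).items():
        if main in WATCHED:
            props = parse_system_properties(dump_for_pid(pid))
            report[pid] = (WATCHED[main], mitigation_applied(props))
    return report

def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    jvms = check_jvms(_run(["jps"]), lambda pid: _run(["jcmd", str(pid), "VM.system_properties"]))
    for pid, (component, ok) in jvms.items():
        print(pid, component, "mitigated" if ok else "NOT mitigated: add -Dlog4j2.formatMsgNoLookups=true")
```

Run it as the same OS user that owns the Tomcat and Rule Server processes, otherwise jcmd cannot attach to them.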


Procedure when using Docker

As all our customers using Docker also use a Kubernetes distribution, this chapter explains how to modify your Helm chart to include this new property.

  • For AI Suite Portal, modify the JAVA_OPTS environment variable:
    • kubectl -n aisnamespace edit deployment aisdev-app-portal
    • change
    - name: JAVA_OPTS
          value: -Xms2048M -Xmx2048M -XX:MaxMetaspaceSize=256m -Xverify:none
    
    TO
    - name: JAVA_OPTS
          value: -Xms2048M -Xmx2048M -XX:MaxMetaspaceSize=256m -Xverify:none -Dlog4j2.formatMsgNoLookups=true
    
  • For the other AIS ${APPLICATIONS}, modify the CATALINA_OPTS environment variable:
    • kubectl -n aisnamespace edit deployment aisdev-app-${APPLICATION}
    • change
    - name: CATALINA_OPTS
          value: -Xms2048M -Xmx2048M -XX:MaxMetaspaceSize=256m -Xverify:none
    
    TO
    - name: CATALINA_OPTS
          value: -Xms2048M -Xmx2048M -XX:MaxMetaspaceSize=256m -Xverify:none -Dlog4j2.formatMsgNoLookups=true
    


AI Suite 2.1/2.2.1/2.3

Linux/Unix

  1. Stop the server
  2. Go to the root install folder and find all log4j jar files using a command like:
    find . -iname 'log4j-*.jar'
    
  3. For each log4j jar reported in the previous step, use a zip program to remove the following classes:
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class
    
  4. For each jar file, check that the classes were removed properly (the command should print nothing):
    unzip -l <jar_file> | grep 'JMSAppender.class\|SocketServer.class\|SocketAppender.class\|SocketHubAppender.class\|SimpleSocketServer.class'
    
  5. Restart the server


Windows

  1. Stop the server
  2. Go to the root install folder and find all log4j jar files using a command like:
    dir /b /s log4j-*.jar
    
  3. For each log4j jar, open the file in a zip manager tool (such as 7-Zip) and remove the following classes:
    • org/apache/log4j/net/JMSAppender.class
    • org/apache/log4j/net/SocketServer.class
    • org/apache/log4j/net/SocketAppender.class
    • org/apache/log4j/net/SocketHubAppender.class
    • org/apache/log4j/net/SimpleSocketServer.class
  4. Restart the server


Composer (all versions, all enablers)

Linux/Unix

  1. Stop the server
  2. Go to the root install folder and find all log4j jar files using a command like:
    find . -iname 'log4j*.jar'
    
  3. For each log4j jar reported in the previous step, use a zip program to remove the following classes (note: the log4j 2.x libraries do not contain these classes and can be ignored):
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class
    zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class
    
  4. For each jar file, check that the classes were removed properly (the command should print nothing):
    unzip -l <jar_file> | grep 'JMSAppender.class\|SocketServer.class\|SocketAppender.class\|SocketHubAppender.class\|SimpleSocketServer.class'
    
  5. Restart the server


Windows

  1. Stop the server
  2. Go to the root install folder and find all log4j jar files using a command like:
    dir /b /s log4j*.jar
    
  3. For each log4j jar, open the file in a zip manager tool (such as 7-Zip) and remove the following classes (note: the log4j 2.x libraries do not contain these classes and can be ignored):
    • org/apache/log4j/net/JMSAppender.class
    • org/apache/log4j/net/SocketServer.class
    • org/apache/log4j/net/SocketAppender.class
    • org/apache/log4j/net/SocketHubAppender.class
    • org/apache/log4j/net/SimpleSocketServer.class
  4. Restart the server
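As an added example (not Axway's tooling), the following Python script performs the jar hardening described above for AI Suite 2.1/2.2.1/2.3 and for Composer, on Linux/Unix or Windows alike: it finds log4j jars under an install root, removes the five org/apache/log4j/net classes from log4j 1.x jars, leaves 2.x jars untouched, and verifies the result. The install tree, jar names and class bytes used for the dry run are constructed for illustration.

```python
# Added example, not Axway tooling: a portable Python equivalent of the
# log4j 1.x hardening steps above (AI Suite 2.1/2.2.1/2.3 and Composer).
# Names, paths and the sample jars below are constructed for illustration.
import os
import tempfile
import zipfile

# Entries the article says to remove from log4j 1.2.x jars.
UNSAFE_CLASSES = tuple("org/apache/log4j/net/%s.class" % n for n in (
    "JMSAppender", "SocketServer", "SocketAppender", "SocketHubAppender", "SimpleSocketServer"))

def find_log4j_jars(root):
    """Like `find . -iname 'log4j*.jar'` / `dir /b /s log4j*.jar`."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower().startswith("log4j") and f.lower().endswith(".jar"))

def remaining_unsafe(jar_path):
    """Same check as `unzip -l ... | grep ...`: unsafe entries still present."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n in UNSAFE_CLASSES]

def strip_unsafe(jar_path):
    """Rewrite the jar without the unsafe entries; returns what was removed.
    log4j 2.x jars (no such entries) and already-hardened jars are left alone."""
    removed = remaining_unsafe(jar_path)
    if removed:
        tmp = jar_path + ".tmp"
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename not in UNSAFE_CLASSES:
                    dst.writestr(info, src.read(info.filename))  # keeps timestamps/compression
        os.replace(tmp, jar_path)  # atomic swap: the jar is never left half-written
        assert not remaining_unsafe(jar_path), "verification after stripping failed"
    return removed

def harden_install(root):
    """Apply strip_unsafe to every log4j jar under root; {relative path: removed}."""
    return {os.path.relpath(j, root).replace(os.sep, "/"): strip_unsafe(j)
            for j in find_log4j_jars(root)}

def build_sample_install():
    """Constructed dry-run tree: one log4j 1.x jar with unsafe entries, one 2.x jar."""
    lib = os.path.join(tempfile.mkdtemp(), "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as jar:
        for entry in ("org/apache/log4j/Logger.class",) + UNSAFE_CLASSES[:2]:
            jar.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.13.2.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
    return os.path.dirname(lib)
```

Stop the server before calling harden_install on a real install root, and keep a copy of the original jars, exactly as the manual procedure requires.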


Definitive solution

As of 16/12/2021, Axway has provided AI Suite 2.4 Service Pack 17, which includes the latest version of log4j, 2.16 (released 13 December 2021). This fixes the issue definitively. This service pack also incorporates the critical patches and hotfixes delivered to customers during the last few months, to avoid creating any regression on their side. The exact list can be found in the readme attached to each service pack.


Axway strongly recommends that each customer apply the definitive solution as soon as possible.


On 17 December a new vulnerability (CVE-2021-45105) was raised against the log4j 2.16 library. This vulnerability can lead to a denial-of-service (DoS) attack when patterns of type ${ctx:.....} are configured in your property file. This is not the case for AI Suite, so we are not vulnerable to this kind of attack. We plan to upgrade log4j to version 2.17 in the next service pack, as a normal release, to definitively address this.


Cloud Customers

Axway is still working to patch any Axway service that uses the vulnerable component Log4j2. In case Axway becomes aware of unauthorized access to Customer Data, Axway will notify impacted customers without undue delay.

Updates will also be posted to support.axway.com as additional information becomes available.


Linked products

It is possible that your AI Suite implementation depends on some other Axway Products such as Passport, Sentinel or Integrator. You should refer to the related product page for more information: