KB Article #181935
Impact and resolution of CVE-2021-44228 (Log4Shell) in MailGate SC
Context
A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub along with a PoC showing that Remote Code Execution (RCE) is possible if log4j logs an attacker-controlled string value.
Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications with regard to the impact of CVE-2021-44228 in MailGate SC.
Impacted products
The impact derives from the use of Apache log4j within the products. All log4j versions from 2.0 through 2.14.1, inclusive, are impacted. The impact varies somewhat with the exact log4j and JRE versions.
| MailGate SC version | Log4j version | JRE version | Impacted? | Solutions |
|---|---|---|---|---|
| 5.6.3 | v1.2.15, v1.2.8 (no JNDI connector) | 1.8.0_232 | Not known to be affected | Patch 2 was released, which addresses the issue by replacing Log4j with Logback and SLF4J |
| 5.6.2 | v1.2.15, v1.2.8 (no JNDI connector) | 1.8.0_232 | Not known to be affected | Patch 14 was released, which addresses the issue by replacing Log4j with Logback and SLF4J |
| 5.6.1 | v1.2.15, v1.2.8 (no JNDI connector) | 1.8.0_181 | Not known to be affected | Patch 7 was released, which addresses the issue by replacing Log4j with Logback and SLF4J |
| 5.6.0 | v1.2.15, v1.2.8 (no JNDI connector) | 1.8.0_152 | Not known to be affected | EOS 4/30/22 |
| 5.5.4 | v1.2.15, v1.2.8 (no JNDI connector) | 1.7.0_76 | Not known to be affected | EOS 4/30/22 |
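To confirm on a given installation what the table states, the following added example (not Axway code or tooling) inventories log4j jars under a directory, compares each version with the 2.0 to 2.14.1 range given above, and checks whether the log4j 2.x `JndiLookup` class is present. It assumes the version can be read from the jar file name; the directory to scan is supplied by the operator.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j 2.x (shipped in log4j-core).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the version is recoverable from the jar file name,
# e.g. log4j-1.2.15.jar or log4j-core-2.14.1.jar.
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$", re.I)


def in_article_range(version):
    """True if version is in the range this article lists: 2.0 through 2.14.1."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "2.0" to (2, 0, 0)
    return (2, 0, 0) <= parts <= (2, 14, 1)


def inspect_jar(path):
    """Return (version or None, has_jndi_lookup, verdict) for one jar."""
    m = NAME_RE.search(Path(path).name)
    version = m.group(1) if m else None
    try:
        with zipfile.ZipFile(path) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return version, False, "unreadable"
    in_range = bool(version) and in_article_range(version)
    if in_range and has_jndi:
        return version, has_jndi, "impacted"
    if in_range or has_jndi:  # only one signal matched: check manually
        return version, has_jndi, "review"
    return version, has_jndi, "no-jndi-lookup"


def scan(root):
    """Inspect every log4j*.jar under root: {path: (version, has_jndi, verdict)}."""
    return {str(p): inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))
            if "log4j" in p.name.lower()}


if __name__ == "__main__":
    # The install directory is passed by the operator; none is assumed here.
    for jar, (ver, jndi, verdict) in scan(sys.argv[1]).items():
        print(f"{verdict:15} version={ver} JndiLookup={jndi} {jar}")
```

Jars nested inside other archives (WAR, EAR, fat jars) are not opened by this scan and need to be unpacked or checked separately.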