KB Article #181939
CVE-2021-44228 (Log4Shell) Automator
Context
A zero-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub along with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible if log4j logs an attacker-controlled string value.
Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Automator.
Impacted Products
The impact derives from the use of Apache log4j within the products; all log4j versions from 2.0 through 2.14.1 inclusive are impacted. Some variation in impact exists depending on the exact log4j and JRE versions.
- Automator/Java GUI
  - V3 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
  - V4 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
- Automator/Domain Server
  - V3 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
  - V4 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
- Automator/WEBSRV
  - V3 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
  - V4 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
- Automator/HTML WEBUI
  - V3 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
  - V4 - log4j V1.x is used. No evidence to show that log4j version 1.x contains this vulnerability.
- Automator/Core Services
  - V4 - log4j versions used are impacted.
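Because the impact is determined by which log4j version each component actually ships, the practical check is to inventory the log4j jars under an installation and compare their versions against the range stated above (2.0 through 2.14.1 inclusive). The script below is an added example written for this article, not Axway tooling: it walks a directory tree, reads the version from the jar file name or, failing that, from the jar's own MANIFEST.MF, and classifies each jar using only the categories this article gives (1.x reported as "not confirmed", 2.16 as the fixed version). The directory layout and jar names in demo() are constructed sample data, not Automator's real paths.

```python
# Added example (not Axway's tooling): inventory log4j jars under an install tree
# and classify each against the affected range stated in this article,
# 2.0 <= version <= 2.14.1, with 2.16 as the version the permanent fix moves to.
import os
import re
import tempfile
import zipfile

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
FIXED_MIN = (2, 16, 0)

# Matches log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, log4j-1.2-api-2.14.1.jar, log4j-1.2.17.jar
JAR_NAME_RE = re.compile(r"^log4j(?:-core|-api|-1\.2-api)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def jar_version(path):
    """Version from the file name, else from Implementation-Version in the jar manifest."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            ver = line.split(":", 1)[1].strip()
            if re.fullmatch(r"\d+(?:\.\d+)*", ver):
                return parse_version(ver)
    return None


def classify(version):
    """Map a version tuple to the categories this article uses."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "1.x-not-confirmed"  # article: no evidence that 1.x carries CVE-2021-44228
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"
    return "review"  # 2.15.x: outside the stated range and not the article's target version


def scan(root):
    """Return {absolute jar path: (version string or None, classification)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                ver = jar_version(full)
                vstr = ".".join(map(str, ver)) if ver else None
                results[full] = (vstr, classify(ver))
    return results


def _write_jar(path, impl_version):
    """Constructed sample jar: a zip holding only a manifest (hypothetical, for the demo)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")


def demo():
    """Build a constructed install tree in a temp dir, scan it, return results keyed by file name."""
    root = tempfile.mkdtemp(prefix="automator-demo-")
    _write_jar(os.path.join(root, "core", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(root, "gui", "lib", "log4j-1.2.17.jar"), "1.2.17")
    _write_jar(os.path.join(root, "patched", "log4j-core-2.16.0.jar"), "2.16.0")
    _write_jar(os.path.join(root, "bundle", "log4j-custom.jar"), "2.14.1")  # name carries no version
    return {os.path.basename(p): v for p, v in scan(root).items()}


if __name__ == "__main__":
    for name, (ver, verdict) in sorted(demo().items()):
        print(f"{name:28s} {ver or '?':8s} {verdict}")
```

Run it against a real installation by calling scan() with the product's installation directory instead of demo(); jars whose version cannot be determined are reported as "unknown" rather than silently skipped, so they can be checked by hand.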
Resolution
No temporary mitigation is proposed for Automator; a permanent solution is being developed.
Permanent Solution
For Automator Core Service, V4.1.3 Patch1 provides a permanent solution by upgrading to log4j V2.16.
For Automator Java GUI, Domain Server, WEBSRV and HTML WEBUI, even though the vulnerability is not confirmed, a plan to move to log4j V2.16 is under study and will be communicated later.