KB Article #181941

Impact and resolution of CVE-2021-44228 (Log4Shell) in Central Governance

Context

A zero-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible when log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 in Central Governance.


We have updated information that log4j 1.x is also affected by other CVEs. So far this has been confirmed for CVE-2019-17571 (https://nvd.nist.gov/vuln/detail/CVE-2019-17571) and CVE-2021-4104 (https://access.redhat.com/security/cve/CVE-2021-4104). Therefore, we recommend removing the vulnerable classes from the log4j libraries.

These classes are: SocketServer.class, SocketAppender.class, SocketHubAppender.class, SimpleSocketServer.class, JMSAppender.class


Mitigation

1. Stop product

2. Remove the specified classes from log4j-1.*.jar. It is recommended to back the jars up first. The backup must be stored outside the CG installation folder.

a. Sample for Linux distributions:

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class

b. For Windows distributions you will need a zip manager tool (such as 7-Zip) to remove the specified classes.

3. Repeat the above steps for all the following locations:

a. <CG_INSTALL>/runtime/com.axway.nodes.passport_node2/passport/api/lib/log4j-1.2.15.jar

b. <CG_INSTALL>/runtime/com.axway.nodes.passport_node2/passport/lib/log4j-1.2.15.jar

c. <CG_INSTALL>/runtime/com.axway.nodes.ume_node5/data/repository/org/ops4j/pax/logging/pax-logging-service/1.7.0/pax-logging-service-1.7.0.jar

d. <CG_INSTALL>/runtime/com.axway.nodes.ume_node5/data/repository/com/axway/cmp/passportproxy/passportproxy-impl/xxx/passportproxy-impl-xxx.jar

For this location, extract /META-INF/embedded/log4j-1.2.15.jar from the jar specified above, remove the classes from the extracted jar, and put the modified log4j-1.2.15.jar back at the same path inside the jar.

4. Delete the cache folder from the UME node:

<CG_INSTALL>/CentralGovernance/runtime/com.axway.nodes.ume_node5/.temp

5. Restart the product


If any CG service pack or upgrade pack is applied or removed, the procedure must be repeated.
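As an added example, not part of this KB article or of Axway's own tooling: a Python stand-in for the zip -q -d steps above that audits a jar for the five classes, rewrites the jar without them, and descends into the embedded log4j-1.2.15.jar of the passportproxy-impl jar (location d) so the nested case is checked and fixed in the same pass. The sample jar it builds is constructed for the demonstration; in practice you would read the real jars from the locations listed above after taking a backup outside the CG installation folder.

```python
import io
import zipfile

# The five classes the article says to remove, as entry paths inside the jar.
VULNERABLE_CLASSES = {f"org/apache/log4j/net/{c}.class" for c in (
    "SocketServer", "SocketAppender", "SocketHubAppender", "SimpleSocketServer", "JMSAppender")}
# Nested log4j jar inside passportproxy-impl-xxx.jar (location d in the article).
EMBEDDED_LOG4J = "META-INF/embedded/log4j-1.2.15.jar"


def entries(jar_bytes: bytes) -> set[str]:
    """All entry names; entries of the embedded log4j jar are prefixed with '<jar>!'."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            names.add(name)
            if name == EMBEDDED_LOG4J:
                names |= {f"{name}!{inner}" for inner in entries(zf.read(name))}
    return names


def find_vulnerable(jar_bytes: bytes) -> set[str]:
    """Vulnerable classes still present, in the jar itself or in its embedded log4j jar."""
    return {e for e in entries(jar_bytes) if e.split("!")[-1] in VULNERABLE_CLASSES}


def strip_vulnerable(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without the vulnerable classes (zipfile cannot delete entries in place)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in VULNERABLE_CLASSES:
                continue  # drop the class; every other entry is copied through unchanged
            data = src.read(info.filename)
            if info.filename == EMBEDDED_LOG4J:
                data = strip_vulnerable(data)  # recurse into the embedded jar (location d)
            dst.writestr(info, data)
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for passportproxy-impl-xxx.jar: one harmless class + embedded log4j."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"keep")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"drop")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/axway/Proxy.class", b"keep")
        zf.writestr(EMBEDDED_LOG4J, inner.getvalue())
    return outer.getvalue()
```

Running find_vulnerable on each jar after the change is the check that the procedure was applied everywhere, including inside the nested jar, before the product is restarted.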