KB Article #181943

Impact and resolution of CVE-2021-44228 (Log4Shell) in Passport

Context

CVE-2021-44228 (Log4Shell) is a 0-day vulnerability in the popular Java logging library Apache Log4j 2. It was published on GitHub together with a proof of concept (PoC) showing that Remote Code Execution (RCE) is possible whenever log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available they will be published in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Passport.


Update: Passport ships log4j 1.x. Log4j 1.x does not contain the JNDI lookup code affected by CVE-2021-44228, but it is affected by other CVEs. So far this has been confirmed for CVE-2019-17571 (deserialisation of untrusted data in SocketServer, https://nvd.nist.gov/vuln/detail/CVE-2019-17571) and CVE-2021-4104 (JNDI lookups performed by JMSAppender when an attacker can control its configuration, https://access.redhat.com/security/cve/CVE-2021-4104). We therefore recommend removing the vulnerable classes from the log4j libraries.

These are the following classes, all under org/apache/log4j/net/ inside the jar: SocketServer.class, SocketAppender.class, SocketHubAppender.class, SimpleSocketServer.class and JMSAppender.class.


Mitigation

1. Stop the product.

2. Remove the specified classes from each log4j-1.*.jar. Back up the jar first. Note that zip -d deletes the entries from the archive in place, so the path given must resolve to exactly one jar.

a. Sample for Linux distributions:

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class

zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class

b. For Windows distributions, use a zip manager tool (such as 7-Zip) to open the jar and delete the same five entries under org\apache\log4j\net.

3. Repeat steps 1 and 2 for each of the following jars, and for any other log4j-1.* jar you find under the installation:

a. <PASSPORT_INSTALL>/webapps/ui/log4j-1.2.15.jar

b. <PASSPORT_INSTALL>/lib/log4j-1.2.15.jar

c. <PASSPORT_INSTALL>/api/lib/log4j-1.2.15.jar

4. Restart the product


If a service pack or upgrade pack is later applied or removed, the jars are replaced and the procedure must be redone. Verify afterwards that none of the five classes is present in any log4j-1.* jar under the installation.
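The procedure above (locate every log4j-1.* jar, back it up, strip the five classes, then verify nothing is left) can be done in one pass with the script below. It is an added example written for this article, not an Axway-provided script, and it works on both Linux and Windows because it rewrites the jar with Python's zipfile module rather than calling zip or 7-Zip. It assumes the product is stopped, that the install root is passed on the command line, and that each jar may be rewritten in place after a .bak copy has been taken. The build_sample_jar and demo helpers construct a fake jar with placeholder class bodies so the script can be exercised offline; they are not part of the mitigation itself.

```python
"""Strip the log4j 1.x classes named in the article from every log4j-1.*.jar under an install root.

Added example, not Axway's script. Assumes the product is stopped, the install root is the
first command-line argument, and each jar may be rewritten in place after a .bak copy is taken.
"""
import io
import os
import re
import shutil
import sys
import tempfile
import zipfile

# The five classes the article lists (SocketServer / SimpleSocketServer: CVE-2019-17571;
# JMSAppender: CVE-2021-4104). Entry names inside a jar always use forward slashes.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)

# Matches log4j-1.2.15.jar and any other 1.x build, so step 3's "any other locations" is covered.
JAR_NAME = re.compile(r"^log4j-1\.[0-9.]+\.jar$")


def find_log4j1_jars(root):
    """Return every log4j 1.x jar below root (the documented lib, webapps/ui and api/lib paths and any others)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def jar_entries(jar_path):
    """Sorted list of entry names inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def remaining_vulnerable_classes(jar_path):
    """Subset of VULNERABLE_CLASSES still present in the jar; an empty list means the jar is clean."""
    names = set(jar_entries(jar_path))
    return [c for c in VULNERABLE_CLASSES if c in names]


def strip_classes(jar_path, backup=True):
    """Rewrite the jar without the vulnerable entries, keeping every other entry and its
    compression settings. Returns the list of entries that were removed."""
    if backup:
        shutil.copy2(jar_path, jar_path + ".bak")  # same as the article's "backup them first"
    removed = []
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename in VULNERABLE_CLASSES:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # ZipInfo carries the original compress_type
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return removed


def mitigate(root):
    """Strip every log4j 1.x jar under root and return {jar_path: classes still present}."""
    report = {}
    for jar in find_log4j1_jars(root):
        strip_classes(jar)
        report[jar] = remaining_vulnerable_classes(jar)  # verification after the rewrite
    return report


def build_sample_jar(directory):
    """Constructed stand-in for log4j-1.2.15.jar with placeholder class bodies (demo only)."""
    path = os.path.join(directory, "log4j-1.2.15.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry in VULNERABLE_CLASSES + ("org/apache/log4j/Logger.class",):
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return path


def demo():
    """Build a fake install tree in a temp dir, mitigate it and return what happened."""
    root = tempfile.mkdtemp(prefix="passport-demo-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jar = build_sample_jar(lib)
    before = remaining_vulnerable_classes(jar)
    report = mitigate(root)
    return {
        "before": before,
        "report": report,
        "kept": jar_entries(jar),
        "backup_exists": os.path.exists(jar + ".bak"),
    }


if __name__ == "__main__":
    install_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, left in mitigate(install_root).items():
        print(jar, "clean" if not left else "STILL CONTAINS " + ", ".join(left))
```

Run it as python strip_log4j1.py <PASSPORT_INSTALL> with the product stopped; every jar it touches is printed with either "clean" or the entries that survived, so a non-empty list is the signal that the rewrite failed (for example a read-only jar) and the .bak copy should be inspected. Because find_log4j1_jars walks the whole install tree, rerunning it after a service pack or upgrade pack picks up any freshly replaced jar.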