KB Article #181943
Impact and resolution of CVE-2021-44228 (Log4Shell) in Passport
Context
A 0-day vulnerability (CVE-2021-44228) in the popular Java logging library log4j was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible when log4j logs an attacker-controlled string value.
Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Passport.
Updated information indicates that log4j 1.x can also be affected by other CVEs. For now this has been confirmed for https://nvd.nist.gov/vuln/detail/CVE-2019-17571 and https://access.redhat.com/security/cve/CVE-2021-4104. Therefore, we recommend removing the vulnerable classes from the log4j libraries.
These are: SocketServer.class, SocketAppender.class, SocketHubAppender.class, SimpleSocketServer.class, JMSAppender.class
Mitigation
1. Stop the product
2. Remove the specified classes from log4j-1.*.jar. It is recommended to back the jars up first.
a. Sample for Linux distributions:
zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class
zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class
zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class
zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class
zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class
b. For Windows distributions, you will need to use a zip manager tool (such as 7-Zip) to remove the specified classes.
3. Repeat the above steps for all of the following locations, and for any other location where you find log4j-1.*:
a. <PASSPORT_INSTALL>/webapps/ui/log4j-1.2.15.jar
b. <PASSPORT_INSTALL>/lib/log4j-1.2.15.jar
c. <PASSPORT_INSTALL>/api/lib/log4j-1.2.15.jar
4. Restart the product
If any service pack or upgrade pack is applied or removed, the procedure needs to be redone.
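The following script is an added example and is not part of this article or of the Passport product. It performs steps 2 and 3 of the mitigation in one pass using only the Python standard library, so it also covers the Windows case for which the article suggests a zip manager tool: it searches an install root (assumed to be passed in as <PASSPORT_INSTALL>) for every log4j-1.*.jar, keeps a .bak copy of each jar, rebuilds the jar without the five classes listed above, and then verifies that none of them remain. The demo() function builds a throwaway install tree with the three locations named in step 3; the jars it creates are constructed placeholders, not real log4j bytecode.

```python
"""
Added example, not Axway's code: strip the vulnerable log4j 1.x network
classes from every log4j-1.*.jar under a Passport install root, keeping a
backup of each jar and verifying the result afterwards.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path

# The classes the article names (CVE-2019-17571 / CVE-2021-4104 surface).
VULNERABLE_CLASSES = [
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
]


def find_log4j1_jars(install_root):
    """Return every log4j-1.*.jar below install_root. The article lists
    webapps/ui, lib and api/lib, but a recursive search also catches copies
    left behind by service packs or custom deployments."""
    return sorted(Path(install_root).rglob("log4j-1.*.jar"))


def vulnerable_entries(jar_path):
    """List which of the vulnerable classes are still present in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [c for c in VULNERABLE_CLASSES if c in names]


def strip_classes(jar_path, backup_suffix=".bak"):
    """Back up the jar (once), then rebuild it without the vulnerable entries.
    zipfile cannot delete entries in place, so the jar is rewritten from the
    backup; re-running on an already-stripped jar is therefore harmless."""
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + backup_suffix)
    if not backup.exists():
        shutil.copy2(jar_path, backup)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = []
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in VULNERABLE_CLASSES:
                removed.append(info.filename)
                continue
            # Copy the entry with its original metadata and compression.
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)
    return removed


def remediate(install_root):
    """Strip every jar found and report, per jar (path relative to the root),
    what was removed, what is still present, what was kept, and whether the
    backup exists."""
    report = {}
    for jar in find_log4j1_jars(install_root):
        removed = strip_classes(jar)
        with zipfile.ZipFile(jar) as zf:
            kept = sorted(zf.namelist())
        report[jar.relative_to(install_root).as_posix()] = {
            "removed": removed,
            "remaining": vulnerable_entries(jar),
            "kept": kept,
            "backup": jar.with_name(jar.name + ".bak").exists(),
        }
    return report


def make_sample_jar(path):
    """Constructed stand-in for log4j-1.2.15.jar: two harmless entries plus
    the vulnerable ones. Contents are placeholder bytes, not real bytecode."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"placeholder")
        for cls in VULNERABLE_CLASSES:
            zf.writestr(cls, b"placeholder")


def demo():
    """Build a throwaway install tree with the three jar locations from the
    article, remediate it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        for rel in ("webapps/ui", "lib", "api/lib"):
            (root / rel).mkdir(parents=True)
            make_sample_jar(root / rel / "log4j-1.2.15.jar")
        return remediate(root)


if __name__ == "__main__":
    for jar, result in demo().items():
        status = "clean" if not result["remaining"] else "STILL VULNERABLE"
        print(f"{jar}: removed {len(result['removed'])} classes, {status}")
```

Against a real installation, stop the product, call remediate("<PASSPORT_INSTALL>"), confirm that every "remaining" list in the report is empty, and then restart the product as in step 4. Because the jar is rebuilt from the .bak copy, the script can be run again after a service pack or upgrade pack has been applied, which is when the article says the procedure must be redone.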