KB Article #181945

Impact and resolution of CVE-2021-44228 (Log4Shell) in Sentinel

Context

A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible whenever log4j logs an attacker-controlled string value.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations are available we will be publishing them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Sentinel.

Impacted Products

The impact derives from the use of Apache log4j within the products: all log4j 2 versions from 2.0 up to and including 2.14.1 are affected. Some variation in impact exists depending on the exact log4j and JRE version.

  • Sentinel 4.2.0


Editor Information

Sentinel 4.2.0 SP22 to SP25 deliver log4j v2.13.3.

Before SP22, log4j 1 was used. Log4j 1 is also used by older, now end-of-service (EOS) Sentinel versions such as Sentinel 4.1. Log4j 1 does not contain the code reported as vulnerable in CVE-2021-44228, but updated information shows that log4j 1 is affected by other CVEs. Confirmed so far: CVE-2019-17571 (deserialization of untrusted data in the SocketServer class, https://nvd.nist.gov/vuln/detail/CVE-2019-17571) and CVE-2021-4104 (JMSAppender, exploitable when an attacker has write access to the log4j configuration, https://access.redhat.com/security/cve/CVE-2021-4104). Because log4j vulnerabilities are now being actively exploited, we recommend removing the vulnerable classes from the log4j libraries.


Resolution

Permanent Solution

We are closely monitoring the situation regarding log4j vulnerabilities and advise you to check the KB for updates weekly.

If new issues are being discovered, actions will be taken according to the associated severity of the vulnerability, starting with the assessment of how/if the product is affected.

In case of critical or high vulnerability (CVSS score 7.0 or higher), immediate action will be taken: mitigation will be offered or a Patch will be planned.

If newer log4j versions are released after 2.17, containing additional security fixes, the next Service Pack will include the latest available around delivery time.

Editor Information

The plan is to upgrade to log4j 2.17 on version 4.2.0.

This fix is already available in SP25 Patch2 (published on December 22, 2021). https://support.axway.com/en/downloads/download-de...

The same fix will be delivered in Sentinel 4.2.0 SP26, target date February 28, 2022.

Mitigations

The procedure below requires a tool that can delete individual entries from a jar (zip) file:

  • Linux: the zip and unzip commands need to be available.
  • Windows: 7-Zip (or an equivalent such as WinZip or WinRAR)

Important notes

  • If any service pack or upgrade pack is applied later, the procedure needs to be redone. This also applies to new product installations.
  • Before changing or removing any file listed below, back it up to a location outside the installation folder.


LINUX/UNIX

Step 1: Stop Sentinel

Step 2: Go in Sentinel installation folder

cd <install_dir>/Sentinel

NOTE: You need to perform Step 3, 4 and 5 if using Sentinel 4.2.0 SP22 or higher.

Step 3: Find all log4j-core v2 jar files in current folder using a command like:

find . -name 'log4j-*core*.jar'

You can ignore the matches found under the /synInstall folder; there is no need to alter those jars.

Step 4: Remove vulnerable classes from log4j v2.

For each .jar file reported at the previous step, use the zip program to delete the classes JndiLookup.class and JndiManager.class:

zip -q -d <jar_file> "org/apache/logging/log4j/core/lookup/JndiLookup.class"

zip -q -d <jar_file> "org/apache/logging/log4j/core/net/JndiManager.class"

Step 5: For each .jar file reported at the previous step, verify that the classes were removed. The following commands must produce no output:

unzip -l <jar_file> | grep JndiLookup.class

unzip -l <jar_file> | grep JndiManager.class

NOTE: You need to perform Step 6, 7 and 8 if you are using Sentinel 4.2.0 with any Service Pack level, as well as older (EOS) versions of Sentinel.

Step 6: Find all log4j v1 jar files in current folder using a command like:

find . -name 'log4j-1.2.*.jar'

You can ignore the matches found under the /synInstall folder; there is no need to alter those jars.

Step 7: Remove vulnerable classes from log4j v1.

For each .jar file reported at the previous step, use the zip program to delete the following vulnerable classes:

zip -q -d <jar_file> "org/apache/log4j/net/SocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SocketHubAppender.class"
zip -q -d <jar_file> "org/apache/log4j/net/SimpleSocketServer.class"
zip -q -d <jar_file> "org/apache/log4j/net/JMSAppender.class"

Step 8: For each .jar file reported at the previous step, verify that the classes were removed. The following commands must produce no output:

unzip -l <jar_file> | grep SocketServer.class
unzip -l <jar_file> | grep SocketAppender.class
unzip -l <jar_file> | grep SocketHubAppender.class
unzip -l <jar_file> | grep SimpleSocketServer.class
unzip -l <jar_file> | grep JMSAppender.class

Step 9: Start Sentinel.


WINDOWS

Step 1: Stop Sentinel

Step 2: Go in Sentinel installation folder

cd <install_dir>/Sentinel

NOTE: You need to perform Step 3 and Step 4 if using Sentinel 4.2.0 SP22 or higher.

Step 3: Find all log4j-core v2 jar files in current folder, for example by using a command like:

dir /b /s log4j-*core*.jar

You can ignore the matches found under the \synInstall folder; there is no need to alter those jars.

Step 4: Remove vulnerable classes from log4j v2.

For each log4j-core file reported at the previous step, open the jar file in an archive tool (such as 7-Zip) and delete the classes:

  • org/apache/logging/log4j/core/lookup/JndiLookup.class
  • org/apache/logging/log4j/core/net/JndiManager.class

NOTE: You need to perform Step 5 and Step 6 if you are using Sentinel 4.2.0 with any Service Pack level, as well as older (EOS) versions of Sentinel.

Step 5: Find all log4j v1 jar files in the current folder, for example by using a command like:

dir /b /s log4j-1.2.*.jar

You can ignore the matches found under the \synInstall folder; there is no need to alter those jars.

Step 6: Remove vulnerable classes from log4j v1.

For each log4j file reported at the previous step, open the jar file in an archive tool (such as 7-Zip) and delete the classes:

  • org/apache/log4j/net/SocketServer.class
  • org/apache/log4j/net/SocketAppender.class
  • org/apache/log4j/net/SocketHubAppender.class
  • org/apache/log4j/net/SimpleSocketServer.class
  • org/apache/log4j/net/JMSAppender.class

Step 7: Start Sentinel
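The Linux and Windows procedures above, together with the Editor Information note on which log4j major version each Sentinel level ships, describe one operation: locate the log4j jars outside synInstall, back them up outside the installation, delete the listed class entries, and confirm they are gone. The script below is an added example, not Axway's or the Sentinel product's own code. It implements that operation with Python's standard-library zipfile module so the same script runs on either platform, and it exercises itself on a constructed Sentinel-like directory tree whose jars hold placeholder bytes rather than real class files. The directory names Sentinel/lib and log4j-backup are assumptions made for the demonstration.

```python
# Added example (not Axway code): the KB's class-removal steps with the stdlib zipfile module.
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

# Class entries the KB says to remove, per log4j major version.
LOG4J2_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
LOG4J1_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)
VULNERABLE_CLASSES = LOG4J2_CLASSES + LOG4J1_CLASSES
JAR_PATTERNS = ("log4j-*core*.jar", "log4j-1.2.*.jar")  # the KB's find/dir globs
SKIP_DIRS = ("synInstall",)  # copies the KB says need not be altered

def find_log4j_jars(root):
    """Return the log4j jars under root, excluding anything inside SKIP_DIRS."""
    root = Path(root)
    found = set()
    for pattern in JAR_PATTERNS:
        for jar in root.rglob(pattern):
            if not any(part in SKIP_DIRS for part in jar.relative_to(root).parts):
                found.add(jar)
    return sorted(found)

def vulnerable_entries(jar_path):
    """List which of the known-bad class entries a jar still contains."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [c for c in VULNERABLE_CLASSES if c in names]

def strip_jar(jar_path, backup_path):
    """Copy jar_path to backup_path, then rewrite it without the bad entries.
    Returns the sorted list of entries removed (empty if none were present)."""
    jar_path, backup_path = Path(jar_path), Path(backup_path)
    backup_path.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(jar_path, backup_path)
    to_remove = set(vulnerable_entries(jar_path))
    if not to_remove:
        return []
    buf = io.BytesIO()
    # Re-pack every other entry with its original ZipInfo, then overwrite in place.
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename not in to_remove:
                dst.writestr(info, src.read(info.filename))
    jar_path.write_bytes(buf.getvalue())
    return sorted(to_remove)

def mitigate(install_dir, backup_dir):
    """Apply the procedure to every jar under install_dir; return {jar: removed}.
    Refuses a backup_dir inside the installation and raises if any bad entry survives."""
    install_dir, backup_dir = Path(install_dir).resolve(), Path(backup_dir).resolve()
    if backup_dir == install_dir or install_dir in backup_dir.parents:
        raise ValueError("backup_dir must be outside the installation")
    report = {}
    for jar in find_log4j_jars(install_dir):
        removed = strip_jar(jar, backup_dir / jar.relative_to(install_dir))
        leftover = vulnerable_entries(jar)  # same check as the KB's unzip -l | grep
        if leftover:
            raise RuntimeError(f"{jar}: entries still present: {leftover}")
        report[str(jar)] = removed
    return report

def make_sample_jar(path, entries):
    """Constructed fixture: entries hold placeholder bytes, not real class files."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")

def run_demo():
    """Mitigate a constructed Sentinel-like tree in a temp dir. Returns (report,
    bad entries left in the synInstall copy, entries kept in lib's log4j-core jar)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib, syn = Path(tmp, "Sentinel", "lib"), Path(tmp, "Sentinel", "synInstall")
        lib.mkdir(parents=True)
        syn.mkdir()
        make_sample_jar(lib / "log4j-core-2.13.3.jar",
                        LOG4J2_CLASSES + ("org/apache/logging/log4j/core/Logger.class",))
        make_sample_jar(lib / "log4j-1.2.17.jar", LOG4J1_CLASSES + ("org/apache/log4j/Logger.class",))
        make_sample_jar(syn / "log4j-core-2.13.3.jar", LOG4J2_CLASSES)
        report = mitigate(Path(tmp, "Sentinel"), Path(tmp, "log4j-backup"))
        untouched = vulnerable_entries(syn / "log4j-core-2.13.3.jar")
        with zipfile.ZipFile(lib / "log4j-core-2.13.3.jar") as zf:
            kept = sorted(zf.namelist())
        return report, untouched, kept

if __name__ == "__main__":
    for jar, removed in run_demo()[0].items():
        print(jar, "->", removed)
```

In practice, stop Sentinel and call mitigate("<install_dir>/Sentinel", "<backup_dir>") with a backup directory outside the installation; the function refuses one inside it, skips the synInstall copies, keeps the original jar path layout under the backup directory so same-named jars do not overwrite each other, and raises if a jar still reports one of the entries after rewriting, which is the check the unzip -l | grep steps perform by hand. Rerun it after any service pack or upgrade pack, as the Important notes require.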