Skip to main content
Support

KB Article #181955

Impact and resolution of CVE-2021-44228 (Log4Shell) in Amplify

Axway Engineering has confirmed that Amplify SaaS services are NOT vulnerable


Context


A 0-day vulnerability in the popular Java logging library, log4j, was published on GitHub along with a POC that shows the possibility of Remote Code Execution (RCE) if log4j logs an attacker-controlled string value, CVE-2021-44228.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations are available we will be publishing them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

The current article intends to provide recommendations and technical clarifications with regards to the impact of CVE-2021-44228 in Amplify platform.


Details:


Amplify Central / Unified Catalog
Amplify Central and Unified Catalog do not use log4j and are not vulnerable.

Amplify repository

Amplify repository is not vulnerable based on feedback from JFrog: https://jfrog.com/knowledge-base/general-jfrog-ser...

Amplify Analytics

Fix is being deployed in production (Europe and US) December 16th

AxwayID

RedHat Single Sign-On 7 is affected by CVE-2021-4104. Statement from RedHat: https://access.redhat.com/security/cve/CVE-2021-4104 however AxwayID is not affected because:

  1. JMS appender is not configured for use.
  2. Changing the logging configuration is restricted to AGO.

Application Integration

Application Integration is not vulnerable as documented separately at https://support.axway.com/kb/181965


Products deployed on customer environment


Products below have no java code so are not using log4j and are not vulnerable:


Agents

Agents are written in golang.

CLI

CLI is written in node.js.