A 0-day vulnerability in the popular Java logging library log4j was published on GitHub along with a POC that shows the possibility of Remote Code Execution (RCE) if log4j logs an attacker-controlled string value, CVE-
Axway is aware of Log4j CVE-
This article intends to provide recommendations and technical clarifications regarding the impact of CVE-
Axway has tested all versions of Track & Trace and has so far determined that Track & Trace is not impacted by the Log4Shell vulnerability, as the code reported as vulnerable is not present.
None of the products and versions mentioned in this article are affected by the log4j 1.x attack vectors, as they use neither SocketServer nor JMSAppender.
As an immediate precaution for Track & Trace versions using log4j 1.x, we strongly recommend removing the following vulnerable classes from the log4j libraries:
- Stop the product application
- Open the log4j-1.x jar in a zip manager tool and remove the classes listed below. It is recommended to back up log4j-1.x first.
- Restart the product application
Sample for Linux distributions:
- zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class
- zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class
- zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class
- zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class
- zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class
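The following script is an added example, not Axway's tooling, that performs the same mitigation as the zip commands above with only the Python standard library: it backs up the jar, rewrites it without the five class entries named in this article, and then re-scans the jar so an operator can confirm nothing vulnerable remains. The sample jar it builds for demonstration is a constructed stand-in (a few entries with placeholder bytes), not a real log4j build; the jar file name and backup suffix are assumptions.

```python
import shutil
import zipfile
from pathlib import Path

# The log4j 1.x class entries this article recommends removing.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)


def find_vulnerable_classes(jar_path):
    """Return the subset of VULNERABLE_CLASSES still present in the jar.

    Use this both before the change (to see what needs removing) and after
    it (an empty list means the mitigation is in place)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [c for c in VULNERABLE_CLASSES if c in names]


def strip_vulnerable_classes(jar_path, backup_suffix=".bak"):
    """Back up the jar, then rewrite it without the listed class entries.

    zipfile cannot delete entries in place, so the jar is rebuilt entry by
    entry (keeping each entry's original ZipInfo metadata) into a temporary
    file that then replaces the original. Returns the entries removed."""
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + backup_suffix)
    shutil.copy2(jar_path, backup)  # keep an untouched copy, as the article advises

    removed = []
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in VULNERABLE_CLASSES:
                removed.append(info.filename)
                continue  # drop this entry from the rebuilt jar
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)
    return removed


def build_sample_jar(path):
    """Construct a stand-in jar for offline demonstration (not a real log4j
    build): a manifest, one unrelated class, and the five named classes,
    all with placeholder bytes rather than real bytecode."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for name in VULNERABLE_CLASSES:
            zf.writestr(name, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "log4j-1.2.17.jar"  # assumed file name for the demo
        build_sample_jar(jar)
        print("before:", find_vulnerable_classes(jar))
        print("removed:", strip_vulnerable_classes(jar))
        print("after:", find_vulnerable_classes(jar))
```

On a real deployment, stop the application first (as the steps above say), run `strip_vulnerable_classes` against the jar under `<LOG4J_PATH>`, confirm `find_vulnerable_classes` returns an empty list, and keep the `.bak` copy until the application has been restarted and verified.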
All supported Track & Trace product versions have been issued updates that use log4j version 2.17.1 or higher, which is not impacted by the known vulnerabilities. Please contact Axway Support for assistance in upgrading.