KB Article #181959

Impact and resolution of CVE-2021-44228 (Log4Shell) in Track & Trace

Context

A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228 ("Log4Shell"), was published on GitHub together with a proof of concept (POC) demonstrating Remote Code Execution (RCE) whenever log4j 2.x logs an attacker-controlled string value.

Axway is aware of log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com.

This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Track & Trace. It also covers product versions still using log4j 1.x, which has been end-of-life since 2015, has received additional scrutiny since Log4Shell, and is known to be affected by CVE-2019-17571 (deserialization of untrusted data in SocketServer) and CVE-2021-4104 (JNDI lookups through JMSAppender).

Impacted Products

Axway has tested all versions of Track & Trace and has so far determined that Track & Trace is not impacted by the Log4Shell vulnerability, because the code reported as vulnerable (the JNDI lookup in log4j 2.x) is not present in the product.

None of the products and versions mentioned in this article are affected by the log4j 1.x attack vectors, as they use neither SocketServer nor JMSAppender. Both CVEs require the respective component to be running or configured in the log4j configuration; the classes merely being present in the jar is not exploitable on its own, which is why the removal below is a precaution rather than a required fix.

Resolution

As an immediate precaution for Track & Trace versions using log4j 1.x, we strongly recommend removing the following classes from the log4j library:

  1. Stop the product application
  2. Back up the log4j-1.x jar, then open it in a zip manager tool and remove the following classes:
    • org/apache/log4j/net/SocketServer.class
    • org/apache/log4j/net/SocketAppender.class
    • org/apache/log4j/net/SocketHubAppender.class
    • org/apache/log4j/net/SimpleSocketServer.class
    • org/apache/log4j/net/JMSAppender.class
  3. List the jar contents again to confirm the five entries are gone, then restart the product application


Sample for Linux distributions (the shell expands log4j-1.*.jar, so the glob must match exactly one jar; any additional match would be passed to zip as an entry name rather than as the archive):

  • zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketServer.class
  • zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketAppender.class
  • zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SocketHubAppender.class
  • zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/SimpleSocketServer.class
  • zip -q -d <LOG4J_PATH>/log4j-1.*.jar org/apache/log4j/net/JMSAppender.class
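
The same procedure as a scripted, verifiable sequence (scan the jar, back it up, strip the entries, re-scan) is shown below. This is an added example and not Axway tooling; it uses only the Python standard library, since a .jar is an ordinary zip file, so it works on hosts without the zip CLI. The jar it operates on is a constructed stand-in (fake class bytes, real entry layout), and the scan additionally reports the log4j 2.x JndiLookup class so that a 2.x jar is flagged rather than silently passed as clean. Function names and the sample jar name are this example's own.

```python
"""Strip the network/JMS classes from a log4j 1.x jar and verify the result.

Added example, not Axway's own tooling. Only the standard library is used:
a .jar is a plain zip file, so no external zip/unzip binaries are needed.
"""
import os
import shutil
import tempfile
import zipfile

# Classes listed in the KB article (CVE-2019-17571: SocketServer deserialization;
# CVE-2021-4104: JMSAppender JNDI lookup).
LOG4J1_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)
# The log4j 2.x class behind CVE-2021-44228; reported by the scan so that a
# 2.x jar is not mistaken for a clean one. It is not removed by this script.
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
WATCHLIST = LOG4J1_CLASSES + (LOG4J2_JNDI_LOOKUP,)


def list_entries(jar_path):
    """Return all entry names in the jar, sorted."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def scan_jar(jar_path):
    """Return the watchlisted class entries present in jar_path (empty = clean)."""
    names = set(list_entries(jar_path))
    return [c for c in WATCHLIST if c in names]


def strip_classes(jar_path, classes=LOG4J1_CLASSES):
    """Remove the given entries from jar_path in place, keeping a .bak copy.

    zipfile cannot delete entries, so the jar is rewritten into a temporary
    file in the same directory and then renamed over the original.
    """
    shutil.copy2(jar_path, jar_path + ".bak")
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(fd)
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            # Passing the ZipInfo keeps each entry's own compression method and timestamp.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def remediate(jar_path):
    """Scan, strip the 1.x classes if any were found, re-scan; return the record.

    A non-empty 'after' means something on the watchlist survived (for
    example a 2.x JndiLookup class), i.e. this procedure is not the right fix.
    """
    before = scan_jar(jar_path)
    removed = strip_classes(jar_path) if before else []
    after = scan_jar(jar_path)
    return before, removed, after


def make_sample_jar(directory=None):
    """Constructed stand-in for a log4j 1.2.x jar: fake class bytes, real layout."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "log4j-1.2.17.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in LOG4J1_CLASSES:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    jar = make_sample_jar()
    before, removed, after = remediate(jar)
    print("found  :", before)
    print("removed:", removed)
    print("left   :", after)          # expected: []
    print("backup :", jar + ".bak")
```

Run it against a real installation by replacing make_sample_jar() with the path of the product's log4j jar; stop the application first, as in step 1 above, because the rename happens while the JVM may still hold the old file open. The .bak copy is what you restore if logging breaks after the restart.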

Permanent Solution

All supported Track & Trace versions have received updates that use log4j version 2.17.1 or higher, which is not affected by the known vulnerabilities. Please contact Axway Support for assistance with upgrading.