Context

A 0-day vulnerability in the popular Java logging library, log4j, was published on GitHub along with a POC that shows the possibility of Remote Code Execution (RCE) if log4j logs an attacker-controlled string value, CVE-2021-44228.

Axway is aware of Log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations are available we will be publishing them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en

The current article intends to provide recommendations and technical clarifications with regards to the impact of CVE-2021-44228 in SecureRelay.

This article also provides recommendations for product versions still using log4j 1.x, which has received additional scrutiny and is known to be impacted by CVE-2019-17571 and CVE-2021-4104.

Note

All products and versions mentioned in this article are not affected by the log4j 1.x attack vectors as they do not use neither SocketServer nor JMSAppender. The Socket and JMS Appenders are not part of the standard product configuration and are not supported features.

Permanent Solution

Permanent solution: Use log4j version 2.17 or higher. All supported product versions potentially impacted by CVE-2021-44228 will issue updates to include log4j 2.17 or higher.

Mitigation

Important

As of 12/18/2021 a new vulnerability has been exposed in all log4j 2.x <= 2.16 (CVE-2021-45105). None of the products and versions listed in this section are impacted by this issues as the do not use Context Lookups as part of the log4j configuration

org.apache.log4j.net.JMSAppender
org.apache.log4j.net.SocketServer
org.apache.log4j.net.SocketAppender
org.apache.log4j.net.SocketHubAppender
org.apache.log4j.net.SimpleSocketServer

zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class