KB Article #181981
SECURITY: Impact and resolution of CVE-2021-44228 (Log4Shell) in Secure Client
Context
A 0-day vulnerability in the popular Java logging library log4j, CVE-2021-44228, was published on GitHub together with a proof of concept (POC) showing that Remote Code Execution (RCE) is possible whenever log4j logs an attacker-controlled string value.
Axway is aware of log4j CVE-2021-44228 and is evaluating its impact on all Axway products. As conclusions and recommendations become available, we will publish them in the dedicated Alert on support.axway.com: https://support.axway.com/news/1331/lang/en
This article provides recommendations and technical clarifications regarding the impact of CVE-2021-44228 on Secure Client.
Impacted Products
The impact derives from the use of Apache log4j within the products; all log4j versions from 2.0 up to and including 2.14.1 are impacted. The exact impact varies with the log4j and JRE versions in use.
- Secure Client 6.4

| Version | log4j version | JRE version | Impact | Recommendation |
|---|---|---|---|---|
| 6.4 SP2 | v2.13.2 | AdoptOpenJDK 11.0.6_10 | Possible impact exists. | Secure Client 6.4 SP3, which introduces log4j v2.17.1, is available and is the definitive fix for the vulnerability. For all versions of Secure Client a mitigation exists and we recommend applying it: see "Mitigation for Linux OS" and "Mitigation for Windows OS" below. |
Resolution
Permanent Solution
The CVE-2021-44228 vulnerability is solved in log4j version 2.15.
Axway delivered a Service Pack, Secure Client 6.4 SP3, which includes log4j v2.17.1; it can be downloaded at:
Customers running Secure Client 6.4 versions older than Service Pack 3 can rely on the mitigation options described below.
Mitigations
Find log4j
Locate the log4j jar files using the following commands:

| OS | Command |
|---|---|
| Linux | find <INSTALL_PATH>/ -name "log4j*.jar" |
| Windows | where /r <INSTALL_PATH>\ log4j*.jar |

Replace INSTALL_PATH with the Secure Client home folder.
Mitigation for Linux OS
For all Secure Client 6.4 versions older than SP3
The log4j_utility_linux.sh script removes the vulnerable classes from the log4j 2 jar:
log4j_utillity_linux_v1.1.sh: https://support.axway.com/en/articles/download-attachment/hash/81176d163fc5a436c94f0c636780ba3e-1/kb/181981
- Stop all Secure Client services (UI, Scheduler and System Tray).
- Execute the following (the attachment is named log4j_utillity_linux_v1.1.sh; adjust the script name in the command to match the file you downloaded):
./log4j_utility_linux.sh <INSTALL_PATH> 2
where:
- INSTALL_PATH - should be replaced with the Secure Client home folder.
- Start all Secure Client services.
Mitigation for Windows OS
For all Secure Client 6.4 versions older than SP3
The log4j_utility_windows.ps1 script removes the vulnerable classes from the log4j 2 jar:
log4j_utility_windows_v1.1.ps1: https://support.axway.com/en/articles/download-attachment/hash/b67a21903be111c7cfae2093f4876d75-1/kb/181981
- Stop all Secure Client services (UI, Scheduler and System Tray).
- Execute the following (the attachment is named log4j_utility_windows_v1.1.ps1; adjust the script name in the command to match the file you downloaded):
.\log4j_utility_windows <INSTALL_PATH> 2 <7z_INSTALL_FOLDER>
where:
- INSTALL_PATH - should be replaced with the Secure Client home folder.
- 7z_INSTALL_FOLDER - should be replaced with the 7-Zip tool install folder.
- Start all Secure Client services.
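An added check (example code written for this article, not part of the KB or of Axway's mitigation scripts) that automates the "Find log4j" step above and verifies the outcome of either mitigation: it locates log4j*.jar files under an install path, reads each jar's log4j version from its manifest, and reports whether the JNDI lookup class that the scripts strip is still present. It assumes the Apache-documented class path org/apache/logging/log4j/core/lookup/JndiLookup.class and that the jar manifest carries Implementation-Version; the sample jars it scans are constructed in a temporary directory for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Apache's removal target

def version_in_range(version):
    # log4j 2.0 .. 2.14.1 inclusive: the range the article lists as impacted
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return (2, 0, 0) <= tuple(nums + [0] * (3 - len(nums))) <= (2, 14, 1)

def inspect_jar(jar_path):
    # Returns (Implementation-Version from the manifest or 'unknown', JndiLookup present?)
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        return (match.group(1) if match else "unknown"), JNDI_LOOKUP in names

def scan_install(install_path):
    # Same search as the article's find/where step, with a verdict per jar:
    # exposed = JndiLookup.class still inside AND version impacted (or unreadable)
    findings = []
    for jar in Path(install_path).rglob("log4j*.jar"):
        version, has_jndi = inspect_jar(jar)
        exposed = has_jndi and (version == "unknown" or version_in_range(version))
        findings.append({"jar": str(jar), "version": version,
                         "jndi_lookup_present": has_jndi, "exposed": exposed})
    return findings

def write_sample_jar(path, version, include_jndi_lookup):
    # Constructed fixture: a manifest plus an empty placeholder entry; not a real log4j build
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")

def demo():
    # Scan three constructed jars in a temp dir; returns {jar name: exposed?}
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root) / "lib"
        lib.mkdir()
        write_sample_jar(lib / "log4j-core-2.13.2.jar", "2.13.2", True)         # unpatched
        write_sample_jar(lib / "log4j-core-2.13.2-fixed.jar", "2.13.2", False)  # mitigated
        write_sample_jar(lib / "log4j-core-2.17.1.jar", "2.17.1", True)         # SP3 level
        return {Path(f["jar"]).name: f["exposed"] for f in scan_install(root)}
```

Run scan_install() against the real <INSTALL_PATH> after the mitigation script has finished: any jar reported as exposed still contains the lookup class and the mitigation did not take effect there.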