Skip to main content
Support

KB Article #182001

Impact of log4j vulnerabilities on API Gateway Client Tools

Problem

Policy Studio and Configuration Studio do not run as a service and, therefore, are not directly exposed to recently identified log4j vulnerabilities because they have no open ports/inbound connections for malicious requests to get sent to.

However, Axway is taking into account a theoretical situation in which API Gateway Client Tools can pull an attack string and eventually use log4j to read it and to trigger the exploit.

Although there is no actual known/proven scenario of attacking API Gateway Client Tools we recommend customers to apply the Permanent Solution or Mitigation Option described below. The actions described in this article apply to Policy Studio and Configuration Studio, for API Gateway and API Manager please refer to Article ID #181917.

Resolution

Permanent Solution: patches

In API Gateway version 7.7.20220228 (Feb 22) the log4j version was updated to 2.17.1. For previous supported versions of API Gateway Policy Studio patches are available as follows:

Mitigation Option: class removal

This solution consists in removing the JndiLookup.class and JndiManager.class from a number of JAR files within the Client Tools installation:

  1. Close any running instance of Policy Studio and Configuration Studio
  2. Identify log4j-core* JAR files in your Client Tools installation by executing the following commands in the root folder of Client Tools installation :
  3. On Windows:

    dir /b /s log4j-*core*.jar
        

    On Linux:

    find . -iname 'log4j-*core*.jar'
        
  4. If you are working with version 7.7.20211130 or 7.7.20210830 then you also need to locate the apigw-libraries.jar:
  5. On Windows:

    dir /b /s apigw-libraries.jar
        

    On Linux:

    find . -iname 'apigw-libraries.jar'
        
  6. Remove the JndiLookup and JndiManager classes from the log4j-core JAR files identified at point 2, and from the apigw-libraries JAR file identified at point 3 if you are working with a relevant version :
  7. On Windows, for each log4j-core file identified at point 2, open the jar file in a zip manager tool (like 7Zip) and remove the classes: org/apache/logging/log4j/core/lookup/JndiLookup.class and org/apache/logging/log4j/core/net/JndiManager.class

    Additionally, on Windows, if you are working with version 7.7.20211130 or 7.7.20210830, for the apigw-libraries file identified at point 3, open the jar file in a zip manager tool (like 7Zip) and remove the classes: org/apache/logging/log4j/core/lookup/JndiLookup.class and org/apache/logging/log4j/core/net/JndiManager.class


    On Linux, for each log4j-core file identified at point 2, execute:

    zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip -q -d log4j-core*.jar org/apache/logging/log4j/core/net/JndiManager.class
        

    Additionally, on Linux, if you are working with version 7.7.20211130 or 7.7.20210830, for the apigw-libraries jar file identified at point 3, one should also execute:

    zip -q -d apigw-libraries.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip -q -d apigw-libraries.jar org/apache/logging/log4j/core/net/JndiManager.class