KB Article #182001

Impact of log4j vulnerabilities on API Gateway Client Tools

Problem

Policy Studio and Configuration Studio do not run as a service and are therefore not directly exposed to the recently identified log4j vulnerabilities: they have no open ports or inbound connections to which malicious requests could be sent.

However, Axway is taking into account a theoretical scenario in which API Gateway Client Tools could retrieve an attack string and eventually pass it to log4j, which would read it and trigger the exploit.

Although there is no known or proven scenario for attacking API Gateway Client Tools, we recommend that customers apply the Permanent Solution or the Mitigation Option described below. The actions described in this article apply to Policy Studio and Configuration Studio; for API Gateway and API Manager, please refer to Article ID #181917.

Resolution

Permanent Solution: patches

In API Gateway version 7.7.20220228 (Feb 22), log4j was updated to version 2.17.1. For earlier supported versions of API Gateway, Policy Studio patches are available as follows:

Mitigation Option: class removal

This solution consists of removing JndiLookup.class and JndiManager.class from a number of JAR files within the Client Tools installation:

  1. Close any running instance of Policy Studio and Configuration Studio.
  2. Identify the log4j-core* JAR files in your Client Tools installation by executing the following command in the root folder of the Client Tools installation:

     On Windows:

     dir /b /s log4j-*core*.jar

     On Linux:

     find . -iname 'log4j-*core*.jar'

  3. If you are working with version 7.7.20211130 or 7.7.20210830, you also need to locate apigw-libraries.jar:

     On Windows:

     dir /b /s apigw-libraries.jar

     On Linux:

     find . -iname 'apigw-libraries.jar'

  4. Remove the JndiLookup and JndiManager classes from the log4j-core JAR files identified at point 2 and, if you are working with one of the versions named at point 3, from the apigw-libraries JAR file identified there:

     On Windows, for each log4j-core file identified at point 2, open the JAR file in a zip manager tool (such as 7-Zip) and remove the classes org/apache/logging/log4j/core/lookup/JndiLookup.class and org/apache/logging/log4j/core/net/JndiManager.class.

     Additionally, on Windows, if you are working with version 7.7.20211130 or 7.7.20210830, open the apigw-libraries file identified at point 3 in a zip manager tool (such as 7-Zip) and remove the same two classes: org/apache/logging/log4j/core/lookup/JndiLookup.class and org/apache/logging/log4j/core/net/JndiManager.class.

     On Linux, for each log4j-core file identified at point 2, execute the following in the directory that contains the file (the pattern is relative to the current directory):

     zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
     zip -q -d log4j-core*.jar org/apache/logging/log4j/core/net/JndiManager.class

     Additionally, on Linux, if you are working with version 7.7.20211130 or 7.7.20210830, execute the following in the directory that contains the apigw-libraries JAR file identified at point 3:

     zip -q -d apigw-libraries.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
     zip -q -d apigw-libraries.jar org/apache/logging/log4j/core/net/JndiManager.class
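As an added, cross-platform check (example code, not Axway's tooling), this Python script does what the Windows and Linux command sequences above do by hand: it locates the JARs named in points 2 and 3, reports which ones still contain the two JNDI classes so you can confirm the mitigation took, and rewrites a JAR without them. The function names and the sample installation tree it builds are constructed for this example.

```python
import fnmatch
import os
import tempfile
import zipfile

# The two class entries the article tells you to delete from each JAR.
JNDI_CLASSES = ("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                "org/apache/logging/log4j/core/net/JndiManager.class")
# JAR names from the article; apigw-libraries.jar only matters on 7.7.20211130 and 7.7.20210830.
JAR_PATTERNS = ("log4j-*core*.jar", "apigw-libraries.jar")

def find_jars(root):
    """Walk root for JARs matching the article's patterns, case-insensitively like `find -iname`."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root) for f in files
                  if any(fnmatch.fnmatch(f.lower(), p) for p in JAR_PATTERNS))

def jar_entries(jar_path):
    """Entry names inside a JAR (a JAR is a zip archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return set(zf.namelist())

def audit(root):
    """Map each matching JAR to the JNDI classes it still carries; an empty list means mitigated."""
    return {j: sorted(set(JNDI_CLASSES) & jar_entries(j)) for j in find_jars(root)}

def strip_jndi(jar_path):
    """Rewrite the JAR without the JNDI classes (zipfile has no in-place delete); return what was removed."""
    removed, tmp = [], jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename in JNDI_CLASSES:
                removed.append(item.filename)
            else:
                dst.writestr(item, src.read(item.filename))  # keeps each entry's compression
    os.replace(tmp, jar_path)  # atomic swap on both Windows and Linux
    return removed

def build_sample_install():
    """Constructed stand-in for a Client Tools tree: one vulnerable log4j-core JAR, one unrelated JAR."""
    root = tempfile.mkdtemp(prefix="clienttools-")
    lib = os.path.join(root, "plugins", "lib")
    os.makedirs(lib)
    stub = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real class files
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        for name in JNDI_CLASSES + ("org/apache/logging/log4j/core/Logger.class",):
            zf.writestr(name, stub)
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.14.1.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/Logger.class", stub)
    return root
```

Point audit() at the real installation root after completing the procedure: any non-empty list means a JAR still carries the classes.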