KB Article #182053

Api-transform-1.4.0.jar and log4j vulnerabilities

Problem

This article provides clarifications and recommendations regarding api-transform-1.4.0.jar, which is present in some installations. Security scanners may identify api-transform-1.4.0.jar and flag it as vulnerable to the Log4Shell vulnerability. The file api-transform-1.4.0.jar contains the vulnerable classes (JndiLookup and JndiManager) but is not loaded at API Gateway startup and does not expose the Log4Shell vulnerability. Analytics ships the same JAR in 7.7.0, 7.7 SP1 and 7.7 SP2 but is likewise not vulnerable.


The file api-transform-1.4.0.jar was shipped only in the 7.7 versions 7.7.0, 7.7.0 SP1 and 7.7.0 SP2. Starting with the January 2020 release, api-transform-1.4.0.jar is removed from the installation kits together with the removal of RAML support: https://docs.axway.com/bundle/axway-open-docs/page/docs/apim_relnotes/20200130_apimgr_relnotes/index.html


Newer 7.7 installation kits do not contain api-transform-1.4.0.jar. Older API Gateway versions (7.6.3, 7.5.2) do not contain api-transform-1.4.0.jar, but api-transform-1.3.0.jar or earlier may be present; these earlier versions do not contain the vulnerable classes.


You may wish to take action if:

  1. You are still using API Gateway 7.7, 7.7 SP1 or 7.7 SP2, or
  2. You are using an API Gateway 7.7 that was updated from 7.7, 7.7 SP1 or 7.7 SP2.


In both cases api-transform-1.4.0.jar may still exist in "apigateway/Linux.x86_64/lib/". By default, this JAR and its classes are not loaded on instance startup; however, since it is no longer used, Axway recommends deleting the JAR file.


Impacted products: API Gateway/Manager and API Gateway Analytics versions 7.7, 7.7 SP1, 7.7 SP2.

Resolution

1. Determine whether api-transform-1.4.0.jar is present on the system:

For APIM: cd ../apigateway/
For API Gateway Analytics: cd ../analytics/
find . -name 'api-transform-1.4.0.jar'

The default location is "apigateway/Linux.x86_64/lib/".


2. If the file is present:

  1. Stop API Gateway.
  2. Back up api-transform-1.4.0.jar outside the API Gateway installation and delete it from the API Gateway installation.
  3. Start API Gateway.
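The following script carries the two resolution steps above through in one pass: it locates api-transform-1.4.0.jar under an apigateway/ or analytics/ installation, confirms that the copy found really embeds the JndiLookup class the scanner flags, and moves it to a backup directory outside the installation so it can be restored. It is an added example, not Axway's own tooling; the two script arguments (install directory and backup directory) and the backup layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Axway KB: locate api-transform-1.4.0.jar under an
# API Gateway (apigateway/) or Analytics (analytics/) installation, confirm that
# the copy found really embeds the log4j JNDI lookup class the scanner flags,
# and move it to a backup directory outside the installation before restart.
# Assumed: INSTALL_DIR and BACKUP_DIR are the two script arguments; paths
# contain no spaces.

JAR_NAME="api-transform-1.4.0.jar"
# Entry path of the class the KB names; log4j 2 stores it under core/lookup.
VULN_CLASS="org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Print the path of every copy of the jar below $1, one per line.
# Empty output means the installation is already clean.
find_transform_jars() {
    find "${1%/}" -type f -name "$JAR_NAME" 2>/dev/null
}

# Exit 0 if the jar at $1 embeds the vulnerable class, 1 otherwise.
# Zip entry names are stored uncompressed in the archive, so a plain text
# search finds the class without needing unzip or a JDK on the gateway host.
jar_has_jndi_lookup() {
    grep -qa "$VULN_CLASS" "$1"
}

# Move every copy found under $1 into $2, keeping the relative path so the
# file can be restored if needed; prints one "moved:" line per file.
backup_and_remove() {
    install_dir=${1%/}
    backup_dir=${2%/}
    for jar in $(find_transform_jars "$install_dir"); do
        rel=${jar#"$install_dir"/}
        mkdir -p "$backup_dir/$(dirname "$rel")"
        mv "$jar" "$backup_dir/$rel"
        echo "moved: $jar -> $backup_dir/$rel"
    done
}

# Command-line use: report first, then back up and delete (gateway must be stopped).
if [ "$#" -eq 2 ]; then
    for jar in $(find_transform_jars "$1"); do
        if jar_has_jndi_lookup "$jar"; then
            echo "found (contains JndiLookup): $jar"
        else
            echo "found (JndiLookup not present): $jar"
        fi
    done
    backup_and_remove "$1" "$2"
fi
```

Run it with the gateway stopped, e.g. `sh remove_api_transform.sh /opt/Axway/apigateway /opt/backup`, then start the gateway; the "moved:" lines are the record of what was removed.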


For more information regarding the Log4j vulnerability, see the following knowledge base article: https://support.axway.com/kb/181917/language/n