Log4J Security Exploit CVE-2021-44228 Does Not Affect Kofax Front Office Server
Issue
CVE-2021-44228 reports a security vulnerability in Apache Log4j2 versions 2.10 - 2.14.1. This vulnerability has been mitigated in Log4J2 version 2.15 and higher.
JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Solution
Kofax Front Office Server does not use or install any version of Log4J2. Therefore, it is not affected by the vulnerability in the Log4J2 libraries reported in CVE-2021-44228.
There is a similar vulnerability also identified in Log4J version 1: CVE-2021-4104. However, it affects only applications that use JMSAppender. Kofax Front Office Server is not impacted by this, as it does not use the JMSAppender.
The use of the Log4J libraries are limited to the Kofax Ricoh SDK/Java Client and the Kofax Ricoh Android Client Registration Utility.
The following Log4J versions are used in the Kofax Front Office Server Kofax Ricoh SDK/Java Client and the Kofax Ricoh Android Client Registration Utility:
- KFS 4.3 Ricoh SDK/Java Client:
log4j 1.2.8 and log4j 1.2.17
- KFS 4.3 Ricoh Android Client Registration Utility:
log4j 1.2.17
- KFS 4.1 Ricoh SDK/Java Client:
log4j 1.2.8
- KFS 4.1 Ricoh Android Client Registration Utility:
log4j 1.2.17
Level of Complexity
Easy
Applies to
| Product | Version | Build | Environment | Hardware |
|---|---|---|---|---|
| Kofax Front Office Server | 4.3 4.1 |
Ricoh SDK/Java Client | Ricoh MFP Devices |