CVE-2021-44228 was discovered on 2021-12-10; the question remains which Kofax Communication Server modules are affected by this critical security vulnerability.
More details can be found on the Apache website: https://logging.apache.org/log4j/2.x/security.html
The Apache Log4j2 RCE vulnerability allows remote code execution via Log4j's JNDI API and is rated as a critical vulnerability.
There is no risk due to this vulnerability for all supported versions (KCS 10.3, KCS 10.2) of Kofax Import Connector and Kofax Communication Server.
- Log4J was removed from our source code on 2019-05-14 (before KCS 10.3/KIC 2.8), so there is no risk for KCS 10.3 / KIC 2.8 or later. It was removed during a cleanup of libraries that had not been used for some time (e.g. internally used testing tools).
- Additionally, all code from KCS 10.2 was checked without any indication that Log4j is used. There is also no indication that Log4j is used in KIC 2.6 or higher.
- The KCS Line Server diagnostics were ported from Java to C long before KCS 10.2 was released and are therefore not affected.
The following older KCS versions have also been checked, and none of them uses Log4J:
- KCS 9.2
- KCS 10.0.1
- KCS 10.1.1
PowerShell scripts to detect potential Log4j installations on Windows machines can be found on GitHub, for example:
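As an added example of the kind of detection script referred to above (this is not code from the Kofax article or from any GitHub project), the following PowerShell snippet walks a set of directories, finds Log4j JAR files, and reports for each one the version from its manifest and whether it still contains the JndiLookup class that CVE-2021-44228 abuses. The root paths and the `log4j*` file-name pattern are assumptions to adjust for your environment; the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` is where Log4j 2.x ships that class.

```powershell
# Added example (not from the Kofax article): inventory Log4j JARs on a Windows host.
# Assumptions: the roots below and the 'log4j*' name pattern are illustrative only.
param(
    [string[]]$Roots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\ProgramData')
)

# Needed on Windows PowerShell 5.1 so that ZipFile is available; harmless on PowerShell 7.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-Log4jJar {
    param([string]$Path)

    $result = [pscustomobject]@{
        Path          = $Path
        Version       = $null   # Implementation-Version from META-INF/MANIFEST.MF, if present
        HasJndiLookup = $false  # $true when the JNDI lookup class is still packaged in the JAR
        Error         = $null
    }

    try {
        # A JAR is a ZIP archive; read it without extracting anything to disk.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class') {
                    $result.HasJndiLookup = $true
                }
            }

            $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($manifest) {
                $reader = New-Object System.IO.StreamReader($manifest.Open())
                try   { $text = $reader.ReadToEnd() }
                finally { $reader.Dispose() }
                if ($text -match 'Implementation-Version:\s*(\S+)') {
                    $result.Version = $Matches[1]
                }
            }
        } finally {
            $zip.Dispose()
        }
    } catch {
        # Unreadable or corrupt archives are reported, not silently skipped.
        $result.Error = $_.Exception.Message
    }

    return $result
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.jar' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'log4j*' } |
        ForEach-Object { Test-Log4jJar -Path $_.FullName }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Compare the reported Version against the fixed versions listed on the Apache security page linked above; a Log4j 1.x JAR does not contain the JndiLookup class at that path and so shows HasJndiLookup as false. The script only inspects JAR files that sit directly on disk; Log4j bundled inside a WAR, EAR or uber-JAR would require opening the nested archives as well.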