Kofax

Apache Log4j remote code execution vulnerability

Article # 3036990

Issue

CVE-2021-44228 was discovered on 2021-12-10. The question is which Kofax Communication Server (KCS) modules are affected by this critical security vulnerability.
More details can be found on the Apache website: https://logging.apache.org/log4j/2.x/security.html

Cause

The Apache Log4j2 RCE vulnerability allows remote code execution via Log4j's JNDI API and is rated as a critical vulnerability.

Solution

None of the supported versions (KCS 10.3, KCS 10.2) of Kofax Import Connector (KIC) and Kofax Communication Server (KCS) is at risk from this vulnerability.

  • Log4j was removed from our source code on 2019-05-14 (before KCS 10.3 / KIC 2.8), so there is no risk for KCS 10.3 / KIC 2.8 or later.
    Log4j was removed at that time as part of a cleanup of libraries that had not been used for some time (e.g. internally used testing tools).
  • Additionally, all code of KCS 10.2 was checked and there is no indication that Log4j is used. There is also no indication that Log4j is used in KIC 2.6 or higher.
  • KCS Line Server diagnostics was ported from Java to C long ago, before KCS 10.2 was released, and is therefore not affected.

The following older KCS versions have also been checked and none of them uses Log4j:

  • KCS 9.2
  • KCS 10.0.1
  • KCS 10.1.1


PowerShell scripts to detect potential Log4j installations on Windows machines can be found on GitHub, for example:

https://github.com/JoranSlingerland/Log4jScanner
https://github.com/Maelstromage/Log4jSherlock
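Kofax states that its own modules do not use Log4j; for other software on the same Windows hosts a local check is still useful. The script below is an added example (not from the Kofax article or from the linked GitHub projects): it opens each JAR, WAR and EAR under a root folder as a ZIP archive, reports the ones carrying Log4j classes together with their manifest version, and flags whether JndiLookup.class, the class exercised by CVE-2021-44228, is still inside. It assumes Windows PowerShell 5.1 or later and a scan root that you supply.

```powershell
# Added example, not part of the Kofax article nor of the linked GitHub projects.
# First-pass check for Log4j 2 archives on a Windows host: every .jar/.war/.ear
# under $Path is opened as a ZIP and reported if it carries log4j classes, with
# the manifest version and whether JndiLookup.class (the class exercised by
# CVE-2021-44228) is still present. Assumes Windows PowerShell 5.1 or later.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarReport {
    param(
        # Root folder to scan, e.g. the KCS installation directory (assumed path).
        [Parameter(Mandatory)][string]$Path
    )
    $jndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

    Get-ChildItem -Path $Path -Recurse -File -Include '*.jar', '*.war', '*.ear' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $archive = $null
        try {
            $archive = [System.IO.Compression.ZipFile]::OpenRead($file)
            $entries = @($archive.Entries | ForEach-Object { $_.FullName })
            $isLog4j = @($entries | Where-Object { $_ -like 'org/apache/logging/log4j/*' }).Count -gt 0
            if (-not $isLog4j) { return }   # skip archives that do not contain log4j classes

            # Implementation-Version from the manifest, when the archive has one.
            $version = $null
            $manifest = $archive.GetEntry('META-INF/MANIFEST.MF')
            if ($manifest) {
                $reader = New-Object System.IO.StreamReader($manifest.Open())
                try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                if ($text -match 'Implementation-Version:\s*(\S+)') { $version = $Matches[1] }
            }

            [pscustomobject]@{
                File            = $file
                Version         = $version
                JndiLookupFound = ($entries -contains $jndiEntry)   # True: the JNDI lookup class is still packaged
            }
        } catch {
            Write-Warning "Could not open ${file}: $($_.Exception.Message)"
        } finally {
            if ($archive) { $archive.Dispose() }
        }
    }
}

# Report every log4j archive under the given root; nested JARs inside WAR/EAR files are not expanded.
Get-Log4jJarReport -Path 'C:\Program Files' | Format-Table -AutoSize
```

Archives nested inside other archives are not opened, so a clean report is a first indication only, not proof of absence.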

Applies to the following KCS modules:

None


Level of Complexity

High


Applies to

Product  Version  Build  Environment  Hardware
All      All      All    Java         n/a