CVE-2021-44228 was discovered on 2021-12-10, this affects all installations of KCM 5.3, 5.4 and 5.5.
For KCM 5.3, only Designer for Web is affected, while for KCM 5.4 and 5.5, the Contract Manager and Designer for Web both are affected.
CVE-2021-4104 was discovered on 2021-12-14
CVE-2021-45046 was discovered on 2021-12-15.
CVE-2021-45105 was discovered on 2021-12-16.
These CVE's do not affect KCM.
The Apache Log4j2 RCE vulnerability CVE-2021-44228 allows to execute remote code via Log4j's JNDI API and is ranked as a critical vulnerability.
The Apache Log4j2 vulnerability CVE-2021-45046 and CVE-2021-45105 allow a denial of service (DOS) attack when a non-default Pattern Layout is used in the log4j configuration files. This does not apply to KCM.
A fix is available for all affected versions of KCM. The fix can be downloaded via this link: KCM-188.8.131.52.FIX16646.zip.
The below steps are not required anymore. Instead of applying the below mitigation steps, apply the above fix. The mitigations can be safely removed after applying the above fix.
We suggest all customer to use one of the following ways to mitigate the issue:
- Change the configuration value log4j2.formatMsgNoLookups to true or
- Change the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
To change the config value log4j2.formatMsgNoLookups:
- Open elevated command prompt and run in the bin folder of Tomcat, tomcat<version>w.exe to open the configuration of the KCM Runtime instance.
For example for Tomcat 9:
<Tomcat>\bin\Tomcat9w.exe //ES/<Tomcat instance name>
To retrieve the Tomcat instance name, open services.msc and open the properties of the KCM Apache Tomcat service and check the service name (not the display name). When the properties of a service are opened, the service name is already selected. Example:
C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\Tomcat9w.exe //ES/Tomcat-KCMRuntime-5.5
For KCM 5.3, you only need to change service Tomcat-WebDesigner-5.3
For KCM 5.4, you need to change Tomcat-WebDesigner-5.4 and Tomcat-CCMRuntime-5.4
For KCM 5.5, you need to change Tomcat-KCMComposer-5.5, Tomcat-KCMRegistration-5.5, Tomcat-KCMRuntime-5.5, Tomcat-KCMDesigner-5.5 and Tomcat-KCMLogServer-5.5.
- On the tab Java, under Java options add the line
- Click Apply and click Ok to close the program. Restart the Tomcat service.
To edit the environment variable:
- Open a command prompt and run
- Under System Variables, add a new variable called "LOG4J_FORMAT_MSG_NO_LOOKUPS" and set its value to "TRUE"
- Click OK, and restart the KCM Tomcat Services.
Level of Complexity
|Kofax Communications Manager||5.3, 5.4 and 5.5||n/a||n/a||n/a|
More details can be found on the Apache website: https://logging.apache.org/log4j/2.x/security.html