
ShareScan and Log4j vulnerability (CVE-2021-44228)

Article # 3037090

Question:

Is ShareScan affected by the published Log4j vulnerability (CVE-2021-44228)?

Answer: 

The Kofax eCopy ShareScan v6.4 and v6.5 web component is affected by the log4j vulnerability described in CVE-2021-44228.

- The Kofax eCopy ShareScan Web Components use the Log4j library (v2.13.3).

Since CVE-2021-44228 covers Log4j versions 2.0 through 2.14.1 (inclusive), only ShareScan v6.4.0.0-2.xxx and the ShareScan v6.5 release version are affected by this vulnerability.

The older versions

  • v5.x
  • v6.1
  • v6.2
  • v6.3

are not impacted by the CVE-2021-44228 vulnerability.

Official fix for Kofax eCopy ShareScan v6.4: install FixPack3 (https://delivery.kofax.com/Downloads/Files?PackageId=1492)

Official fix for Kofax eCopy ShareScan v6.5: install FixPack1 (https://delivery.kofax.com/Downloads/Files?PackageId=1543)

If Canon and Ricoh devices, which use the JAR-based ShareScan client, are in use, the web components are not necessary. The ShareScan v6.4 and v6.5 server is not affected if the web components are not installed.
However, the devices themselves can still use Log4j libraries for logging. Please contact the device vendor (Canon or Ricoh) about this.

If only Canon or Ricoh devices are connected to the ShareScan v6 server and Apache Tomcat is present on the Kofax eCopy ShareScan server, Apache Tomcat can be removed.
Remove Apache Tomcat

The following workaround can be applied ONLY to ShareScan v6.4.0.0-2.xxx and the ShareScan v6.5 release version.

Workaround:

The Tomcat server in ShareScan is not a publicly available web server; the eCopy ShareScan web client does not use JNDI, JMSAppender, or a non-default Pattern Layout with a Context Lookup, and it runs on a nearly current JRE, which keeps JNDI from loading remote code via LDAP.

The other mitigation option, removing the JndiLookup class from the classpath as described at https://logging.apache.org/log4j/2.x/security.html, can be applied as a workaround for CVE-2021-44228, but it does not mitigate other, newer Log4j 2.x vulnerabilities.

Therefore, as a workaround, we recommend manually replacing the log4j libraries with version 2.17.1 in the eCopy ShareScan v6.4.0.0-2.xxx and ShareScan v6.5 release version web client if the customer is not willing to install the official fix (eCopy ShareScan v6.4 FixPack3 or v6.5 FixPack1).

To replace the log4j libraries manually, perform the following steps:

1. Download the log4j 2.17.1 binary package from https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip
   Unblock the downloaded apache-log4j-2.17.1-bin.zip file.

2. Extract the downloaded apache-log4j-2.17.1-bin.zip package to a temp folder.
   Only the following files are required from the package:
       log4j-1.2-api-2.17.1.jar
       log4j-api-2.17.1.jar
       log4j-core-2.17.1.jar
       log4j-web-2.17.1.jar

3. Stop the Apache Tomcat 9.0 Windows service.

4. Move the following files from the <Apache Tomcat 9 installation folder>\webapps\ShareScan\WEB-INF\lib folder (typically C:\Program Files (x86)\Kofax\Tomcat9\webapps\ShareScan\WEB-INF\lib) to a backup folder:
       log4j-1.2-api-2.13.3.jar
       log4j-api-2.13.3.jar
       log4j-core-2.13.3.jar
       log4j-web-2.13.3.jar

5. Copy the following files from the package downloaded in Step 1 to the <Apache Tomcat 9 installation folder>\webapps\ShareScan\WEB-INF\lib folder (typically C:\Program Files (x86)\Kofax\Tomcat9\webapps\ShareScan\WEB-INF\lib):
       log4j-1.2-api-2.17.1.jar
       log4j-api-2.17.1.jar
       log4j-core-2.17.1.jar
       log4j-web-2.17.1.jar

6. Start the Apache Tomcat 9.0 Windows service.
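A post-replacement check for the WEB-INF\lib folder named in steps 4 and 5, added here as an example and not part of the Kofax article or product: it lists the log4j jars found, flags a log4j-core jar still in the CVE-2021-44228 range (2.0 to 2.14.1, as stated above), a 2.13.3 file left beside the 2.17.1 ones, or a missing module, and builds a constructed sample folder so it runs offline (all function and constant names are the example's own).

```python
import re
import tempfile
import zipfile
from pathlib import Path

EXPECTED_MODULES = ("1.2-api", "api", "core", "web")   # the four jars the article replaces
JAR_RE = re.compile(r"^log4j-(?P<module>.+?)-(?P<ver>\d+(?:\.\d+)*)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VULN_MIN, VULN_MAX = (2, 0), (2, 14, 1)  # CVE-2021-44228 range as the article states it

def parse_version(text):
    """'2.13.3' -> (2, 13, 3); tuples compare element by element."""
    return tuple(int(p) for p in text.split("."))

def audit_log4j_libs(lib_dir):
    """Summarise the log4j jars in lib_dir and flag what a manual replacement can
    get wrong: core still in the CVE range, a leftover old jar, a missing module."""
    found = {}       # module -> [versions]; two entries mean a leftover file
    exposed = False  # a core jar in the CVE range that still ships JndiLookup
    for jar in Path(lib_dir).glob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if not m:
            continue
        ver = parse_version(m.group("ver"))
        found.setdefault(m.group("module"), []).append(ver)
        if m.group("module") == "core" and VULN_MIN <= ver <= VULN_MAX:
            # class still present => the classpath-removal workaround was not applied
            with zipfile.ZipFile(jar) as zf:
                exposed = exposed or JNDI_LOOKUP in zf.namelist()
    versions = {v for vs in found.values() for v in vs}
    return {
        "versions": {mod: sorted(v) for mod, v in found.items()},
        "missing": [mod for mod in EXPECTED_MODULES if mod not in found],
        "mixed_versions": len(versions) > 1,
        "core_in_cve_range": any(VULN_MIN <= v <= VULN_MAX for v in found.get("core", [])),
        "exposed": exposed,
    }

def build_sample_lib(core_versions, other_version="2.17.1"):
    """Constructed sample input, not real Log4j jars: a temp folder of minimal zip
    files named like the article's jars; only in-range core jars get JndiLookup."""
    lib = Path(tempfile.mkdtemp())
    for mod in ("1.2-api", "api", "web"):
        zipfile.ZipFile(lib / f"log4j-{mod}-{other_version}.jar", "w").close()
    for ver in core_versions:
        with zipfile.ZipFile(lib / f"log4j-core-{ver}.jar", "w") as zf:
            if VULN_MIN <= parse_version(ver) <= VULN_MAX:
                zf.writestr(JNDI_LOOKUP, b"")
    return str(lib)
```

Point `audit_log4j_libs` at the real Tomcat lib folder after step 6; a clean result has `core_in_cve_range` False, `mixed_versions` False and an empty `missing` list.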


Applies to:  

Product Version
Kofax eCopy ShareScan 6.4.0.1.xxx and 6.4.0.2.xxx
Kofax eCopy ShareScan 6.5.0.0.xxx
