Is ShareScan affected by the published Log4j vulnerability (CVE-2021-44228)?
The Kofax eCopy ShareScan v6.4 and v6.5 web component is affected by the log4j vulnerability described in CVE-2021-44228.
Kofax eCopy ShareScan Web Components use the Log4j library (v2.13.3). Since CVE-2021-44228 covers versions 2.0 through 2.14.1 (inclusive), only ShareScan v126.96.36.199-2.xxx and the ShareScan v6.5 release version are affected by this vulnerability. Older versions are not impacted by CVE-2021-44228.
Official fix for Kofax eCopy ShareScan v6.4: install FixPack3 (https://delivery.kofax.com/Downloads/Files?PackageId=1492)
Official fix for Kofax eCopy ShareScan v6.5: install FixPack1 (https://delivery.kofax.com/Downloads/Files?PackageId=1543)
Where Canon and Ricoh devices, which use the JAR-based ShareScan client, are in use, the web components are not necessary. The ShareScan v6.4 and v6.5 server is not affected if the web components are not installed.
However, the devices themselves can still use Log4j libraries for logging. Please contact the device vendor (Canon, Ricoh) about this.
If only Canon or Ricoh devices are connected to the ShareScan v6 server and Apache Tomcat is present on the Kofax eCopy ShareScan server, Apache Tomcat can be removed.
Remove Apache Tomcat
The following workaround can be applied ONLY to ShareScan v188.8.131.52-2.xxx and the ShareScan v6.5 release version.
The Tomcat server in ShareScan is not a publicly available web server; the eCopy ShareScan web client does not use JNDI, JMSAppender, or a non-default Pattern Layout with a Context Lookup, and it runs on an almost current JRE, which prevents JNDI from loading remote code via LDAP.
The other mitigation option, removing the JndiLookup class from the classpath as described at https://logging.apache.org/log4j/2.x/security.html, can be applied as a workaround for CVE-2021-44228, but it does not mitigate the newer log4j 2.x vulnerabilities.
Therefore, as a workaround, we recommend manually replacing the log4j libraries with version 2.17.1 in the eCopy ShareScan v184.108.40.206-2.xxx and ShareScan v6.5 release version web client if the customer is not willing to install the official fix (eCopy ShareScan v6.4 FixPack3 or v6.5 FixPack1).
To replace the log4j libraries manually, perform the following steps:
1. Download the log4j 2.17.1 binary package from https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip and unblock the downloaded apache-log4j-2.17.1-bin.zip file.
2. Extract the downloaded apache-log4j-2.17.1-bin.zip package to a temporary folder. Only the following files are required from the package:
3. Stop the Apache Tomcat 9.0 Windows service.
4. Move the following files from the <Apache Tomcat 9 installation folder>\webapps\ShareScan\WEB-INF\lib folder (typically C:\Program Files (x86)\Kofax\Tomcat9\webapps\ShareScan\WEB-INF\lib) to a backup folder:
5. Copy the following files from the package downloaded in Step 1 to the <Apache Tomcat 9 installation folder>\webapps\ShareScan\WEB-INF\lib folder (typically C:\Program Files (x86)\Kofax\Tomcat9\webapps\ShareScan\WEB-INF\lib):
6. Start the Apache Tomcat 9.0 Windows service.
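The steps above, scripted as an added PowerShell example (not Kofax's own script): it first inventories the log4j-*.jar files in WEB-INF\lib and flags which fall in the 2.0 to 2.14.1 range named above, and with -Replace performs the unblock, extract, stop, backup, copy and start sequence. The default paths, the service display name pattern "Apache Tomcat 9.0*", and the assumption that the extracted package contains a <artifact>-2.17.1.jar for every log4j-<artifact>-<version>.jar already in the lib folder are all assumptions; the exact jar list from the article is not reproduced here.

```powershell
# Added example, not Kofax's own script. Inventories Log4j jars in the ShareScan
# web client and, with -Replace, swaps them for 2.17.1 with a backup first.
# Supports -WhatIf so the plan can be reviewed before any file or service is touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZipPath    = "$env:USERPROFILE\Downloads\apache-log4j-2.17.1-bin.zip",  # assumption
    [string]$LibDir     = 'C:\Program Files (x86)\Kofax\Tomcat9\webapps\ShareScan\WEB-INF\lib',
    [string]$BackupDir  = "C:\log4j-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')",  # assumption
    [string]$NewVersion = '2.17.1',
    [switch]$Replace
)
$ErrorActionPreference = 'Stop'

# Inventory: parse artifact and version out of each log4j-*.jar file name,
# e.g. log4j-core-2.13.3.jar -> artifact log4j-core, version 2.13.3.
$pattern = '^(?<artifact>log4j-[a-z0-9.\-]+?)-(?<version>\d+\.\d+\.\d+)\.jar$'
$jars = Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' | ForEach-Object {
    if ($_.Name -match $pattern) {
        $v = [version]$Matches.version
        [pscustomobject]@{
            File       = $_.FullName
            Artifact   = $Matches.artifact
            Version    = $v
            # CVE-2021-44228 range as stated in the article: 2.0 through 2.14.1 inclusive.
            InCveRange = ($v -ge [version]'2.0') -and ($v -le [version]'2.14.1')
            # Anything older than the target version gets replaced, not only the CVE range.
            Outdated   = $v -lt [version]$NewVersion
        }
    }
}
$jars | Format-Table Artifact, Version, InCveRange, Outdated -AutoSize

if (-not $Replace) { Write-Host "Inventory only; re-run with -Replace to upgrade to $NewVersion."; return }
$toReplace = @($jars | Where-Object Outdated)
if ($toReplace.Count -eq 0) { Write-Host 'No outdated log4j jars found; nothing to do.'; return }

# Steps 1 and 2: clear the downloaded-file mark and extract the package to a temp folder.
$extractDir = Join-Path $env:TEMP "apache-log4j-$NewVersion-bin"
Unblock-File -Path $ZipPath
Expand-Archive -Path $ZipPath -DestinationPath $extractDir -Force

# Pair every old jar with its new counterpart BEFORE touching anything, so a missing
# artifact aborts the run instead of leaving WEB-INF\lib half-upgraded (e.g. api without core).
$plan = foreach ($j in $toReplace) {
    $new = Get-ChildItem -Path $extractDir -Recurse -Filter "$($j.Artifact)-$NewVersion.jar" |
           Select-Object -First 1
    if (-not $new) { throw "No $($j.Artifact)-$NewVersion.jar under $extractDir; aborting before any change." }
    [pscustomobject]@{ Old = $j.File; New = $new.FullName }
}

# Step 3: stop the Tomcat 9.0 Windows service (display name pattern is an assumption).
$svc = Get-Service -DisplayName 'Apache Tomcat 9.0*' | Select-Object -First 1
if (-not $svc) { throw 'Apache Tomcat 9.0 service not found.' }
if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service')) {
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [timespan]::FromSeconds(60))
}

# Steps 4 and 5: move the old jars to the backup folder, then copy the new ones in.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($p in $plan) {
    if ($PSCmdlet.ShouldProcess($p.Old, "Move to $BackupDir")) { Move-Item -Path $p.Old -Destination $BackupDir }
    if ($PSCmdlet.ShouldProcess($p.New, "Copy to $LibDir"))    { Copy-Item -Path $p.New -Destination $LibDir }
}

# Step 6: start the service again and wait until it reports Running.
if ($PSCmdlet.ShouldProcess($svc.Name, 'Start service')) {
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [timespan]::FromSeconds(60))
}

# Post-check: no jar older than the target version should remain in the lib folder.
$remaining = Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' |
             Where-Object { $_.Name -match $pattern -and ([version]$Matches.version) -lt [version]$NewVersion }
if ($remaining) { Write-Warning "Outdated jars still present: $($remaining.Name -join ', ')" }
else            { Write-Host "Replacement complete; originals are in $BackupDir" }
```

Run it once without -Replace to see the inventory, then with -Replace -WhatIf to review the planned moves and copies, and finally with -Replace. Keeping the backup folder lets the change be reverted by moving the original jars back while the service is stopped.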
| Product | Version |
|---|---|
| Kofax eCopy ShareScan | 220.127.116.11.xxx and 18.104.22.168.xxx |
| Kofax eCopy ShareScan | 22.214.171.124.xxx |