Kofax

ProcessIT and CVE-2021-44228

Article # 3037061

Issue

CVE-2021-44228 - An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 

Cause

From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technolo...-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Solution

According to "NVD - CVE-2021-44228 (nist.gov)," this defect affects log4j versions 2.0.1 up to (but excluding) 2.15. ProcessIT 7.3 and 7.4 systems, due to their age, were deployed with Log4j version 1.2.x and are therefore not affected.

To confirm the log4j version used by WebLogic for any version of ProcessIT:

  1.  Open the weblogic.log from the ProcessIT server and search for "log4j".
  2.  The reference to the log4j jar file appears near the beginning of the log, within the classpath.

All versions of internal ProcessIT systems are configured to use log4j-1.2.16.
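The check above can be scripted. The following is an added example, not part of the Kofax article: it pulls every log4j jar named on the classpath out of a weblogic.log and classifies each against the version range the article cites as affected (2.x below 2.15, with the 1.2.x line reported as not affected). The sample log lines, jar paths and the optional path argument are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Kofax article): find log4j jars on the WebLogic classpath
# in weblogic.log and classify each by the version range the article describes.

# Constructed sample standing in for a real weblogic.log (paths and entries are assumptions).
make_sample_log() {
  cat > "$1" <<'EOF'
<Dec 13, 2021 10:02:11 AM CET> <Info> <WebLogicServer> <BEA-000000> <Starting WebLogic Server>
java.class.path=/opt/weblogic/lib/weblogic.jar:/opt/processit/lib/log4j-1.2.16.jar:/opt/processit/lib/commons-logging-1.1.jar
<Dec 13, 2021 10:02:12 AM CET> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider>
EOF
}

# Print each distinct log4j jar name in the log (log4j-1.2.16.jar, log4j-core-2.14.1.jar, ...).
log4j_jars() {
  grep -o 'log4j[A-Za-z0-9._-]*\.jar' "$1" | sort -u
}

# Classify one jar name by its version: "affected", "not-affected" or "unknown".
classify_log4j_jar() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*-\([0-9][0-9.]*\)\.jar$/\1/p')
  case "$ver" in *.*) ;; *) echo unknown; return 0 ;; esac   # need at least major.minor
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$major$minor" in '' | *[!0-9]*) echo unknown; return 0 ;; esac
  if [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]; then
    echo affected        # message lookups (JndiLookup) enabled by default before 2.15.0
  else
    echo not-affected    # 1.x has no JndiLookup; 2.15.0 and later disable lookups by default
  fi
}

# Report "<jar> <status>" for every log4j jar the log names; return 2 if any is affected.
scan_weblogic_log() {
  rc=0
  for jar in $(log4j_jars "$1"); do
    status=$(classify_log4j_jar "$jar")
    printf '%s %s\n' "$jar" "$status"
    if [ "$status" = affected ]; then rc=2; fi
  done
  return $rc
}

# With a path argument, scan that weblogic.log; with none, scan the constructed sample.
if [ -n "${1:-}" ]; then
  scan_weblogic_log "$1"
else
  sample=$(mktemp) && make_sample_log "$sample" && scan_weblogic_log "$sample"; rm -f "$sample"
fi
```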

Level of Complexity

Easy

Applies to

Product    Version  Build  Environment  Hardware
ProcessIT  7.3.X
ProcessIT  7.4.X
