Kofax RPA CVE-2021-44228 log4j Security Exploit Information
Issue
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
CVE-2021-45046 was subsequently assigned because the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations. A further fix was released in Log4j 2.16.0.
Solution
The following table lists the RPA versions and components affected by the Log4j vulnerabilities:
RPA version | ManagementConsole, RoboServer, Design Studio | Robot File System | Desktop Automation Service |
---|---|---|---|
v10.6 and earlier | Not affected (doesn't use Log4j2) | Not affected (doesn't use Log4j2) | Not affected (doesn't use Log4j2) |
v10.7 | Not affected (doesn't use Log4j2) | Affected | Not affected (doesn't use Log4j2) |
v11.0 | Not affected (doesn't use Log4j2) | Affected | Not affected (doesn't use Log4j2) |
v11.1 | Affected | Affected | Not affected (doesn't use Log4j2) |
v11.2 | Affected | Affected | Not affected (doesn't use Log4j2) |
RPA 11.2.0.7 ships the fixed Log4j 2 version (2.17.1).
If an upgrade is not possible at this time, Kofax recommends replacing the Log4j jar files used by the affected RPA components with the fixed versions released by Apache. These can be downloaded from:
Apache: https://logging.apache.org/log4j/2.x/download.html (download binaries)
or from
Maven Repository: https://mvnrepository.com/artifact/org.apache.logging.log4j
Download the files corresponding to your RPA version from the list below and follow the steps to replace them in the RPA components you use (the list also states exactly which jar files you need):
DO NOT replace the log4j v1.x jar files with log4j v2.x jar files in RPA versions 11.0 and earlier.
Those versions were only tested with log4j v1.x and do not support log4j v2.x. (In v10.7 and v11.0 only the Robot File System uses Log4j 2, so only its jar files are candidates for replacement.)
If your environment needs to be upgraded to log4j v2.x, upgrade RPA to v11.2 first (this version supports log4j v2.x, and its latest fix pack uses log4j v2.17.1).
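Before and after replacing jar files it helps to have an inventory of what is actually on disk, since the same log4j-core jar can sit under several components (and, for Docker, in several image layers). The following is an added example written for this article, not Kofax code. It walks an install folder (or an extracted container filesystem), reads the version from the Maven pom.properties that Apache ships inside every log4j-core jar, and classifies each jar against the 2.17.1 threshold named above. A jar whose JndiLookup class has been deleted is reported as "mitigated", since that is Apache's other documented workaround. The threshold is a simplification: Apache's 2.12.x and 2.3.x backports are also fixed but would be reported as affected here. The sample jars built by `build_sample_tree` are constructed stand-ins, not real Log4j builds.

```python
"""Inventory Log4j 2 jars below a directory and flag the ones that still need
replacing. Added example for this article, not Kofax code."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)  # version shipped with RPA 11.2.0.7 per the article


@dataclass
class Finding:
    path: str
    version: Optional[str]  # None when no pom.properties was found
    jndi_present: bool
    status: str             # "fixed", "mitigated", "affected" or "unknown"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a suffix such as '-rc1' is ignored."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_jar(path: str) -> Optional[Finding]:
    """Classify one jar; None for jars that are not log4j-core (log4j-api, log4j 1.x, ...)."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS not in names and JNDI_LOOKUP not in names:
                return None
            version = None
            if POM_PROPS in names:
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            jndi = JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None
    if version is None:
        status = "unknown"
    elif parse_version(version) >= FIXED_VERSION:
        status = "fixed"
    elif not jndi:
        status = "mitigated"   # JndiLookup.class removed from the jar
    else:
        status = "affected"
    return Finding(path, version, jndi, status)


def scan(root: str) -> List[Finding]:
    """Walk root and inspect every *.jar (case-insensitive) below it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def summarize(root: str) -> Dict[str, str]:
    """{basename: status} for every log4j-core jar under root."""
    return {os.path.basename(f.path): f.status for f in scan(root)}


def build_sample_tree(root: str) -> None:
    """Write constructed stand-in jars (not real Log4j builds) for the demo and test."""
    def jar(name: str, version: Optional[str], with_jndi: bool, extra: Optional[str] = None) -> None:
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            if version is not None:
                z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_jndi:
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic is enough here
            if extra is not None:
                z.writestr(extra, b"")
    jar("log4j-core-2.14.1.jar", "2.14.1", True)            # pre-fix version: affected
    jar("log4j-core-2.17.1.jar", "2.17.1", True)            # the replacement jar: fixed
    jar("log4j-core-2.14.1-stripped.jar", "2.14.1", False)  # JndiLookup deleted: mitigated
    jar("log4j-api-2.14.1.jar", None, False, "org/apache/logging/log4j/Logger.class")  # ignored


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)
    for f in scan(root):
        print(f"{f.status:<9} {f.version or '?':<8} jndi={f.jndi_present!s:<5} {f.path}")
```

Run it as `python scan_log4j.py "<Kofax RPA installation folder>"` (for a container, against a `docker export` tree). It only looks at stand-alone jars; a log4j-core shaded into another jar would not be found, so treat an empty result as "nothing obvious", not as proof.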
Docker deployments
To replace the files in a Docker environment, follow one of the methods below:
Method 1: Build a new image layer on top of the existing image that removes the old jar files and adds the new ones.
Method 2: Replace the files inside the running container (e.g. using a shell) and then restart the container. Note that such changes live only in that container's writable layer: recreating the container from the image (on redeploy or scale-out) discards them, so Method 1 is the durable option.
Alternative Option
The behavior can be mitigated by setting the Java system property log4j2.formatMsgNoLookups to "true". This property only exists in Log4j 2.10 and later, and following CVE-2021-45046 Apache no longer considers it a sufficient mitigation, so treat it as a stopgap until the jar files are replaced or RPA is upgraded. In Kofax RPA it can be set as follows:
For RoboServer, Design Studio or Management Console in embedded mode:
- open common.conf file from the <Kofax RPA installation folder>\bin for editing
- add an additional java parameter:
wrapper.java.additional.<n>=-Dlog4j2.formatMsgNoLookups=true
<n> - the next available id for an additional parameter. e.g. wrapper.java.additional.9=-Dlog4j2.formatMsgNoLookups=true
- save common.conf
- restart RoboServer
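The only fiddly part of the common.conf step is picking `<n>`. The Java Service Wrapper reads wrapper.java.additional.<n> as a numbered sequence and by default stops at the first gap (unless wrapper.ignore_sequence_gaps=TRUE), so a property placed after a gap is silently ignored. The helper below, an added example and not Kofax code, takes the lowest unused index, skips commented-out lines, and is idempotent so it can be run on every host. SAMPLE_CONF is a constructed stand-in, not a real RPA common.conf.

```python
"""Append -Dlog4j2.formatMsgNoLookups=true to a Java Service Wrapper config
(RPA's bin\\common.conf) at the lowest free wrapper.java.additional.<n> index.
Added example for this article, not Kofax code."""
import re
from typing import Dict

WRAPPER_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
NO_LOOKUPS = "-Dlog4j2.formatMsgNoLookups=true"


def wrapper_properties(conf_text: str) -> Dict[int, str]:
    """Map index -> value for every active (non-comment) wrapper.java.additional.<n> line."""
    found: Dict[int, str] = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = WRAPPER_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def next_free_index(props: Dict[int, str]) -> int:
    """Lowest unused index, so the new entry lands inside the contiguous run the wrapper reads."""
    n = 1
    while n in props:
        n += 1
    return n


def has_no_lookups(conf_text: str) -> bool:
    """True when the flag is already present in the numbered sequence."""
    return NO_LOOKUPS in wrapper_properties(conf_text).values()


def add_no_lookups(conf_text: str) -> str:
    """Return the config text with the flag added exactly once (idempotent)."""
    if has_no_lookups(conf_text):
        return conf_text
    n = next_free_index(wrapper_properties(conf_text))
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return f"{conf_text}wrapper.java.additional.{n}={NO_LOOKUPS}\n"


SAMPLE_CONF = """\
# constructed sample, not a real RPA common.conf
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Xmx2g
# wrapper.java.additional.3=-Dcommented.out=true
"""

if __name__ == "__main__":
    # To edit a real file: read it, pass the text through add_no_lookups, write it back.
    print(add_no_lookups(SAMPLE_CONF), end="")
```

After restarting RoboServer, confirm the flag reached the JVM (for example by checking the process command line) rather than trusting the file edit alone.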
For Management Console deployed into stand-alone Tomcat:
- open log4j2.properties from under Tomcat in webapps\ManagementConsole\WEB-INF\classes
- add this line:
formatMsgNoLookups=true
- save log4j2.properties
- restart Tomcat (or at least the ManagementConsole application)
For Robot File System (RFS):
- open log4j2.properties from under Tomcat in webapps\rfs\WEB-INF\classes
- add this line:
formatMsgNoLookups=true
- save log4j2.properties
- restart Tomcat (or at least the rfs application)
Level of Complexity
Easy
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
RPA | All | | | |