Skip to main content
Kofax

Kofax RPA CVE-2021-44228 log4j Security Exploit Information

Article # 3036972 - Page views: 7414

Issue

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Following this, CVE-2021-45046 was logged because it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. A new fix was included in Log4j 2.16.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Solution

The following table lists the RPA versions and components affected by the Log4j vulnerabilities:

 

  ManagementConsole, RoboServer, Design Studio Robot File System Desktop Automation Service
v10.6 and Earlier Not affected (doesn't use Log4j2) Not affected (doesn't use Log4j2) Not affected (doesn't use Log4j2)
v10.7 Not affected (doesn't use Log4j2) Affected Not affected (doesn't use Log4j2)
v11.0 Not affected (doesn't use Log4j2) Affected Not affected (doesn't use Log4j2)
v11.1 Affected Affected Not affected (doesn't use Log4j2)
v11.2 Affected Affected Not affected (doesn't use Log4j2)

RPA version 11.2.0.7 contains the fixed log4j2 version (log4j2.17.1).

If an upgrade is not possible (at this time), Kofax recommends replacing the log4j jar files used in RPA with the fixed versions released by Apache in the affected versions. These can be downloaded from:

Apache: https://logging.apache.org/log4j/2.x/download.html (download binaries)

or from

Maven Repository: https://mvnrepository.com/artifact/org.apache.logging.log4j

Please download the file corresponding to your version from the list below and follow the steps to replace the files in the RPA components you use (you can also find here exactly which jar files you need to download):

Replace-jars-RPA-10.7.0.x.txt

Replace-jars-RPA-11.0.0.x.txt

Replace-jars-RPA-11.1.0.x.txt

Replace-jars-RPA-11.2.0.x.txt

product_documentation_-_user_guides_Important-Icon.png

DO NOT replace the log4j v1.x jar files with log4j v2.x jar files in the RPA versions 11.0 and earlier.

These versions were only tested with log4j v1.x and do not support log4j v2.x.

If your environment needs to be upgraded to use log4j v2.x then the RPA version should be upgraded to v11.2 first (this version supports log4j v2.x and the latest fix pack uses log4j v2.17.1)

Docker deployments

To replace the files in a Docker environment, follow one of the methods below:

Method1: Make a new layer on top of the already created images to remove the old files and add the new

Method2: Replace the files in a running container (e.g. using a shell) and then restart the container

Alternative Option

The behavior can be mitigated by setting the java parameter log4j2.formatMsgNoLookups to "true". In Kofax RPA this can be accomplished by following these steps:

For RoboServer, Design Studio or Management Console in embedded mode:

- open common.conf file from the <Kofax RPA installation folder>\bin for editing
- add an additional java parameter:

wrapper.java.additional.<n>=-Dlog4j2.formatMsgNoLookups=true

<n> - the next available id for an additional parameter. e.g. wrapper.java.additional.9=-Dlog4j2.formatMsgNoLookups=true

- save common.conf
- restart RoboServer

For Management Console deployed into stand-alone Tomcat:

- open log4j2.properties from under Tomcat in webapps\ManagementConsole\WEB-INF\classes
- add this line:

formatMsgNoLookups=true

- save log4j2.properties
- restart Tomcat (or at least the ManagementConsole application)

For Robot File System (RFS):

- open log4j2.properties from under Tomcat in webapps\rfs\WEB-INF\classes
- add this line:

formatMsgNoLookups=true

- save log4j2.properties
- restart Tomcat (or at least the rfs application)

 

Level of Complexity 

Easy

 

Applies to  

Product Version Build Environment Hardware
RPA All      
  • Was this article helpful?