Kofax TotalAgility and CVE-2021-44228 log4j Security Exploit Information
Issue
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
This issue only impacts KTA 7.10.
Solution
Kofax TotalAgility versions 7.9 or below use log4j version 1, which is not affected by the vulnerability.
In KTA 7.10, the log4j2 library is present only in the Kofax Ricoh Android registration tool, which is used to install the Kofax Ricoh Android client on Ricoh Android MFP devices. Once the Android client has been installed on the devices successfully, the registration tool is no longer used and can therefore be removed.
Furthermore, you can use the Web Image Monitor (WIM) provided by the device platform to upload and deploy the Ricoh client to the device instead of the registration tool. Therefore, you can also delete the tool installed under the following (default) location: c:\Program Files\Kofax\TotalAgility\Agility.Server.Web\Resources\Share\MFPClients\ricoh\RicohAndroidRegistration. Once it is removed, the log4j2 library no longer exists in KTA 7.10.
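As an added example (not part of this article and not a Kofax-supplied tool), the following PowerShell script inventories log4j-core jars under a KTA installation, flags any version in the range CVE-2021-44228 covers, and can optionally remove the registration tool folder named above once the Ricoh Android client has been deployed; the install root and parameter names are assumptions based on the default path given here.

```powershell
# Added example, not Kofax tooling: inventory log4j-core jars under a KTA install,
# flag versions <= 2.14.1 (the range CVE-2021-44228 covers), and optionally remove
# the Ricoh Android registration tool folder. $KtaRoot is an assumption based on
# the default path in the article; adjust it for a non-default install.
param(
    [string]$KtaRoot = 'C:\Program Files\Kofax\TotalAgility',
    [switch]$RemoveRegistrationTool   # use only after the Ricoh Android client is installed on the devices
)

$RegToolPath = Join-Path $KtaRoot 'Agility.Server.Web\Resources\Share\MFPClients\ricoh\RicohAndroidRegistration'

# Log4j2 releases up to and including 2.14.1 are affected by CVE-2021-44228.
$lastAffected = [version]'2.14.1'

$findings = Get-ChildItem -Path $KtaRoot -Recurse -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Take the version from the jar name, e.g. log4j-core-2.14.1.jar -> 2.14.1
        if ($_.Name -match '^log4j-core-(\d+\.\d+(\.\d+)?)\.jar$') {
            $v = [version]$Matches[1]
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $v
                Affected = ($v -le $lastAffected)
            }
        }
    }

if (-not $findings) {
    # log4j 1.x jars (used by KTA 7.9 and earlier) are not matched and are not affected by this CVE.
    Write-Output "No log4j-core jars found under $KtaRoot."
} else {
    $findings | Format-Table -AutoSize
}

# Optional cleanup: the registration tool is only needed until the Ricoh Android
# client has been installed on the devices (or WIM is used to deploy it instead).
if ($RemoveRegistrationTool -and (Test-Path $RegToolPath)) {
    Remove-Item -Path $RegToolPath -Recurse -Force
    Write-Output "Removed $RegToolPath"
    # Re-check so the operator can confirm no affected jars remain after removal.
    $remaining = Get-ChildItem -Path $KtaRoot -Recurse -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue
    Write-Output ("log4j-core jars remaining: {0}" -f @($remaining).Count)
}
```

Run it first without -RemoveRegistrationTool to see what is present, then with the switch once the Android client deployment is complete.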
There is a similar vulnerability also identified in log4j version 1: CVE-2021-4104. However, it affects only applications that use JMSAppender. KTA is not impacted by this, as it does not use the JMSAppender.
Level of Complexity
Easy
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
KTA | 7.10 | | | |
Ricoh SDK/Java Client | | | | Ricoh MFP Devices |