Kofax TotalAgility and CVE-2022-23307/CVE-2020-9493 Security Exploit Information
Issue
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Solution
Kofax TotalAgility versions 7.9 or below use log4j version 1, which is affected by the vulnerability.
Apache Chainsaw exists in the log4j library in the Kofax Ricoh registration tool and the Kofax Ricoh client for Ricoh MFP devices. After installing the Ricoh client to the devices, the registration tool is not used, and can be removed.
You can delete the Ricoh client in the following location (default): c:\Program Files\Kofax\TotalAgility\Agility.Server.Web\Resources\Share\MFPClients\ricoh. This will mean the log4j library will not exist in your KTA installation.
Furthermore, you can use the Web Image Monitor (WIM) provided by the device platform to upload and deploy the Ricoh client to the device.
In KTA 7.10 the log4j2 library exists in the Kofax Ricoh registration tool to install the Kofax Ricoh client to the Ricoh MFP devices. However, log4j2 does not have the Apache Chainsaw component by default and is not affected by this vulnerability.
Level of Complexity
Easy
Applies to
| Product | Version | Build | Environment | Hardware |
|---|---|---|---|---|
| KTA | 7.9 or below |
Ricoh SDK/Java Client | Ricoh MFP Devices |