Log4j Vulnerability

This Knowledge Base article will be updated as more information becomes available.

[Update 5/3/2022] In Transact 2022.1.00, Log4j has been updated to version 2.17.1.
[Update 1/3/22] CVE-2021-44832: Apache Log4j2 is vulnerable to remote code execution (RCE) via the JDBC Appender when an attacker controls the logging configuration. The risk associated with this vulnerability is low, as JNDI source names are limited in the Transact integration.
[Update 12/20/21] Apache announced CVE-2021-45105, related to the Log4j Thread Context Map (MDC). See the CVE-2021-45105 section below for more information.
[Update 12/16/21] Information on security scanning software added.
[Update 12/15/21] Apache announced the second vulnerability in Log4j, CVE-2021-45046, affecting the JndiLookup class. Ephesoft confirmed that the original patched mitigation steps resolve this vulnerability because the patch files do not include the JndiLookup class.
[Update 12/13/21] Information on the handling of log4j-1*.jar added.
[Update 12/11/21 7:15pm PST] All Transact Cloud servers have been patched.
[Update 12/11/21 12:00pm PST] Ephesoft released patched log4j-core-2*.jar files mitigating the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

Issue

On December 10, 2021, a critical vulnerability (CVE-2021-44228, widely known as Log4Shell) was publicly disclosed in Apache Log4j, an open-source Java logging package used by many popular applications. A server that logs attacker-controlled input with a vulnerable Log4j 2 version can be made to fetch and execute remote code. The vulnerability affects many applications, including Ephesoft Transact.

For more information about this vulnerability, please visit the Apache website.

Mitigation Steps

Transact On-Premise, versions 4.5 through 2020.1.06:

To apply the patch released by Ephesoft:

  1. Stop the Transact server service.
  2. Locate every log4j-core-2*.jar file in the following directories and rename its extension from JAR to BAK. Note the version in each file name: the patched replacement must be the same version, and it goes in the same location.
    • [Ephesoft_Directory]\Application\WEB-INF\lib
    • [Ephesoft_Directory]\Dependencies\license-util\libs\stdlibs
    • [Ephesoft_Directory]\EphesoftReports\WEB-INF\lib
    • [Ephesoft_Directory]\JavaAppServer\bin
  3. For each file backed up in step 2, download the patched file of the same version from the Customer Support Portal download page and place it where the original was. These patched files mitigate CVE-2021-44228 (verified with the CISA Log4j Scanner on January 6th, 2022) and CVE-2021-45046.

Note: If you encounter a log4j-core-2*.jar release version for which no patched file is provided, please contact support and submit the file for review before starting the vulnerability mitigation process.

  4. Start the Transact server service and verify accessibility.

log4j-1*.jar Files

In older versions of Transact, you may encounter log4j-1*.jar files. These Log4j 1.x JARs do not contain the JndiLookup class and are not affected by CVE-2021-44228 or CVE-2021-45046, so they do not need to be replaced as part of this procedure.

CVE-2021-45105

Transact's Log4j configuration is not set up in a way that lets the Thread Context Map (MDC) be exploited, so the risk associated with this vulnerability is low unless the default Log4j configuration shipped with Transact has been modified. Apache Log4j 2.17, which fixes this issue, is not compatible with Transact releases before 2022.1.00.

Reminder: We recommend clients keep up to date with Transact and our Product Support Version Policy to ensure you receive the latest updates. The Log4j security vulnerability will be resolved in our Transact Spring 2022 release.

Security Scanning Software

Security scanning software often identifies Log4j by the version string in a JAR name or manifest rather than by checking whether the vulnerable JndiLookup class is still present inside the file. Because the patched files Ephesoft has released keep their original version, such scanners may continue to alert on the Log4j vulnerability after the patched files are applied. Clients may test the patches for CVE-2021-44228 with the Log4j Scanner provided by the Cybersecurity and Infrastructure Security Agency (CISA) to confirm that the vulnerability has been resolved.
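The following Python script is an added example, not Ephesoft's or Apache's code. It automates the on-premise mitigation steps above (locate the log4j-core-2*.jar files, rename them to .bak, install a patched JAR only if it is the same version) and performs the check that version-only scanners skip: it opens each JAR and tests whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside. It walks the whole install root rather than only the four listed directories. The install tree and JARs it runs against are constructed fixtures (the version 2.13.3, the placeholder class entries and the temporary folder names are assumptions for the demo), not files from a Transact installation or from the Customer Support Portal.

```python
"""Added example (not Ephesoft's code): audit and patch log4j-core JARs per the KB steps."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# The class behind CVE-2021-44228 / CVE-2021-45046; Ephesoft's patched JARs omit it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core JARs record their version here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"^log4j-core-(2[\w.\-]*)\.jar$", re.IGNORECASE)


def jar_version(jar: Path) -> str:
    """Version from pom.properties when present, otherwise from the file name."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPERTIES in zf.namelist():
            for line in zf.read(POM_PROPERTIES).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    match = JAR_NAME.match(jar.name)
    return match.group(1) if match else "unknown"


def has_jndi_lookup(jar: Path) -> bool:
    """The check a version-only scanner skips: is JndiLookup.class still shipped?"""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def audit(root: Path) -> list:
    """Report every log4j-core-2*.jar under the install root (all directories, not just the four listed)."""
    return [{"path": jar.relative_to(root).as_posix(),
             "version": jar_version(jar),
             "jndi_lookup": has_jndi_lookup(jar)}
            for jar in sorted(root.rglob("log4j-core-2*.jar"))]


def back_up(jar: Path) -> Path:
    """Step 2: rename .jar to .bak without clobbering an earlier backup."""
    bak = jar.with_suffix(".bak")
    if bak.exists():
        raise FileExistsError(f"backup already exists: {bak}")
    jar.rename(bak)
    return bak


def install_patched(bak: Path, patched: Path) -> Path:
    """Step 3: copy the patched JAR into place; refuse a version mismatch or a JAR that still has JndiLookup."""
    original, replacement = jar_version(bak), jar_version(patched)
    if original != replacement:
        raise ValueError(f"version mismatch: original {original}, patched {replacement}")
    if has_jndi_lookup(patched):
        raise ValueError(f"{patched.name} still contains {JNDI_LOOKUP_CLASS}")
    target = bak.with_suffix(".jar")
    shutil.copyfile(patched, target)
    return target


def make_sample_jar(path: Path, version: str, with_jndi: bool) -> Path:
    """Constructed fixture, not a real Log4j build: pom.properties plus an optional empty JndiLookup.class entry."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo() -> dict:
    """Run the procedure against a constructed install tree; version 2.13.3 is an assumed value."""
    root = Path(tempfile.mkdtemp(prefix="transact-"))
    downloads = Path(tempfile.mkdtemp(prefix="support-portal-"))  # outside root so audit() ignores it
    ver = "2.13.3"
    first = make_sample_jar(root / "Application/WEB-INF/lib" / f"log4j-core-{ver}.jar", ver, True)
    second = make_sample_jar(root / "JavaAppServer/bin" / f"log4j-core-{ver}.jar", ver, True)
    patched = make_sample_jar(downloads / f"log4j-core-{ver}.jar", ver, False)
    wrong = make_sample_jar(downloads / "log4j-core-2.17.1.jar", "2.17.1", False)

    before = audit(root)
    bak = back_up(first)
    try:  # a patched file of another version must be rejected, as step 2 requires
        install_patched(bak, wrong)
        rejected = False
    except ValueError:
        rejected = True
    install_patched(bak, patched)
    install_patched(back_up(second), patched)
    return {"before": before, "after": audit(root), "wrong_version_rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `audit()` at a real [Ephesoft_Directory] to get the before picture; any entry with `jndi_lookup` still true after patching is a JAR that was missed or replaced with the wrong file, regardless of what a version-based scanner reports.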