{"id":50107,"date":"2021-12-10T17:46:45","date_gmt":"2021-12-11T00:46:45","guid":{"rendered":"https:\/\/ephesoft.com\/docs\/?post_type=docs&#038;p=50107"},"modified":"2024-02-02T10:06:52","modified_gmt":"2024-02-02T17:06:52","slug":"log4j-vulnerability","status":"publish","type":"docs","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/","title":{"rendered":"Log4j Vulnerability"},"content":{"rendered":"<p>*This Knowledge Base article will be updated as more information becomes available.<\/p>\n<p><em>[Update 5\/3\/2022] In Transact 2022.1.00, log4j has been updated to version 2.17.1.<br \/>\n[Update 1\/3\/22] <\/em><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44832\"><em>CVE-2021-44832<\/em><\/a><em>: Apache Log4j2 is vulnerable to remote code execution (RCE) via the JDBC Appender when an attacker controls configuration. The risk associated with this vulnerability is low as JNDI source names are limited in Transact integration.<br \/>\n[Update 12\/20\/21] Apache announced the <\/em><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45105\"><em>CVE-2021-45105<\/em><\/a><em> vulnerability related to the Log4j Thread Context Map (MDC). See the<\/em> <a href=\"#post-50107-_uiqpqqrqp53c\"><em>CVE-2021-45105<\/em><\/a><em> section below for more information.<\/em><br \/>\n<em>[Update 12\/16\/21] Information on security scanning software added.<br \/>\n[Update 12\/15\/21] Apache announced the second vulnerability in Log4j, <\/em><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45046\"><em>CVE-2021-45046<\/em><\/a><em>, that affected the JndiLookup class. Ephesoft confirmed that the original patched mitigation steps resolve this vulnerability because the patch files do not include the JndiLookup class.<br \/>\n[Update 12\/13\/21] Information on the handling of log4j-1*.jar added.<br \/>\n[Update 12\/11\/21 7:15pm PST] All Transact Cloud servers have been patched.<br \/>\n[Update 12\/11\/21 12:00pm PST] Ephesoft released patched log4j-core-2*.jar files mitigating <\/em><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44228\"><em>CVE-2021-44228<\/em><\/a><em> and <\/em><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45046\"><em>CVE-2021-45046<\/em><\/a><em> vulnerabilities.<\/em><\/p>\n<h2><a id=\"post-50107-_8lfauyt9dzf\"><\/a><strong>Issue<\/strong><\/h2>\n<p>On December 10th, 2021, a global and widespread critical vulnerability was discovered in Apache Log4j, an open-source Java package used to enable logging in many popular applications. This vulnerability can be exploited to allow remote code execution on servers. It affects several applications, including Ephesoft Transact.<\/p>\n<p>For more information about this vulnerability, please visit the <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html\">Apache<\/a> website.<\/p>\n<h2><a id=\"post-50107-_hq1ii15pcxyz\"><\/a>Mitigation Steps<\/h2>\n<p><strong>Transact On-Premise users versions 4.5-2020.1.06:<\/strong><\/p>\n<p>To apply the patch released by Ephesoft:<\/p>\n<ol>\n<li>Stop the Transact server service.<\/li>\n<li>Locate any log4j-core-2*.jar files in the following directories and rename the JAR extension to BAK. Notate the version of the file as the same patched version. That file will need to be used in its place.\n<ul>\n<li>[<em>Ephesoft_Directory<\/em>]\\Application\\WEB-INF\\lib<\/li>\n<li>[<em>Ephesoft_Directory<\/em>]\\Dependencies\\license-util\\libs\\stdlibs<\/li>\n<li>[<em>Ephesoft_Directory<\/em>]\\EphesoftReports\\WEB-INF\\lib<\/li>\n<li>[<em>Ephesoft_Directory<\/em>]\\JavaAppServer\\bin<\/li>\n<\/ul>\n<\/li>\n<li>For the following files that were backed up, download and replace with the patched version from the <a href=\"https:\/\/support.ephesoft.com\">Customer Support Portal<\/a> download page. These patched files mitigate CVE-2021-44228 (verified with the <a href=\"https:\/\/github.com\/cisagov\/log4j-scanner\">CISA Log4j Scanner<\/a> on January 6th, 2022) and CVE-2021-45046.\n<ul>\n<li>Download <a href=\"https:\/\/ephesoft.force.com\/s\/download\">log4j-core-2.8.2.jar<\/a><\/li>\n<li>Download <a href=\"https:\/\/ephesoft.force.com\/s\/download\">log4j-core-2.11.2.jar<\/a><\/li>\n<li>Download <a href=\"https:\/\/ephesoft.force.com\/s\/download\">log4j-core-2.12.1.jar<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><strong>Note:<\/strong> If you encounter a log4j-core-2*.jar release version not listed above, please <a href=\"https:\/\/ephesoft.force.com\/login?ec=302&amp;startURL=%2Fs%2Fcontactsupport\">contact support<\/a> and submit the file for review before starting the vulnerability mitigation process.<\/p>\n<ol start=\"3\">\n<li>Start the Transact server service and verify accessibility.<\/li>\n<\/ol>\n<h2><a id=\"post-50107-_9gn1w7f5f5x3\"><\/a>log4j-1*.jar Files<\/h2>\n<p>In older versions of Transact, you may encounter log4j-1*.jar files. These instances of log4j 1.x are not affected by this vulnerability.<\/p>\n<h2><a id=\"post-50107-_uiqpqqrqp53c\"><\/a>CVE-2021-45105<\/h2>\n<p>Transact&#8217;s implementation of Log4j is not set so that the Thread Context Map (MDC) can be exploited. The risk associated with this vulnerability is low unless the Thread Context Map has been compromised from how Log4j was set up from default. Apache Log4j 2.17 is not compatible with Transact releases.<\/p>\n<p><strong>Reminder:<\/strong> We recommend clients keep up to date with Transact and our <a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/announcements\/product-announcements\/product-support-version-policy\/\">Product Support Version Policy<\/a> to ensure you receive the latest updates. The Log4j security vulnerability will be resolved in our Transact Spring 2022 release.<\/p>\n<h2><a id=\"post-50107-_4xh4kgwo5axb\"><\/a>Security Scanning Software<\/h2>\n<p>Security scanning software programs may not do a deep analysis on whether the Log4j vulnerability still exists within the patched files Ephesoft has released. As a result, security scanning software may still alert of the Log4j vulnerability after these patched files are applied. Clients may test the patches for CVE-2021-44228 by using the Log4j Scanner provided by the Cybersecurity and Infrastructure Security Agency (CISA) to confirm that the vulnerability has been resolved.<\/p>\n","protected":false},"featured_media":0,"parent":35900,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","doc_tag":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v19.0 (Yoast SEO v22.1) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Log4j Vulnerability | Ephesoft Docs<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Log4j Vulnerability\" \/>\n<meta property=\"og:description\" content=\"*This Knowledge Base article will be updated as more information becomes available. [Update 5\/3\/2022] In Transact 2022.1.00, log4j has been [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"Ephesoft Docs\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-02T17:06:52+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/\",\"url\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/\",\"name\":\"Log4j Vulnerability | Ephesoft Docs\",\"isPartOf\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\"},\"datePublished\":\"2021-12-11T00:46:45+00:00\",\"dateModified\":\"2024-02-02T17:06:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/ephesoft.com\/docs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Transact\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Release Notes and Software Updates\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Log4j Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\",\"url\":\"https:\/\/ephesoft.com\/docs\/\",\"name\":\"Ephesoft Docs\",\"description\":\"Intelligent Document Processing Made Easy\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/ephesoft.com\/docs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Log4j Vulnerability | Ephesoft Docs","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Log4j Vulnerability","og_description":"*This Knowledge Base article will be updated as more information becomes available. [Update 5\/3\/2022] In Transact 2022.1.00, log4j has been [&hellip;]","og_url":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/","og_site_name":"Ephesoft Docs","article_modified_time":"2024-02-02T17:06:52+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/","url":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/","name":"Log4j Vulnerability | Ephesoft Docs","isPartOf":{"@id":"https:\/\/ephesoft.com\/docs\/#website"},"datePublished":"2021-12-11T00:46:45+00:00","dateModified":"2024-02-02T17:06:52+00:00","breadcrumb":{"@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/log4j-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ephesoft.com\/docs\/"},{"@type":"ListItem","position":2,"name":"Transact","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/"},{"@type":"ListItem","position":3,"name":"Release Notes and Software Updates","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/"},{"@type":"ListItem","position":4,"name":"Log4j Vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/ephesoft.com\/docs\/#website","url":"https:\/\/ephesoft.com\/docs\/","name":"Ephesoft Docs","description":"Intelligent Document Processing Made Easy","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ephesoft.com\/docs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"comment_count":0,"_links":{"self":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/50107"}],"collection":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/comments?post=50107"}],"version-history":[{"count":35,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/50107\/revisions"}],"predecessor-version":[{"id":51180,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/50107\/revisions\/51180"}],"up":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/35900"}],"next":[{"title":"Transact Generic Hotfixes","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/transact-gerneric-hotfixes\/","href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/51380"}],"prev":[{"title":"Product Support Version Policy","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/release-notes\/product-support-version-policy\/","href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/47191"}],"wp:attachment":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/media?parent=50107"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/doc_tag?post=50107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}