Affected Components: Fabasoft Cloud, Fabasoft Folio
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, Basic Score: 10.0 (Critical)
First published: 13.12.2021
Informations for another Log4j issues CVE-2021-45046 and CVE-2021-45105 see at the end of this article.
A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 (including beta versions) up to and including 2.14.1. This allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
In order to exploit this flaw you need:
- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data.
- A log statement in the endpoint that logs the attacker controlled data.
A lot of software products and libraries use the Log4j library and therefore may be affected.
The following Fabasoft products may be affected by the vulnerability:
- Fabasoft Business Process Cloud
- Fabasoft Folio/eGov-Suite 2021 April Release (21.4.x)
- Fabasoft Folio/eGov-Suite 2021 July Release (21.7.x)
- Fabasoft Folio/eGov-Suite 2021 November Release (21.11.x)
- Fabasoft Folio/eGov-Suite 2021 Release, Update Rollup 1 and Update Rollup 2
- Fabasoft Folio/eGov-Suite 2022
- All versions below Fabasoft Folio/eGov-Suite 2021
- Fabasoft Mindbreeze Enterprise (all versions)
- Fabasoft app.telemetry (all versions)
Fabasoft Folio Client and Fabasoft Cloud Client are not affected in any version of Fabasoft Folio / Fabasoft eGov-Suite.
Double-Check for usage
You can check for the used library by doing a file search on your Fabasoft Folio and Mindbreeze servers:
Search for log4j* in:
Windows Folio: C:\Program Files\Fabasoft\
Windows Folio: C:\ProgramData\Fabasoft\INSTALLDIR
Windows Mindbreeze Enterprise: Search the full server for log4j*
Linux Folio: /var/opt/fabasoft/cache/INSTALLDIR
Linux Mindbreeze Enterprise: Search the full server for log4j*
Developing own solutions
If your company is developing own solutions or apps for your Fabasoft Folio installation with Java, check your repository for any Log4j dependencies. Also check all other used Java libraries that they haven't packaged the impacted Log4j library.
Solution in the Fabasoft Business Process Cloud
A hotfix was applied in the Fabasoft Business Process Cloud at 13. December 2021.
Mitigation measures were applied before. So far, there is no indication that the vulnerability has been exploited.
Although not affected, a version using log4j version 2.16.0 was applied in the Fabasoft Business Process Cloud at 19. December 2021.
Although not affected, a version using log4j version 2.17.0 was applied in the Fabasoft Business Process Cloud at 21. December 2021.
Hotfix information for Fabasoft Folio and Fabasoft eGov-Suite
Currently, a hotfix is available for:
Fabasoft Folio 2021 November Release (build 22.214.171.124)
Fabasoft eGov-Suite 2021 November Release (build 126.96.36.199.007)
Please contact Fabasoft Enterprise Support to request a hotfix package for this version. The hotfixed products use at least log4j version 2.17.0.
Mitigation for Fabasoft Folio
It is strongly recommended to install the provided hotfix for Fabasoft Folio 2021 November Release or Fabasoft eGov-Suite 2021 November Release.
With a Java option for Log4j, the LDAP lookup, that causes the vulnerability, may be disabled.
For affected Fabasoft Folio 2021 versions, please use this workaround to disable the vulnerability on all servers:
- Locate the file C:\ProgramData\Fabasoft
- Open the file coomk.upd
- If no entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= is present, add
- If the entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= already exists with other parameters, add
(using a blank so seperate the entries)
Restart all Kernel instances on that machine.
Fabasoft Folio environment variables can be configured in two ways, see https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Envir... details.
Option 1 - Per server configuration
- Navigate to /etc/fabasoft/settings/users/fscsrv/Software/Fabasoft/Environment
- If not existing, create a directory COOJAVA_JVMOPTIONS or change to this directory.
- Create or edit a file named registry.default
- Add the following into the file
- Make sure that no line-break is on the end of the file.
- Restart all Kernel instances on that machine.
Option 2 - Per service configuration
Also if using option 1, double-check that the server-wide setting is not overwritten by the per-service configuration.
- Repeat these steps for each <instance>:
- Navigate /var/opt/fabasoft/instances/<instance>/env
- Check or create for a file named COOJAVA_JVMOPTIONS
Add the following into the file
Make sure that no line-break is on the end of the file.
Restart all Kernel instances on that machine.
Log4j 2.15.0. Vulnerability CVE-2021-45046 and Log4j 2.16.0 Vulnerability CVE-2021-45105
Additional vulnerabilities have been reported by the Log4j project (CVE-2021-45046 and CVE-2021-45105) when the logging configuration uses a non-default pattern layout.
Fabasoft Folio does not use the specific pattern layout in its code, therefore no Fabasoft Folio version and the Fabasoft Business Process Cloud are or were affected.
Nevertheless Fabasoft will update the Log4j library to version 2.17.0 to close CVE-2021-45105 in the hotfixed versions for CVE-2021-44228, and for all future releases.
Fabasoft Mindbreeze Enterprise does not use any of the vulnerable features, therefore no Fabasoft Mindbreeze Enterprise version is affected.
Log4j 1.2 Vulnerability CVE-2021-4104
During investigations another vulnerability for Log4j Version 1.2 was identified, that is listed under CVE-2021-4104 with CVSS v3 Base Score 8.1 (High).
No Fabasoft Folio version is affected by CVE-2021-4104.