Apache Log4j Security Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

Last update: 22 December 2021

ID: FSC31322

Affected Components: Fabasoft Cloud, Fabasoft Folio

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, Base Score: 10.0 (Critical)

Status: Final

First published: 13.12.2021

CVEs: CVE-2021-44228

Information on the other Log4j issues CVE-2021-45046 and CVE-2021-45105 is given at the end of this article.

Information

A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 (including beta versions) up to and including 2.14.1. It allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value containing a JNDI lookup that points to the attacker's LDAP server.

In order to exploit this flaw, an attacker needs:

  • A remotely accessible endpoint using any protocol (HTTP, TCP, etc.) that allows the attacker to send arbitrary data.
  • A log statement in the endpoint that logs the attacker-controlled data.

Many software products and libraries use the Log4j library and may therefore be affected.

Fabasoft Products

The following Fabasoft products may be affected by the vulnerability:

  • Fabasoft Business Process Cloud
  • Fabasoft Folio/eGov-Suite 2021 April Release (21.4.x)
  • Fabasoft Folio/eGov-Suite 2021 July Release (21.7.x)
  • Fabasoft Folio/eGov-Suite 2021 November Release (21.11.x)

Not affected:

  • Fabasoft Folio/eGov-Suite 2021 Release, Update Rollup 1 and Update Rollup 2
  • Fabasoft Folio/eGov-Suite 2022
  • All versions below Fabasoft Folio/eGov-Suite 2021
  • Fabasoft Mindbreeze Enterprise (all versions)
  • Fabasoft app.telemetry (all versions)

Fabasoft Folio Client and Fabasoft Cloud Client are not affected in any version of Fabasoft Folio / Fabasoft eGov-Suite.

Double-Check for usage

You can check whether the library is present by doing a file search on your Fabasoft Folio and Mindbreeze servers.

Search for log4j* in:

  • Windows Folio: C:\Program Files\Fabasoft\
  • Windows Folio: C:\ProgramData\Fabasoft\INSTALLDIR
  • Windows Mindbreeze Enterprise: Search the full server for log4j*
  • Linux Folio: /var/opt/fabasoft/cache/INSTALLDIR
  • Linux Mindbreeze Enterprise: Search the full server for log4j*
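The file search above only tells you that a Log4j jar exists; the following added example (not part of the advisory, not Fabasoft code) walks the advisory's search roots, reads each log4j*.jar's manifest and classifies it against the 2.17.0 level the hotfixed products ship. It assumes release jars carry an Implementation-Version manifest entry; the SEARCH_ROOTS default and the fixture jar built by make_test_jar are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

SEARCH_ROOTS = [Path("/var/opt/fabasoft/cache"), Path(r"C:\ProgramData\Fabasoft")]  # from the advisory
FIXED = (2, 17, 0)   # the hotfixed products ship at least this Log4j version
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(manifest: str):
    # Implementation-Version as a 3-tuple (None if absent); "2.0-beta9" -> (2, 0, 0), also affected
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
    parts = [int(p) for p in m.group(1).split(".")] if m else None
    return tuple((parts + [0, 0, 0])[:3]) if parts else None

def assess_jar(data: bytes):
    # Classify one jar given as bytes -> (version, jndi_lookup_present, status)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    version = parse_version(manifest)
    jndi = JNDI_CLASS in names
    if version is None:
        status = "unknown"
    elif version < (2, 0, 0):
        status = "log4j-1.x"            # CVE-2021-44228 does not apply to 1.x
    elif version >= FIXED:
        status = "fixed"
    elif jndi:
        status = "vulnerable"           # 2.0-beta .. 2.16.x with JndiLookup present
    else:
        status = "jndilookup-removed"   # affected range, but the lookup class is gone
    return version, jndi, status

def scan(roots=SEARCH_ROOTS):
    # Walk the search roots and assess every log4j*.jar found
    return [(str(j),) + assess_jar(j.read_bytes())
            for r in roots if r.is_dir() for j in r.rglob("log4j*.jar")]

def make_test_jar(version: str, with_jndi=True) -> bytes:
    # Constructed fixture: a minimal fake jar, not a real Log4j build
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Any jar reported as "vulnerable" on a Folio server is a candidate for the hotfix or the workaround below; a "fixed" result on a Fabasoft-shipped jar indicates the hotfix is already in place.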

Developing own solutions

If your company develops its own solutions or apps for your Fabasoft Folio installation in Java, check your repository for any Log4j dependencies. Also check that none of the other Java libraries you use bundle the affected Log4j library.

Solution in the Fabasoft Business Process Cloud

A hotfix was applied in the Fabasoft Business Process Cloud on 13 December 2021.

Mitigation measures had already been applied before that. So far, there is no indication that the vulnerability has been exploited.

Although not affected by the follow-up issues described below, a version using Log4j 2.16.0 was applied in the Fabasoft Business Process Cloud on 19 December 2021.

Although not affected, a version using Log4j 2.17.0 was applied in the Fabasoft Business Process Cloud on 21 December 2021.

Hotfix information for Fabasoft Folio and Fabasoft eGov-Suite

Currently, a hotfix is available for:

Fabasoft Folio 2021 November Release (build 21.11.0.150)

Fabasoft eGov-Suite 2021 November Release (build 21.11.0.150.007)

Please contact Fabasoft Enterprise Support to request a hotfix package for this version. The hotfixed products use at least log4j version 2.17.0.

Mitigation for Fabasoft Folio

It is strongly recommended to install the provided hotfix for Fabasoft Folio 2021 November Release or Fabasoft eGov-Suite 2021 November Release.

The LDAP lookup that causes the vulnerability can be disabled with a Java option for Log4j.

For affected Fabasoft Folio 2021 versions, use the following workaround on all servers to neutralize the vulnerability:

Windows

  • Locate the directory C:\ProgramData\Fabasoft
  • Open the file coomk.upd in that directory
  • If no entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= is present, add
    HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS=-Dlog4j2.formatMsgNoLookups=true
  • If the entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= already exists with other parameters, change it to
    HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS=<someotherparameter> -Dlog4j2.formatMsgNoLookups=true
    (using a blank to separate the entries)

Restart all Kernel instances on that machine.

Linux

Fabasoft Folio environment variables can be configured in two ways, see https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Envir... details.

Option 1 - Per server configuration

  • Navigate to /etc/fabasoft/settings/users/fscsrv/Software/Fabasoft/Environment
  • Create a directory named COOJAVA_JVMOPTIONS if it does not exist, then change into it.
  • Create or edit a file named registry.default
  • Add the following to the file:
    -Dlog4j2.formatMsgNoLookups=true
  • Make sure the file does not end with a line break.
  • Restart all Kernel instances on that machine.

Option 2 - Per service configuration

Even if you use option 1, double-check that the server-wide setting is not overridden by the per-service configuration.

Repeat these steps for each <instance>:

  • Navigate to /var/opt/fabasoft/instances/<instance>/env
  • Check for, or create, a file named COOJAVA_JVMOPTIONS
  • Add the following to the file:
    -Dlog4j2.formatMsgNoLookups=true
  • Make sure the file does not end with a line break.
  • Restart all Kernel instances on that machine.
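The Windows and Linux steps above share the same pitfalls: an existing parameter list that must be extended with a blank separator, a file that must not end with a line break, and a per-service file that can override the server-wide one. The following added example (not from the advisory or Fabasoft) applies the edit idempotently; the entry name and option string come from the advisory, while the assumption that a non-empty per-service file replaces the server-wide value is mine.

```python
from pathlib import Path

OPTION = "-Dlog4j2.formatMsgNoLookups=true"
ENTRY = r"HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS="   # coomk.upd entry named in the advisory

def add_option(current: str) -> str:
    # Blank-separated JVM option list with OPTION present exactly once;
    # any earlier formatMsgNoLookups setting (e.g. =false) is replaced.
    kept = [p for p in current.split() if not p.startswith("-Dlog4j2.formatMsgNoLookups=")]
    return " ".join(kept + [OPTION])

def patch_coomk_upd(text: str) -> str:
    # Windows: add the entry if missing, otherwise extend the existing one.
    # Line-ending style and the presence of a final newline are preserved.
    eol = "\r\n" if "\r\n" in text else "\n"
    tail = eol if text.endswith("\n") else ""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(ENTRY):
            lines[i] = ENTRY + add_option(line[len(ENTRY):])
            break
    else:
        lines.append(ENTRY + OPTION)
    return eol.join(lines) + tail

def update_linux_env_file(path: Path) -> str:
    # Linux: registry.default (option 1) or <instance>/env/COOJAVA_JVMOPTIONS (option 2).
    # The advisory requires no trailing line break, so nothing is appended to the value.
    current = path.read_text() if path.is_file() else ""
    path.parent.mkdir(parents=True, exist_ok=True)
    new = add_option(current)
    path.write_text(new)
    return new

def effective_option_set(server_wide: str, per_service: str) -> bool:
    # Assumption: a non-empty per-service COOJAVA_JVMOPTIONS file replaces the
    # server-wide value, which is the override the advisory warns about.
    effective = per_service if per_service.strip() else server_wide
    return OPTION in effective.split()
```

Restart the Kernel instances after applying the change, as the advisory states; the option is read only at JVM start.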

Log4j 2.15.0 Vulnerability CVE-2021-45046 and Log4j 2.16.0 Vulnerability CVE-2021-45105

Additional vulnerabilities have been reported by the Log4j project (CVE-2021-45046 and CVE-2021-45105) when the logging configuration uses a non-default pattern layout.

Fabasoft Folio does not use this specific pattern layout in its code; therefore neither any Fabasoft Folio version nor the Fabasoft Business Process Cloud is or was affected.

Nevertheless, Fabasoft will update the Log4j library to version 2.17.0 to close CVE-2021-45105 in the hotfixed versions for CVE-2021-44228 and in all future releases.

Fabasoft Mindbreeze Enterprise does not use any of the vulnerable features, therefore no Fabasoft Mindbreeze Enterprise version is affected.

Log4j 1.2 Vulnerability CVE-2021-4104

During the investigation another vulnerability, affecting Log4j version 1.2, was identified; it is listed as CVE-2021-4104 with a CVSS v3 Base Score of 8.1 (High).

No Fabasoft Folio version is affected by CVE-2021-4104.