{"id":8712,"date":"2021-12-13T08:30:40","date_gmt":"2021-12-13T07:30:40","guid":{"rendered":"https:\/\/www.softproject.de\/en\/?p=8712"},"modified":"2022-03-09T15:53:40","modified_gmt":"2022-03-09T14:53:40","slug":"vulnerability-log4j-x4bpms-not-affected","status":"publish","type":"post","link":"https:\/\/www.softproject.de\/en\/2021\/12\/13\/vulnerability-log4j-x4bpms-not-affected\/","title":{"rendered":"Important Information: German Federal Office for Information Security reports critical vulnerability CVE-2021-44228 in Java library Log4j \u2013 X4 BPMS not affected"},"content":{"rendered":"

Update 14.12.2021

Log4j Vulnerability (CVE-2021-44228)

This is a critically rated vulnerability in the logging library Log4j up to and including version 2.14. Additional information can be found at the BSI.

The following is a description of the vulnerability tests performed.

Further notes on vulnerability tests performed by SoftProject

Possible messages during vulnerability tests

Security scanners may incorrectly flag the class de.softproject.integration.util.JNDILookup.class in the X4 client.jar file as a vulnerability. The class is not related to Log4j, so if you receive this message, you can ignore it.

The Local-Log4j-Vuln scanner incorrectly flags the class JNDIManager from the package narayana-jts-idlj and issues a corresponding message. This class is also not related to Log4j, so if you receive this message, you can ignore it.

Information on WildFly

WildFly is not affected. Official communication is available on the WildFly website.

WildFly/JBoss uses the Log4j API, but ships its own implementation based on Log4j 1.x (Log4j-JBoss-logmanager-1.x.Final.jar). The affected Log4j 2 core implementation is therefore not used.

Tests performed by SoftProject

We have checked whether the X4 BPMS is affected by the critically classified vulnerability. The result of our audit showed that X4 BPMS is not affected by the vulnerability.

Original message from 13.12.2021

A remote code execution (RCE) vulnerability was discovered in Apache Log4j 2 on December 9, 2021. Proof-of-concept (PoC) code was published, and subsequent investigation showed that exploitation is easy. By sending a specially crafted request to a vulnerable system, an attacker can, depending on the configuration of that system, instruct it to download and then execute a malicious payload.

The German Federal Office for Information Security (BSI) assesses the threat situation as extremely critical.

The vulnerability affects Log4j versions 2.0 to 2.14.1. Our checks have shown that X4 Suite versions 5.5, 5.8 and 6.x, X4 BPMS versions 7.x, and solutions based on them (e.g. X4 BiPRO Server) are not affected by the vulnerability. The WildFly Application Server supplied by SoftProject is also not affected, since it uses a Log4j implementation that does not contain the vulnerability. We will gladly provide information on older versions of the X4 Suite upon request. The Keycloak versions used from version 7.x onwards are also not affected.

Nevertheless, we recommend setting the option log4j2.formatMsgNoLookups to true by starting the Java Virtual Machine with the argument -Dlog4j2.formatMsgNoLookups=True. This prevents the vulnerability from being exploited in more recent Log4j versions that may have been added on site.

As of version 6.x, we also provide on request an X4 adapter that you as a customer can use to test your own installation of X4 Suite or X4 BPMS.

In addition, for on-premises solutions, we recommend that all surrounding systems, such as on-site web servers or proxy servers, also be examined for the above vulnerability.

There is no acute threat to customers using our Software as a Service (SaaS). The services continue to be available without restriction. Further security measures will be implemented in a short-notice maintenance window, about which we will notify you separately.

If you need support for on-premises systems, please contact our support at support@softproject.de or at +49 7243 56175-333.

Further information on this can also be found at the German Federal Office for Information Security.
