Docmosis is aware of the recently disclosed security issues (CVE-2021-44228 & CVE-2021-45046) relating to the open-source Apache Log4j (v2.0 – v2.15) utility.
After detailed examination there are no vulnerabilities for any Docmosis document generation products.
The Docmosis-Java product (as distinct from the Tornado and Cloud products) will make use of Log4j if it is configured, however, the configuration and version are not controlled by Docmosis.
We recommend that customers take action to update their applications by patching for known issues like this one.
Additional product specific information is provided below.
The issue
An exploit with Log4j allowed remote code execution (RCE). If a user can cause a system using Log4j to write a particular string to the logs, that system can be made to execute remote code.
The exploit relies on multiple things:
- Specific versions of Log4j (v2.0 – v2.15)
- The version of Java allowing the automatic execution of remote code
- The container is configured to allow the execution
- Being able to have a specific string logged
Our Response and Findings
We urgently examined this with regards to our existing systems and products.
Docmosis Cloud (DWS2 and DWS3)
- Unaffected. No component uses the affected versions of Log4j
- Additionally, DWS3 uses a Java version that prevents this.
Tornado
- Unaffected. All versions of Tornado use Log4j v1 which is not affected by these CVEs.
To be certain, our Dev team created a test build of Tornado using a known faulty version of Log4j and, with other mitigating factors also disabled, we were able to reproduce the issue. We then applied this test to Tornado builds that have been released and confirmed they are unaffected.
Further assessment by customers could include examination of logs to see if any suspicious activity was attempted:
- Check Tornado logs to see if any “bad” messages have been logged (eg: log entries that contain “jndi:” or “ldap:”)
- Check network logs to see if outbound connections were made unexpectedly
Docmosis-Java
- Will use Log4j if configured. Applications using Docmosis-Java are potentially affected
- Depends on the ability for users to log a specific string
- Depends on Log4j version
- Depends on Java version
- Depends on ability for system to contact remote systems (remote urls)
To assess applications that use Docmosis-Java:
- Assess version of Log4j iand Java in use
- Determine whether outbound connections are firewalled/contained by your infrastructure
- Check application logs and Docmosis remote converter logs to see if any “bad” messages have been logged (eg: log entries that contain “jndi:” or “ldap:”)
- Check network device logs to see whether outbound connections may have been made.
To remedy:
- Scan for possible intrusion results if affected
- Choose whether to:
- Immediately disable – setting runtime flags (log4j2.formatMsgNoLookups)
- Apply software version updates (eg: JDK, Log4j)
If you need additional assistance, please contact our Support Team.