Update 14.12.2021

Log4j Vulnerability (CVE-2021-44228)

This concerns a vulnerability rated critical in the Log4j logging library, affecting versions up to and including 2.14. Additional information can be found at the BSI.

The following is a description of the vulnerability tests performed.

Further notes on vulnerability tests performed by SoftProject

Possible messages during vulnerability tests

Security scanners may incorrectly flag the class de.softproject.integration.util.JNDILookup in the X4 client.jar file as a vulnerability. The class is not related to Log4j, so if you receive this message, you can ignore it.

The local-log4j-vuln-scanner incorrectly finds the class JNDIManager from the package narayana-jts-idlj and issues a corresponding message. The class is not related to Log4j, so if you receive this message, you can ignore it.

Information on WildFly

WildFly is not affected. Official communication is available on the WildFly website.

WildFly/JBoss uses the Log4j API but ships its own implementation based on Log4j 1.x (log4j-jboss-logmanager-1.x.Final.jar). The affected Log4j 2 core implementation is therefore not used.

Tests performed by SoftProject

We checked whether the X4 BPMS is affected by the vulnerability classified as critical. Our audit showed that X4 BPMS is not affected by it.

Test: Search for the class org.apache.logging.log4j.core.net.JndiManager (Log4j version 2.x) in our installations.
Result: No matches for this class in the entire WildFly.

Test: Check whether a Log4j version 1 is present (based on advice from the BSI): search for the class org.apache.log4j.Appender (Log4j version 1.x) in our installations.
Result: No standard Log4j 1 is present. Only the JBoss implementation was found; it is not affected.

Test: Check whether a Log4j version 2 is present: search for the class org.apache.logging.log4j.core.Appender (Log4j version 2.x) in our installations.
Result: No matches for this class in the entire WildFly.

Test: Execution of the local-log4j-vuln-scanner.
Result: The scanner incorrectly reports the class "JNDIManager" from the package "narayana-jts-idlj" and issues a corresponding message. The class is not related to Log4j, so this message can be ignored. No matches for Log4j classes in the entire WildFly.
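As an added illustration of the class searches listed above (example code written for this page, not SoftProject's tool and not the local-log4j-vuln-scanner): a Python script that walks an installation directory, opens every jar/war/ear in memory, recurses into nested archives, and reports only exact entry paths inside the archive. Matching on the full path rather than the simple class name is what keeps an unrelated JNDIManager in another package, like the narayana-jts-idlj case described above, from being reported. The sample installation the script builds is constructed; its directory layout and file names are assumptions, not a real WildFly layout.

```python
import io
import os
import tempfile
import zipfile

# Archive entries corresponding to the three class searches in the table above.
INDICATORS = {
    "org/apache/logging/log4j/core/net/JndiManager.class":
        "log4j 2.x JndiManager present (relevant for CVE-2021-44228)",
    "org/apache/logging/log4j/core/Appender.class":
        "log4j 2.x core present",
    "org/apache/log4j/Appender.class":
        "log4j 1.x API present (verify whether it is the JBoss logmanager bridge)",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive_bytes(data, label, findings, depth=0, max_depth=5):
    """Inspect one archive held in memory and recurse into nested archives.

    Entries are compared by their full path inside the archive, so a class that
    merely shares the simple name (another package's JNDIManager) is not reported.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with archive:
        for entry in archive.namelist():
            if entry in INDICATORS:
                findings.append((label, entry, INDICATORS[entry]))
            elif entry.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                scan_archive_bytes(archive.read(entry), f"{label}!{entry}",
                                   findings, depth + 1, max_depth)


def scan_tree(root):
    """Walk an installation directory; return (archive, entry, note) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    scan_archive_bytes(fh.read(), os.path.relpath(path, root), findings)
    return findings


def _jar(entries):
    """Build an in-memory jar; class entries are empty placeholder files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample installation (assumed layout, not a real WildFly tree):
    - modules/clean.jar: unrelated classes, including a decoy JNDIManager
    - modules/log4j-core-like.jar: carries the log4j 2.x core markers
    - app.ear: nests a jar carrying only the log4j 1.x Appender marker
    """
    os.makedirs(os.path.join(root, "modules"), exist_ok=True)
    with open(os.path.join(root, "modules", "clean.jar"), "wb") as fh:
        fh.write(_jar({
            "com/example/Foo.class": b"",
            # decoy: same simple name as the log4j class, different package
            "com/example/jts/JNDIManager.class": b"",
        }))
    with open(os.path.join(root, "modules", "log4j-core-like.jar"), "wb") as fh:
        fh.write(_jar({
            "org/apache/logging/log4j/core/Appender.class": b"",
            "org/apache/logging/log4j/core/net/JndiManager.class": b"",
        }))
    inner = _jar({"org/apache/log4j/Appender.class": b""})
    with open(os.path.join(root, "app.ear"), "wb") as fh:
        fh.write(_jar({"lib/legacy-logging.jar": inner}))


def demo():
    """Scan the constructed tree and return the findings sorted by archive."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for archive, entry, note in demo():
        print(f"{archive}: {entry} -> {note}")
```

Point scan_tree at the installation root (for WildFly, the directory holding modules/ and the deployments) to reproduce the three searches in one pass; a hit on the log4j 1.x Appender still needs the follow-up from the table above, namely checking whether the archive is the JBoss logmanager bridge rather than a standard Log4j 1.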

Original message from 13.12.2021

A remote code execution (RCE) vulnerability in Apache log4j 2 was discovered on December 9, 2021. Proof-of-concept (PoC) code was published, and subsequent investigation showed that exploitation was easy. By sending a specially crafted request to a vulnerable system, an attacker can, depending on the system's configuration, instruct that system to download and subsequently execute a malicious payload.

The German Federal Office for Information Security assesses the threat situation as extremely critical.

The vulnerability affects log4j versions 2.0 to 2.14.1. Our checks have shown that X4 Suite versions 5.5, 5.8 and 6.x, X4 BPMS versions 7.x, and solutions based on them (e.g. X4 BiPRO Server) are not affected by the vulnerability. The WildFly Application Server supplied by SoftProject is also not affected, since it uses a log4j implementation that does not contain the vulnerability. We will gladly provide information on older versions of the X4 Suite upon request. The Keycloak versions used from version 7.x onward are also not affected.

Nevertheless, we recommend setting the option "log4j2.formatMsgNoLookups" to "true" by starting the Java Virtual Machine with the argument "-Dlog4j2.formatMsgNoLookups=true". This prevents the vulnerability from being exploited should a more recent log4j version have been added on site.

As of version 6.x, we also provide an X4 adapter on request, which you as a customer can use to test your installation of X4 Suite or X4 BPMS yourself.

In addition, for on-premises solutions, we recommend that all surrounding systems, such as on-site web servers or proxy servers, be examined for the above vulnerability.

There is no acute threat to customers using our Software as a Service (SaaS). The services continue to be available without restriction. Further security measures will be implemented in a short-term maintenance window. We will notify you separately about this.

If you need support for on-premises systems, please contact our support at support@softproject.de or at +49 7243 56175-333.

Further information on this can also be found at the German Federal Office for Information Security.

Do you have any questions?

Your Contact
SoftProject Support Team