Apache log4j v1 CVE-2019-17571 / CVE-2021-4104 / CVE-2022-23305


Description


Notes on using log4j v1 in Doxis4

Log4j v1 is still used in some SER products. These SER products are not affected by the vulnerabilities in log4j v2. In addition, SER products are not affected by the log4j v1 vulnerabilities CVE-2019-17571, CVE-2021-4104 and CVE-2022-23305, because these vulnerabilities affect the SocketServer class and a JMSAppender configuration, neither of which is used by SER. The same holds for CVE-2022-23307, which originates from CVE-2020-9493, a vulnerability in Apache Chainsaw. Chainsaw is likewise not used by default in SER products.


Since log4j v1 is not further developed and maintained, upgrades from log4j v1 to log4j v2 were initiated in all SER products some time ago. Typically, such upgrades cannot be made at the patch level. Some products have already been fully upgraded (Doxis4 safeLock, Doxis4 ERP Connection Service), while others have only been partially upgraded (Doxis4 CSB for FIPS and Fulltext Service).


The table below provides an overview of the products which still contain log4j v1 and of the versions in which the upgrades to log4j v2 will take place (updated on 01-22-2022: the switch to log4j v2 in webCube is now provided earlier than originally planned):


| Product | Update to Log4j v2 with | Notes |
|---|---|---|
| Doxis4 CSB | V04.02 (Jan. 2022), available | Doxis4 Fulltext Service has already been upgraded to log4j v2 with V03.04 and FIPS with V04.00. All other components and services follow suit with V04.02. Note that for pre-/postprocessing, FIPS uses the Java API, which includes log4j v1 in versions before V08.02. |
| Doxis4 Java API | V08.02 (Jan 2022), available | As of this version, the Java API no longer includes log4j. The client context must set the logging framework in the future. |
| Doxis4 webCube (as well as addons like DIIA or DIMCP) | V09.01p1 (Feb 2022) | |
| Doxis4 OrgaTransmitter | V04.03p3 (Jan 2022), available | |
| Doxis4 CMIS Connector | V01.02 (May 2022) | |
| Doxis4 webDAV Connector | | Last released in 2016. This version contains a legacy JVM. Official retirement is currently under review. If you use the software in production systems, please contact the SERviceDesk. |
| Doxis4 webDAV Connector for ILM | V02.02 (planning stage) | |
| Doxis4 DICOM Connector | V02.01 (planning stage) | |



Workaround


Using Logpresso to fix CVE-2019-17571 and CVE-2021-4104

As mentioned above, SER products use neither SocketServer nor JMSAppender by default. Therefore, these components can be removed from the log4j v1 jar using Logpresso, unless the logging has been customized to use these components. Compared to the situation with log4j v2, this allows a more consistent workaround. For this purpose, Logpresso must be called with the --scan-log4j1 option.
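To verify that the workaround actually applies on a given system, an administrator wants two checks: that the affected classes are no longer present in the log4j v1 jar after Logpresso has run, and that no log4j.properties file configures an appender based on the JMSAppender class. The script below is an added example and is not part of the SER advisory or of Logpresso; the jar contents and the properties file it inspects are constructed in memory for the demonstration (the "jar" is a plain zip with empty class entries, not a real log4j build), and the class paths it looks for are the standard log4j 1.2 locations of SocketServer, JMSAppender and the Chainsaw package.

```python
"""Verification check for log4j 1.x deployments (added example, not vendor code).

scan_jar_bytes()  -- reports which CVE-related classes are still inside a jar
scan_properties() -- reports configured appenders that use the JMSAppender class
"""
import io
import re
import zipfile

# Class entries in a standard log4j 1.2.x jar, mapped to the advisory's CVEs.
VULNERABLE_ENTRIES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}
# Apache Chainsaw ships inside the same jar; CVE-2022-23307 (from CVE-2020-9493).
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def scan_jar_bytes(data: bytes) -> dict:
    """Return {jar entry: CVE} for every affected class still present in the jar.

    An empty result means the classes have been stripped (e.g. by Logpresso) or
    were never there.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name in VULNERABLE_ENTRIES:
                found[name] = VULNERABLE_ENTRIES[name]
            elif name.startswith(CHAINSAW_PREFIX) and name.endswith(".class"):
                found[name] = "CVE-2022-23307"
    return found


# Matches "log4j.appender.<name>=<class>" lines in a log4j.properties file.
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w.]+)\s*=\s*(\S+)", re.M)
RISKY_APPENDER_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
}


def scan_properties(text: str) -> dict:
    """Return {appender name: CVE} for appenders configured with an affected class.

    Lines such as "log4j.appender.jms.TopicBindingName=..." are sub-properties;
    their values are not class names, so they never match the risky set.
    """
    return {
        name: RISKY_APPENDER_CLASSES[cls]
        for name, cls in APPENDER_RE.findall(text)
        if cls in RISKY_APPENDER_CLASSES
    }


def build_sample_jar(entries) -> bytes:
    """Constructed sample: an in-memory zip with empty entries standing in for a jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed inputs: an "unpatched" jar, the same jar after the classes were
# removed, and a properties file that customizes logging to use JMSAppender.
SAMPLE_JAR = build_sample_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/chainsaw/Main.class",
])
STRIPPED_JAR = build_sample_jar(["org/apache/log4j/Logger.class"])
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    print("before removal:", scan_jar_bytes(SAMPLE_JAR))
    print("after removal: ", scan_jar_bytes(STRIPPED_JAR))
    print("config:        ", scan_properties(SAMPLE_PROPERTIES))
```

On a real system, pass the bytes of the deployed log4j-1.2.x jar to scan_jar_bytes() and the text of each log4j.properties (or the equivalent appender definitions from a log4j.xml) to scan_properties(). A non-empty result from the second check means the logging has been customized in the way the advisory warns about, and the jar-level removal alone is not sufficient for that installation.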



[APA, 09.02.22  15:49]


Related links


For further details, see https://github.com/logpresso/CVE-2021-44228-Scanner
