2021: Security Advisory: Apache Log4j / Log4Shell

Summary

A critical vulnerability, referred to as Log4Shell, has been identified in the popular Java logging library Apache Log4j 2. It has had a devastating impact globally on millions of systems and applications, and affects almost every company in some way.
NT-ware activated its security response plans last week to investigate, mitigate and communicate our activities. These activities have concluded that we have no exposed systems or products that are susceptible to this vulnerability.

Advisory release date

13th December 2021

Product Affected

uniFLOW sysHUB

Products Reviewed

NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite

CVE

CVE-2021-44228

Severity

This CVE has been given a ‘Critical’ severity rating.

Summary of Vulnerability

Below you can find a breakdown of the activity for NT-ware as a company and our individual products:

NT-ware - company

  • All public facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.

  • Some internal services have been identified as utilising Log4j. We have taken immediate steps to patch them or put mitigation controls in place.

uniFLOW

  • None of the following is affected: uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.

  • Embedded applets for devices:

    • uniFLOW MEAP embedded applet for Canon devices – Unaffected

    • uniFLOW embedded applet for VarioPrint devices – Unaffected

    • uniFLOW embedded applet for ColorWave/PlotWave devices – Unaffected

    • uniFLOW embedded applet for ScanFront devices – Unaffected

    • uniFLOW embedded applet for Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices – Unaffected

    • Devices connected with Release Stations – Unaffected

uniFLOW Online/uniFLOW Online Express

  • None of the following is affected: the platform itself, SmartClients, and supporting services.

  • Embedded applets for devices:

    • uniFLOW MEAP embedded applet for Canon devices – Unaffected

    • Devices connected with Release Stations – Unaffected

PRISMAsatellite

PRISMAsatellite does NOT use Log4j (for Java), but DOES use log4js (for JavaScript) as a component in the Dashboard. We can confirm that log4js (for JavaScript), which is used in all versions of PRISMAsatellite, is NOT vulnerable to the Log4j (for Java) exploit.


Affected Versions

Product: uniFLOW sysHUB

Affected versions:

  • Up to and including COSMOS V2.7, log4j version 1.2.x was used. A security flaw was found in its JMSAppender; the JMSAppender is not used in the COSMOS standard configuration.

  • Since COSMOS V2.8 and sysHUB 2021, log4j version 2 (versions 2.11.0 to 2.14.1) is used.

  • CVE-2021-44228 (JNDI lookups): lookups via JNDI in COSMOS/sysHUB are blocked by a custom modification and end in a system exception message.

  • CVE-2021-45046 (DoS attack via patterns): none of the patterns $${ctx:loginId}, %X, %mdc or %MDC is used in the standard configuration. Please review your log4j configuration in the file config/log4j2.xml to ensure you are not using any of the mentioned patterns (none of them is present in any standard configuration).

  • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

  • Even though the product is not exposed by this vulnerability, it is recommended to disable log4j2 lookups as described below:

    • Edit the <install-folder>\CosmosServer.conf file and, for all Agents in use, the <agent-install-folder>\CosmosAgent.conf file.

    • Add the line wrapper.java.additional.24=-Dlog4j2.formatMsgNoLookups=true. Adjust the numbering to the wrapper options already in use; in our case the entry .24 was added.

    • Restart the server and all Agents.

  • Alternatively, COSMOS and sysHUB installations also work with log4j 2.16.0 and log4j 2.17.0. These versions can be downloaded directly from the Apache website and used to replace the existing version in the ext folder:

    • Stop the servers and agents that are to be updated.

    • Server: replace all ext/log4j*.jar files with the latest version.

    • Agent: replace ext/log4j-core.jar with the latest version, but keep the name without a version suffix; the file must have the fixed name log4j-core.jar.

    • Start the servers and agents again.

    • The file ant-apache-log4j.jar in the client plugins folder is not a separate log4j library but a connector class from Apache Ant and must not be changed.

    • The Log4j properties file in the cosmos-web folder is only a config file that enables loggers and must not be changed.
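Two of the checks above, the review of config/log4j2.xml for the listed patterns and the wrapper.java.additional entry in the .conf files, lend themselves to a small audit script. The following is an added example, not NT-ware's or the product's own code; the XML and wrapper snippets it checks are constructed samples, and real installations would read the files from <install-folder> instead.

```python
import re
import xml.etree.ElementTree as ET

# Layout patterns the advisory says must not appear in config/log4j2.xml;
# the advisory's $${ctx:loginId} is the escaped spelling of ${ctx:...}.
RISKY_PATTERNS = ("${ctx:", "%X", "%mdc", "%MDC")
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
WRAPPER_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")

def find_risky_layout_patterns(log4j2_xml: str) -> list:
    """Return (appender name, pattern) for each PatternLayout using a
    context/MDC lookup, given either as an attribute or a <Pattern>."""
    hits = []
    for element in ET.fromstring(log4j2_xml).iter():
        layout = element.find("PatternLayout")
        if layout is None:
            continue
        pattern = layout.get("pattern") or layout.findtext("Pattern", "")
        if any(p in pattern for p in RISKY_PATTERNS):
            hits.append((element.get("name"), pattern))
    return hits

def check_wrapper_conf(conf_text: str) -> dict:
    """Report whether the no-lookups flag is set and whether its
    wrapper.java.additional.N index collides with another entry
    (with a duplicate index only one of the two values takes effect)."""
    values_by_index, flag_index = {}, None
    for line in conf_text.splitlines():
        match = WRAPPER_RE.match(line.strip())
        if match:
            idx, value = int(match.group(1)), match.group(2).strip()
            values_by_index.setdefault(idx, []).append(value)
            if value == NO_LOOKUPS_FLAG:
                flag_index = idx
    duplicates = sorted(i for i, v in values_by_index.items() if len(v) > 1)
    return {"flag_present": flag_index is not None,
            "flag_index": flag_index, "duplicate_indexes": duplicates}

# Constructed sample inputs (not from a real installation): the AUDIT
# appender uses %X, and index 24 is reused by an unrelated option.
SAMPLE_LOG4J2_XML = """<Configuration><Appenders>
  <Console name="STDOUT"><PatternLayout pattern="%d %p %c - %m%n"/></Console>
  <File name="AUDIT" fileName="audit.log">
    <PatternLayout><Pattern>%d %X{loginId} %m%n</Pattern></PatternLayout>
  </File>
</Appenders></Configuration>"""
SAMPLE_WRAPPER_CONF = """wrapper.java.additional.1=-Xmx1024m
wrapper.java.additional.24=-Dlog4j2.formatMsgNoLookups=true
wrapper.java.additional.24=-Duser.timezone=UTC"""
```

A reused index is worth flagging because the advisory tells you to pick the number yourself, and a collision with an existing wrapper option means either the mitigation or that option is silently lost.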


Fixed Versions

Product: COSMOS 2.9 and uniFLOW sysHUB 2021

Fix versions:

  • COSMOS and sysHUB native Client: a workaround has been provided to Canon Software Support; an updated version is available as a patch, and a new setup is provided.

  • COSMOS and sysHUB Agent: replace the file log4j2-core.jar in the ext folder with the latest version.

  • Service Release: Service Releases are available for the supported versions COSMOS 2.9 and uniFLOW sysHUB 2021 and include the log4j libraries version 2.17.0. The Service Releases and installers for new customer installations are available in the Download section of the customer portal.


What You Need to Do

Please review the provided information for mitigation or upgrade of your system.

Mitigation

NT-ware recommends always updating to the latest version, but appreciates that this is not possible in all situations. Please review the provided ‘in place’ mitigations and decide what is best for your environment.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.