You are viewing limited content. For full access, please sign in.

Question

Question

Do any Laserfiche products use the Apache log4j library?

asked on December 10, 2021

With some recent news over a vulnerability found in the Apache log4j library I just wanted to confirm whether or not it was used in any Laserfiche products?  I was not able to find anything, but just wanted to confirm.  Thanks!

7 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on December 10, 2021 Show version history

Update 15 Dec 2021: There is now a Laserfiche Support site article on this topic, linked below. It is Laserfiche's official statement on the vulnerability and any future updates with be made to that article rather than here. Please reference it for the most up-to-date information.

Apache Log4j 2 Vulnerability (CVE-2021-44228)

Here are the contents of the article as of today:

----------------------------------------------------------------------------------------------------------

Summary

Laserfiche is aware of the publicly disclosed Apache Log4j 2 remote code execution vulnerability described in CVE-2021-44228.

Our downloadable software products, including Laserfiche Rio and Laserfiche Avante, do not ship with or use Log4j 2.

Laserfiche Cloud, which is our multitenant SaaS platform, has some backend systems that use some versions of Log4j 2. Patches have already been applied to Laserfiche Cloud to mitigate the vulnerability.

This article summarizes any potential impacts to Laserfiche products.

Laserfiche Self-hosted and Locally Installed Products and Modules

Laserfiche's downloadable software products, including Laserfiche Rio and Laserfiche Avante, do not ship with or use Log4j 2.

Laserfiche Cloud

Laserfiche Cloud contains some backend systems that use Log4j 2. Security testing has not identified any exploitable vulnerabilities related to this issue in Laserfiche Cloud. As a standard preventative measure, the associated backend systems have been patched to mitigate the vulnerability.

Laserfiche Cloud relies on select AWS services that may also be impacted by the vulnerability. Amazon has stated that they are working on addressing the issue for any AWS services which use Log4j 2. Please see the following statement from Amazon on the vulnerability:

Other Mitigations

We also recommend that customers check whether any integrations or other non-Laserfiche software may be impacted and to check for potential patches.

Related Links

----------------------------------------------------------------------------------------------------------

Original Post:

Laserfiche products do not ship with/use the Apache log4j library and are thus not vulnerable to CVE-2021-44228.

10 0
replied on December 11, 2021

Sam, I received a notification from the Authorize.Net developer network that would indicate that Authorize.Net itself might be vulnerable?  

https://support.authorize.net/s/article/Apache-Log4J-Zero-Day-Vulnerability?utm_campaign=22Q1%20ANET%20Java%20log4j%20Vulnerability%20Email%20-%20Developers&utm_medium=email&utm_source=Eloqua

If so could that impact the Forms payment gateway functionality?

 

0 0
replied on December 12, 2021

It depends on what updates the Authorize.Net side will make. 

2 0
replied on December 13, 2021

It is highly unlikely Authorize.Net's updates would affect Forms payment gateway functionality. 

The way the Log4j2 vulnerability exploit works is by an attacker causing a specially crafted JNDI:LDAP URL pointing at a malicious server to get logged by a vulnerable application. Log4j would then get the execute an LDAP query against the attacker's server, which would return a malicious payload, and Log4j would then execute the payload. This abuses functionality in the Log4j JNDI extension class, which is intended to do useful things with lookups against your own LDAP servers.

undefined

Apache has a patched version and mitigations available:

  1. Update Log4j2 to 2.15.0, which disables the lookup functionality by default.
  2. In earlier versions, either set a configuration parameter that disables those lookups, or remove the JNDI extension class entirely.

 

Since the Laserfiche Forms payment gateway integration doesn't depend on logging LDAP endpoint URLs in any way, I can't think of any plausible direct way that Authorize.Net patching or applying mitigations for Log4j on their systems would affect our functionality. If Authorize.Net has systems exploited by the vulnerability that's an entirely different scenario that I can't speculate on.

2 0

Replies

replied on December 15, 2021

A couple of items:

1) Your link to the support article is broken

2) Posts say Laserfiche does not ship with log4j, then what is this file doing? 

c:\Program Files (x86)\Laserfiche\Webtools Agent\log4net.dll

File properties says it is Apache log4net for .NET Framework 4.5. The version is 2.0.8.0. 

Our vulnerability scanner says it is a vulnerability.

 

0 0
replied on December 15, 2021

I did some more digging and perhaps the Log4Net version is not vulnerable?
https://blogs.apache.org/security/entry/cve-2021-44228

 

0 0
replied on December 15, 2021

Hi James,

First, thanks for catching the broken link. I've now fixed it.

Second, that's correct, Log4j ports in other languages like Log4net are not affected by CVE-2021-44228 because the exploit is Java-specific. It relies on a Java feature called Java Naming and Directory Interface (JNDI) that is not present in .NET.

Here are some resources in addition to the Apache security post you found:

0 0
replied on December 15, 2021

Hi Samuel,

I did some more research and it appears that our vulnerability scanner is flagging the Laserfiche log4net.dll file because of an older vulnerability from 2018 that isn't patched. See CVE-2018-1285:

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

 

Any info on when this will be patched?

 

Thanks,


James

 

 

replied on December 15, 2021 Show version history

@████████ We're looking into this other potential vulnerability that's unrelated to CVE-2021-44228 now. I'm redacting your post in the meantime.

Update: CVE-2018-1285 for log4net specifies "This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files." After a preliminary investigation we do not believe Laserfiche applications that currently ship with Log4Net < 2.0.10 to be vulnerable to this exploit because they do not accept attacker-controller log4net configuration files. An attacker would already have to have access to the machine in question in order to insert their own malicious configuration file. We expect to update the library in question in an upcoming normal update.

1 0
replied on December 15, 2021

@████████Please see update above.

1 0
You are not allowed to follow up in this post.

Sign in to reply to this post.