Log4j vulnerability patch

On December 10th, 2021, a global and widespread critical vulnerability was discovered in Apache Log4j, an open-source Java package used to enable logging in many popular applications. This vulnerability can be exploited to enable remote code execution on servers. It affects several applications including Ephesoft Transact.

For more information about this vulnerability, please visit the Apache website.

Ephesoft
1. Stop the Transact server service.

2. Locate any log4j-core*.jar files in the following directories and rename the JAR extension to BAK. Notate the version of the file as the same patched version of that file will need to be used in its place.

  • [Ephesoft_Directory]\Application\WEB-INF\lib
  • [Ephesoft_Directory]\Dependencies\license-util\libs\stdlibs
  • [Ephesoft_Directory]\EphesoftReports\WEB-INF\lib
  • [Ephesoft_Directory]\JavaAppServer\bin

3. For the following files that were backed up, download the following patched releases and copy the following file to its path:

    • Download log4j-core-2.8.2-p.jar then rename it to log4j-core-2.8.2.jar (remove the -p) to replace the original file.
    • Download log4j-core-2.11.2-p.jar then rename it to log4j-core-2.11.2.jar (remove the -p) to replace the original file.
    • Download log4j-core-2.12.1-p.jar then rename it to log4j-core-2.12.2.jar (remove the -p) to replace the original file

Note: If you encounter a log4j-core-*.jar release version not listed above, please contact support and submit the file for review before starting the vulnerability mitigation process.

4. Start Transact server service and verify accessibility.

For continuous updates from Ephesoft, please refer to their Knowledgebase.

Infor
For specific product vulnerability please sign up to the following KB:
https://icp.cloud.infor.com/infor/0ae209d9-10e1-4758-af45-fd8db5cb4269

KB from Infor on how to resolve on-premise Ephesoft log4j vulnerability:
https://support.infor.com/espublic/EN/AnswerLinkDotNet/SoHo/Solutions/SoHoViewSolutionC.aspx?SolutionID=2229044&kb_is_archived=0&kb_accessed_from=SuggestedArticles

System i Workspace AnyWhere
Infor KB Article 1963350 (System i Workspace AnyWhere) which you signed up to be notified about has been updated. This KB is available on Infor Support Portal with a status of Complete.

System i Workspace AnyWhere Feature Pack 13 + High Impact Patch 1 released for Microsoft Windows 2016/2019 Server/Tomcat 9 and IBM i/WebSphere Application Server 9.x deployments. A high level severity vulnerability (CVE-2021-4428, CVSSv3 10.0) impacting multiple versions of the Apache Log4j2 utility was disclosed on December 9, 2021. This vulnerability affects Apache Log4j2 versions 2.0 through 2.14.1. The vulnerability allows for unauthenticated remote code execution. Log4j2 is an open source Java logging library developed by the Apache Foundation and is widely used in many software applications such as System i Workspace AnyWhere. This cumulative System i Workspace AnyWhere Fix Pack resolves this issue by delivering the mitigated fixes from Apache. Infor strongly recommends that you apply this Fix Pack as soon as possible. Customers that use an IBM i/WebSphere Application Server 9.x deployment should also review this bulletin from IBM to update their software to the latest release  for a summary of the status of all Infor Products affected by this issue.

Kofax
https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Apache_Log4j2_vulnerability_information

Kofax Capture
https://knowledge.kofax.com/Capture/Kofax_Capture/Reference/Log4J_Vulnerability_CVE-2021-44228_Does_Not_Affect_Kofax_Capture

Kofax Total Agility
Apparently not an issue, but still waiting for confirmation.

CPPD
Not affected

If you have any questions or concerns, please do not hesitate to contact us directly.