Log4j vulnerability patch
On December 10th, 2021, a global and widespread critical vulnerability was discovered in Apache Log4j, an open-source Java package used to enable logging in many popular applications. This vulnerability can be exploited to enable remote code execution on servers. It affects several applications including Ephesoft Transact.
For more information about this vulnerability, please visit the Apache website.
1. Stop the Transact server service.
2. Locate any log4j-core*.jar files in the following directories and rename the JAR extension to BAK. Note the version of each file, because the same patched version of that file will need to be used in its place.
3. For each file that was backed up, download the matching patched release below and copy it to the original file's path:
- Download log4j-core-2.8.2-p.jar then rename it to log4j-core-2.8.2.jar (remove the -p) to replace the original file.
- Download log4j-core-2.11.2-p.jar then rename it to log4j-core-2.11.2.jar (remove the -p) to replace the original file.
- Download log4j-core-2.12.1-p.jar then rename it to log4j-core-2.12.2.jar (remove the -p) to replace the original file.
Note: If you encounter a log4j-core-*.jar release version not listed above, please contact support and submit the file for review before starting the vulnerability mitigation process.
4. Start Transact server service and verify accessibility.
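The locate, record and rename work in step 2 can be scripted so that every log4j-core JAR and its version is written down before anything is replaced, and so that versions not listed in step 3 are left untouched for support review. This is an added example, not Ephesoft or Infor tooling; the function name, the `root` argument (the install directory, which this page does not list) and the sample file names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Versions named in step 3 of the procedure. The third bullet names both
# 2.12.1 and 2.12.2, so both are treated as listed here (assumption).
LISTED_VERSIONS = {"2.8.2", "2.11.2", "2.12.1", "2.12.2"}
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def back_up_log4j_core(root, dry_run=True):
    """Find log4j-core*.jar under root, record versions, rename to .BAK.

    Returns one dict per JAR found: path, version, listed, backup.
    A JAR whose version is not in LISTED_VERSIONS (or cannot be parsed)
    is reported but never renamed, matching the note to contact support
    before starting the mitigation for that file.
    """
    report = []
    # sorted() materialises the listing first, so renaming is safe.
    for jar in sorted(Path(root).rglob("*")):
        name = jar.name.lower()
        if not (jar.is_file() and name.startswith("log4j-core")
                and name.endswith(".jar")):
            continue
        match = JAR_NAME.match(jar.name)
        version = match.group(1) if match else None
        listed = version in LISTED_VERSIONS
        backup = jar.with_suffix(".BAK") if listed else None
        if backup and not dry_run:
            if backup.exists():
                raise FileExistsError(f"backup already present: {backup}")
            jar.rename(backup)
        report.append({"path": str(jar), "version": version,
                       "listed": listed,
                       "backup": str(backup) if backup else None})
    return report


if __name__ == "__main__":
    # Constructed sample tree; pass the real install directory instead.
    with tempfile.TemporaryDirectory() as tmp:
        for sample in ("log4j-core-2.8.2.jar", "log4j-core-2.14.1.jar"):
            Path(tmp, sample).write_bytes(b"constructed sample")
        for row in back_up_log4j_core(tmp, dry_run=False):
            print(row)
```

Run it with `dry_run=True` first, while the Transact service is stopped, and keep the returned report as the record of which patched file belongs at which path.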
For continuous updates from Ephesoft, please refer to their Knowledgebase.
For specific product vulnerabilities, please sign up to the following KB:
KB from Infor on how to resolve on-premise Ephesoft log4j vulnerability:
System i Workspace AnyWhere
Infor KB Article 1963350 (System i Workspace AnyWhere) which you signed up to be notified about has been updated. This KB is available on Infor Support Portal with a status of Complete.
System i Workspace AnyWhere Feature Pack 13 + High Impact Patch 1 released for Microsoft Windows 2016/2019 Server/Tomcat 9 and IBM i/WebSphere Application Server 9.x deployments. A high level severity vulnerability (CVE-2021-4428, CVSSv3 10.0) impacting multiple versions of the Apache Log4j2 utility was disclosed on December 9, 2021. This vulnerability affects Apache Log4j2 versions 2.0 through 2.14.1. The vulnerability allows for unauthenticated remote code execution. Log4j2 is an open source Java logging library developed by the Apache Foundation and is widely used in many software applications such as System i Workspace AnyWhere. This cumulative System i Workspace AnyWhere Fix Pack resolves this issue by delivering the mitigated fixes from Apache. Infor strongly recommends that you apply this Fix Pack as soon as possible. Customers that use an IBM i/WebSphere Application Server 9.x deployment should also review this bulletin from IBM to update their software to the latest release for a summary of the status of all Infor Products affected by this issue.
Kofax Total Agility
Apparently not an issue, but still waiting for confirmation.
If you have any questions or concerns, please do not hesitate to contact us directly.