Responses and Info on Log4j Vulnerability
Not affected by log4j vulnerability:
- ApplicationXtender
- xPlore
- Captiva
- Liquid Office
Affected by log4j vulnerability:
- ImageTrust
- OTDS
- OTS
ApplicationXtender
ApplicationXtender core components are not affected since they do not use Apache web server and Java in the product suite.
-----------------------------------------------
xPlore
xPlore is not affected because its WildFly web server does not use Log4j 2.
-----------------------------------------------
From OpenText:
ApplicationXtender core components are not affected since this suite does not use Apache web server and Java. ApplicationXtender is only installed in IIS and using Windows Installers.
xPlore is not affected either, because the WildFly web server does not use Log4j 2.
xPlore's installer bundles DFC version 20.4, which doesn't use log4j 2.x; it uses 1.x only, which is why log4j 2.x did not show up in your find command.
Regarding </opt/xplore/home/wildfly23.0.2/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar>:
WildFly bundles log4j 2.x, but what WildFly bundles is the log4j API jar "log4j-api-2.14.0.jar", and this jar has no impact. WildFly officially confirmed the same on Twitter:
https://twitter.com/WildFlyAS/status/1469362190536818688.
OT confirms this is for all existing AX supported versions of xPlore.
-----------------------------------------------
Liquid Office
Based on the investigation done by the LO Dev Team, LiquidOffice is NOT impacted by this vulnerability (CVE-2021-44228).
Description:
CVE-2021-44228 affects only Log4j 2 versions 2.0 through 2.14.1. LiquidOffice uses Log4j 1.2.14, which is not affected by this vulnerability because the Lookup class files that cause the issue are not present in 1.x versions.
-----------------------------------------------
Captiva (Intelligent Capture)
Intelligent Capture is not affected by exploit CVE-2021-44228, and is not vulnerable.
-----------------------------------------------
OTS – Output Transformation Server
Output Transformation Server /Embedded Output Transformation Engine - The Log4j third-party
component used by product x to keep a record of activity within the application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-44228
Applies to
Embedded Output Transformation Engine 20.4, 21.2, 21.4
Output Transformation Server 20.4, 21.2, 21.4
Summary
In Output Transformation Server / Embedded Output Transformation Engine, the Log4j third-party
component used by product x to keep a record of activity within the application is affected by the
Critical RCE Vulnerability: log4j - CVE-2021-44228
Resolution
How to fix this in your current production environment:
We are currently shipping with log4j-2.13.3.
Customers can disable message substitution by setting a system property.
Since we are using this specific version (between 2.10-2.14) there is no need to modify the log4j
pattern in the log profile.
Listed below are the various ways customers can run our product stack. Refer to the section that fits
the configuration(s) currently in use.
Apache Tomcat:
1. Shutdown Tomcat if running
2. Open setenv.bat located in <OTS_HOME>/TomcatBase/<instance>/bin
3. Find the end of the section where CATALINA_OPTS are being set
4. Add the new line "set CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true"
5. Start Tomcat
Note: Changes to the setenv.bat will apply to both Tomcat being started by the start-<instance>.bat script and the Tomcat service.
The result should look like this (see line 62):
Note: For Linux environments the same procedure would be applied to the setenv.sh. The CATALINA_OPTS is a single line and
the "-Dlog4j2.formatMsgNoLookups=true" system property can be appended to the end.
IBM WebSphere:
1. Log into the WebSphere Admin Console.
2. Click on the server to change (i.e. server1)
Firefox https://knowledge.opentext.com/knowledge/llisapi.dll/kcs/kbarticle/vie...
2 of 5 12/15/2021, 10:58 AM
3. Click on Java and Process Management > Process Definition
4. Click on Java Virtual Machine
5. Click on Custom Properties
6. Click on New... to add a new property
7. For the name enter: log4j2.formatMsgNoLookups
8. For the value enter: true
9. Save changes after verifying the property has been added
10. Then restart the server
The result should look like this:
Note: For detailed instructions of where/how to set the new system variable please refer to the WebSphere deployment guide. This is
the same area where the ots.* properties were set when OTS was first deployed.
Docker/Helm:
OTK (EMS)
1. Open cfcr.yaml file located in <helm-chart>/platform
2. Modify the javaOpts entry under OTSServer
3. Add "-Dlog4j2.formatMsgNoLookups=true" to the end of javaOpts
4. Then perform upgrade command as detailed in build book
Other Platforms:
Use the following helm upgrade command:
    helm upgrade ots-server ./ots-server/ ^
        --values platform/default-k8s.yaml ^
        --set OTSServer.javaOpts="-Xmx4096M -Dlog4j2.formatMsgNoLookups=true"
Note: If any modifications were made to the values.yaml for customizing javaOpts there then append the log4j property in the
values.yaml instead and perform the upgrade.
-----------------------------------------------
Process Designer
1. Shutdown Designer if running
2. Open startup.properties located in <OTS_HOME>/settings/
3. Find the designer mode section.
4. Add to designer.jvmargs "-Dlog4j2.formatMsgNoLookups=true"
5. Start Designer
The result should look like this (see line 44):
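The Tomcat, Docker/Helm and Process Designer steps above all come down to the same edit: put -Dlog4j2.formatMsgNoLookups=true on the Java options value of one line (CATALINA_OPTS in setenv.sh or setenv.bat, javaOpts in cfcr.yaml, designer.jvmargs in startup.properties) without duplicating it on a re-run. The Python below is an added example, not OpenText's code or part of any KB article; the sample file contents are constructed, and -Dexample.setting=1 is a placeholder property.

```python
"""Idempotently put -Dlog4j2.formatMsgNoLookups=true on the Java options
setting that the page's remediation steps edit: CATALINA_OPTS in setenv.sh /
setenv.bat (Tomcat), javaOpts in cfcr.yaml (Helm) and designer.jvmargs in
startup.properties (Process Designer). Sample file contents are constructed."""
import re

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
_FLAG_PREFIX = "-Dlog4j2.formatMsgNoLookups="


def ensure_flag(java_opts: str) -> str:
    """Return java_opts with the flag present exactly once.
    An existing -Dlog4j2.formatMsgNoLookups=false is replaced, not kept."""
    kept = [t for t in java_opts.split() if not t.startswith(_FLAG_PREFIX)]
    return " ".join(kept + [FLAG])


def _newline(text: str) -> str:
    """Preserve CRLF for Windows files, LF otherwise."""
    return "\r\n" if "\r\n" in text else "\n"


def _value_line(key: str, sep: str):
    """Regex for '<key><sep> <value>' (optionally 'export'-ed, optionally quoted)."""
    return re.compile(
        r'^(?P<lhs>\s*(?:export\s+)?' + re.escape(key) + re.escape(sep) + r'\s*)'
        r'(?P<q>["\']?)(?P<val>.*?)(?P=q)\s*$')


def patch_value_line(text: str, key: str, sep: str = "=") -> str:
    """Append the flag inside the last '<key><sep>value' line of text
    (setenv.sh: key='CATALINA_OPTS'; startup.properties: key='designer.jvmargs';
    cfcr.yaml: key='javaOpts', sep=':')."""
    pat = _value_line(key, sep)
    nl = _newline(text)
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if pat.match(line)]
    if not hits:
        raise ValueError("no '%s%s' line found" % (key, sep))
    m = pat.match(lines[hits[-1]])
    lines[hits[-1]] = m["lhs"] + m["q"] + ensure_flag(m["val"]) + m["q"]
    return nl.join(lines) + nl


def patch_setenv_bat(text: str) -> str:
    """Windows setenv.bat: add 'set CATALINA_OPTS=%CATALINA_OPTS% <flag>' as a
    new line right after the last existing 'set CATALINA_OPTS=' line."""
    nl = _newline(text)
    lines = text.splitlines()
    if any(FLAG in line.split() for line in lines):
        return text  # already applied
    bat = re.compile(r'^\s*set\s+CATALINA_OPTS=', re.IGNORECASE)
    hits = [i for i, line in enumerate(lines) if bat.match(line)]
    lines.insert(hits[-1] + 1 if hits else len(lines),
                 "set CATALINA_OPTS=%%CATALINA_OPTS%% %s" % FLAG)
    return nl.join(lines) + nl


# Constructed samples; -Dexample.setting=1 is a placeholder, not a real property.
SAMPLE_SH = '#!/bin/sh\nexport CATALINA_OPTS="-Xmx4096M -Dexample.setting=1"\n'
SAMPLE_BAT = ("@echo off\r\n"
              "set CATALINA_OPTS=-Xmx4096M\r\n"
              "set CATALINA_OPTS=%CATALINA_OPTS% -Dexample.setting=1\r\n"
              "rem end of CATALINA_OPTS section\r\n")
SAMPLE_YAML = 'OTSServer:\n  javaOpts: "-Xmx4096M"\n'
SAMPLE_PROPS = "# designer mode\ndesigner.jvmargs=-Xmx1024M\n"

if __name__ == "__main__":
    print(patch_value_line(SAMPLE_SH, "CATALINA_OPTS"))
    print(patch_setenv_bat(SAMPLE_BAT))
    print(patch_value_line(SAMPLE_YAML, "javaOpts", sep=":"))
    print(patch_value_line(SAMPLE_PROPS, "designer.jvmargs"))
```

Running the script a second time over its own output changes nothing, which is the property you want when the same change is rolled out by configuration management to many instances; a pre-existing formatMsgNoLookups=false is replaced rather than left to win by JVM argument order.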
ApplicationXtender Integration:
The ApplicationXtender integration is typically made up of a Designer and a server such as Apache Tomcat.
For remediation instructions see those sections above.
Tracking Number
DEV-9824
Keywords
Log4J2 - CVE-2021-44228
OTDS
OTDS - The Log4j third-party library used by OpenText™ Directory Services contains a critical remote code execution vulnerability
Article ID:
KB19870219
Applies to:
Directory Services (OTDS) 20.1.1, 20.2.1, 20.2.2, 20.2.3, 20.3.1, 20.4.1, 20.4.2, 21.2.0, 21.3.0
Summary
The Log4j third-party component used by OpenText Directory to keep a record of activity within the application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-44228
A threat actor could potentially exploit this vulnerability to remotely execute unauthorized code on systems running OpenText Directory Services.
Resolution
Due to the threat posed by a successful attack, OpenText strongly recommends that customers follow the guidelines below as soon as possible:
Set -Dlog4j2.formatMsgNoLookups=true on Tomcat’s Java options
12/15/21, 10:36 AM KB19870219
It is also possible to update the log4j2 jar files with the fixed 2.15.0 version or later (preferably 2.17.0 or the latest provided by Apache) from https://logging.apache.org/log4j/2.x/download.html:
/otdsws/WEB-INF/lib/log4j-api-2.X.X.jar
/otdsws/WEB-INF/lib/log4j-core-2.X.X.jar
-----------------------------------------------
ImageTrust
CVE-2021-44228 was issued on December 10, 2021.
Image Access strongly recommends that customers follow the actions noted in the
following sections.
ImageTrust Knowledge Base
Article: https://cloud.imagetrust.com/jira/servicedesk/customer/kb/view/77398139
ImageTrust Batch Capture Application Server
As described in https://nvd.nist.gov/vuln/detail/CVE-2021-44228, we have updated the log4j-core-2* jar and removed the JndiLookup class
from the classpath to mitigate this threat.
You must select the ImageTrust application server version from the list below and then:
For ImageTrust v6.1: https://www.imageaccesscorp.com/Files/Support/CVE-2021-44228/v61-updated-log4j-core-2.13.0.zip
For ImageTrust v6.0: https://www.imageaccesscorp.com/Files/Support/CVE-2021-44228/v60-updated-log4j-core-2.13.0.zip
For ImageTrust v5.2: https://www.imageaccesscorp.com/Files/Support/CVE-2021-44228/v52-updated-log4j-core-2.13.0.zip
For ImageTrust v5.1: https://www.imageaccesscorp.com/Files/Support/CVE-2021-44228/v51-updated-log4j-core-2.9.1.zip
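The OTDS section (replacing log4j-core-2.X.X.jar with 2.15.0 or later, preferably 2.17.0) and the ImageTrust section (shipping a log4j-core jar with the JndiLookup class removed) describe two checks a practitioner wants to automate across a fleet: which remediation applies to a given log4j-core version, and whether a jar on disk still carries JndiLookup.class. The Python below is an added example, not code from OpenText, Image Access or Apache; the version ranges encode only what this page states (2.0 through 2.14.1 affected, the formatMsgNoLookups property honoured from 2.10, 2.15.0 fixed with 2.17.0 or later preferred), and the jar it inspects is constructed in memory rather than a real Log4j artifact.

```python
"""Check a log4j-core jar against the guidance on this page for
CVE-2021-44228: version ranges (affected 2.0 through 2.14.1; the
formatMsgNoLookups property honoured from 2.10; fixed from 2.15.0 with 2.17.0
or later preferred) and presence/removal of the JndiLookup class.
The jar used below is constructed in memory, not a real Log4j artifact."""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_path: str):
    """(major, minor, patch) from a log4j-core jar file name, else None."""
    m = _JAR_NAME.search(jar_path)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def classify(version) -> str:
    """Map a log4j-core version onto the page's remediation guidance."""
    if version is None or version[0] != 2:
        return "not-log4j2"                   # 1.x has no Lookup classes (LiquidOffice note)
    if version >= (2, 17, 0):
        return "fixed"                        # the page's preferred target
    if version >= (2, 15, 0):
        return "fixed-upgrade-advised"        # fixed per the page, which still prefers 2.17.0+
    if version >= (2, 10, 0):
        return "vulnerable-property-works"    # -Dlog4j2.formatMsgNoLookups=true honoured
    return "vulnerable-property-ignored"      # < 2.10: upgrade or strip JndiLookup


def entries(jar_bytes: bytes):
    """Entry names of a jar (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    return JNDI_CLASS in entries(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Copy of the jar with JndiLookup.class dropped; every other entry kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def assess(jar_path: str, jar_bytes: bytes) -> dict:
    """One record per jar: version, page guidance, and whether JndiLookup remains."""
    version = parse_version(jar_path)
    return {"version": version, "status": classify(version),
            "jndi_lookup_present": has_jndi_lookup(jar_bytes)}


def build_sample_jar() -> bytes:
    """Constructed stand-in for a 2.13.3 core jar: manifest plus two fake classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    name = "log4j-core-2.13.3.jar"
    jar = build_sample_jar()
    print(assess(name, jar))
    print(assess(name, strip_jndi_lookup(jar)))
```

The version check is only as good as the file name, so on a real host pair it with the class check: a renamed or shaded jar is caught by has_jndi_lookup even when parse_version returns None. strip_jndi_lookup does in Python what the zip -q -d removal of the same class path does on the command line, which is the mitigation the ImageTrust text describes for its 2.9.1 build, where the formatMsgNoLookups property alone is not honoured.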
Also note: