Log4J RCE - CVE-2021-44228 affects version 2 of log4j between versions 2.0-beta-9 and 2.14.1.
It is not present in version 1 of log4j and is patched in 2.15.0.
Mitigation Guidance
• Upgrade log4j 2 to the latest version, specifically log4j-2.15.0-rc2 or newer.
• According to Apache’s guidance, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Additional Resources
• Official Mitre CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• Community sourced list of impacted applications and services: https://github.com/YfryTchsGD/Log4jAttackSurface
• CISA Alert: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Some info about the Log4j vulnerability:
https://cybernews.com/news/log4j-vulnerability-a-bombshell-zero-day-exploit-with-global-impact/
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
20211214 Status Update
The Log4J vulnerability, also known as Log4Shell or Log4Shock, has been analyzed by the team. In short, Tridion Docs is not affected by this vulnerability. Below are the highlights of the Java-based components in the Tridion Docs product suite.
Affected Tridion Docs Product Version | Component | Description | Mitigation |
--- | --- | --- | --- |
2014/11.0.x, 2016/12.0.x | DITA-OT 1.8.5 | DITA Open Toolkit is the rendering engine that transforms OASIS DITA XML into downstream OutputFormats. In general, as confirmed by main contributor Jarno Elovirta on Apache Log4j2 Zero-Day Exploit (CVE-2021-44228) · Issue #3836 · dita-ot/dita-ot, the DITA-OT engine is not affected by Log4Shell. Remember that many customers choose a DITA-OT version of their liking extended with custom plugins - this should be verified by their integrator. | n/a |
13/13.0.x, 14/14.0.x | DITA-OT 2.3 | DITA Open Toolkit is the rendering engine that transforms OASIS DITA XML into downstream OutputFormats. In general, as confirmed by main contributor Jarno Elovirta on Apache Log4j2 Zero-Day Exploit (CVE-2021-44228) · Issue #3836 · dita-ot/dita-ot, the DITA-OT engine is not affected by Log4Shell. Remember that many customers choose a DITA-OT version of their liking extended with custom plugins - this should be verified by their integrator. | n/a |
14SP2/14.0.2 | FontoDeltaXml | Document History in Draft Space relies on the DeltaXml comparison engine hosted by Jetty 9.4.26. This combination only shipped in Tridion Docs 14SP2/14.0.2. Partner Fonto confirmed that: "None of the shipping Fonto software is vulnerable to Log4Shock (CVE-2021-44228). This includes the deprecated DeltaXML images." | n/a |
2014/11.0.x, 2016/12.0.x, 13/13.0.x, 14/14.0.x | Solr | Trisoft Solr Lucene is the service that hosts the Full-Text-Index of the Tridion Docs repository powering the Search engine. Solr is hosted by Jetty 9.4.26 and is not affected. The packaged Solr version is not listed on https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 and still relies on Log4J version 1. Log4J version 1 can be customized into a vulnerable position for installations using non-default logging configurations that include the JMS Appender, as described on Apache Log4j2 Zero-Day Exploit (CVE-2021-44228) · Issue #3836 · dita-ot/dita-ot and https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html. By default the system only uses console and file logging, and hence Log4J version 1 is not affected. | n/a |
10.1.x, 11.0.x, 11.1.x, 11.5.x, 11.6.x | Content Delivery | Dynamic Experience Delivery (DXD) or Universal Delivery Platform (UDP) is the Content Delivery (CD) platform that Tridion Docs and Tridion Sites share. No version is vulnerable. The configured log engine is Logback. We include the log4j-api JAR in our services; this is not the file that carries the vulnerability. | n/a |
All | DD4T/DXA | Dynamic Experience Accelerator (DXA) libraries are building blocks to create a custom web application – these libraries do not include Log4J by default. This should be verified by their integrator. | n/a |
2014/11.0.x, 2016/12.0.x, 13/13.0.x, 14/14.0.x | Authoring Bridge for Oxygen | Oxygen Xml Editor is a Java-based editor with extension points. This editor is installed on client machines - not server-side - and is extended with a Java/.NET-based CMS plugin we ship as Authoring Bridge for Oxygen Xml Editor. Inside the glue code that connects the Java-based editor with the .NET-based Authoring Bridge, we make use of .NET-based logging in the packages TrisoftAuthoringBridge-14.0.jar, TrisoftDITAFramework-14.0.jar and TrisoftPlugin-14.0.jar, relying on log4j-core-2.14.0.jar over the AuthoringBridge components. So our AuthoringBridge is not affected by Log4J vulnerabilities. Applying the mitigation and solution for the Java-based Oxygen Xml Editor itself, as described on https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html, is strongly advised. | Oxygen Xml Editor mitigation and solution, duplicated here as described on https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html: 1. To set a system property, edit the application launcher and add a parameter after the <%OXYGEN_JAVA%> token, using the following form: -Dlog4j2.formatMsgNoLookups=true 2. You can also set a system property through a parameter prefixed with <-Doxy> in the command line used to start the application: oxygen20.1.exe "-Dlog4j2.formatMsgNoLookups=true" 3. Restart all Oxygen instances. All system properties are displayed in the System properties tab of the About dialog box to verify whether they are active. |
20211215 Status Update
The Log4J vulnerability - see https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228 , https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://www.lunasec.io/docs/blog/log4j-zero-day/ - also known as Log4Shell or Log4Shock, has been analyzed by the team.
- Tridion Docs server-side is not affected by this vulnerability out of the box. Beware that DITA-OT is the most likely customization to include custom plugins based on Log4J.
- Tridion Docs client-side is not affected by this vulnerability out of the box. Beware that Oxygen Xml Editor is vulnerable as described on https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html - this link contains the mitigation.
There are many public resources to navigate, like https://nvd.nist.gov/vuln/detail/CVE-2021-44228 or https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228 . The important point is that technically only log4j-core-*.jar is vulnerable, as it contains JndiLookup.class between version 2.0-beta9 (including) and 2.15.0 (excluding).
- Besides fixing Log4J by upgrading the JAR libraries to at least 2.15.0, or preferably the latest (2.16.0 at time of writing) since the default behavior has been toggled to disabled in this version, the following mitigations apply:
- Mitigation when using a version higher than or equal to 2.10.0 is to set the system property "log4j2.formatMsgNoLookups" to "true".
- Mitigation on or prior to 2.10.0 is to remove the JndiLookup class from the classpath, for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
So false positives are files that mention Log4J, such as:
- *.properties text files like jetty-logging.properties
- *.mod text files like log4j2-api.mod
- log4j-api-*.jar archives, as they offer the application programming interface to interact with the logging engine but are not affected
- Simple Logging Facade for Java (SLF4J) mentions log4j as one of the logging engines it supports. See http://slf4j.org/log4shell.html
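The rule above (only a log4j-core JAR that still carries JndiLookup.class in the affected range matters; API JARs and text files that merely mention Log4J are false positives) turned into a small triage script. This is an added example, not part of this advisory or of any Tridion Docs tooling; it assumes the JAR version can be read from the Maven pom.properties embedded in the JAR, and all sample JARs and files are constructed in memory.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumed present
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?")

def parse_version(text):
    # '2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 1, 0); pre-releases sort below finals
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    pre = (0, int(m[4])) if m[4] else (1, 0)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) + pre

def classify(name, data):
    if name.lower().endswith((".properties", ".mod")):
        return "false-positive-text"      # jetty-logging.properties, log4j2-api.mod only mention Log4J
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unrelated"
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if JNDI_CLASS not in names:
            if "log4j-api" in name.lower():
                return "false-positive-api"   # the API jar never ships the lookup class
            return "mitigated" if POM_PROPS in names else "unrelated"  # core jar with the class zip -d'ed
        props = jar.read(POM_PROPS).decode() if POM_PROPS in names else ""
    m = re.search(r"^version=(.*)$", props, re.M)
    version = parse_version(m[1]) if m else None
    if version is None or (2, 0, 0, 0, 9) <= version < (2, 15, 0, 0, 2):
        return "vulnerable"               # lookup class present, version in 2.0-beta9 .. <2.15.0-rc2 or unknown
    return "patched" if version >= (2, 15, 0, 0, 2) else "unaffected-version"

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()

def demo():
    samples = {  # constructed in-memory fixtures, not real Log4j builds, mirroring the advisory's cases
        "log4j-core-2.14.1.jar": make_jar({JNDI_CLASS: "", POM_PROPS: "version=2.14.1\n"}),
        "log4j-core-2.14.1-stripped.jar": make_jar({POM_PROPS: "version=2.14.1\n"}),
        "log4j-core-2.16.0.jar": make_jar({JNDI_CLASS: "", POM_PROPS: "version=2.16.0\n"}),
        "log4j-api-2.14.1.jar": make_jar({"org/apache/logging/log4j/Logger.class": ""}),
        "jetty-logging.properties": b"org.eclipse.jetty.LEVEL=INFO\n",
        "log4j2-api.mod": b"[lib]\nlib/logging/log4j-api-*.jar\n",
    }
    return {name: classify(name, data) for name, data in samples.items()}
```

A JAR whose JndiLookup.class was removed with the zip command above is reported as mitigated rather than vulnerable, so the script also confirms that the classpath mitigation was actually applied.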
• IMPORTANT: Critical Apache Log4J2 CVE-2021-44228 Vulnerability (Log4Shell) holds links to all products; the Tridion Docs one is Log4j vulnerability impact on Tridion Docs 14 and other versions
• https://community.veracode.com/s/question/0D53n00008GoHa4CAF/important-consolidated-post-regarding-veracode-guidance-support-for-log4j-vulnerability