Log4j CVE-2021-44228 vulnerability impact on MultiTrans products
000017739|12/14/2021 10:12 PM
MultiTrans Flow version 6.x and above
A critical vulnerability was discovered in Log4j, a widely used Apache logging framework. This library is used in applications worldwide, including Flow, which is vulnerable to exploitation of this Apache bug.
MultiTrans does not use Java, so it is not affected by this vulnerability and no action is required. Flow, however, is affected by this vulnerability; if it is installed on your server, we encourage you to mitigate the risk immediately.
To check whether Flow is installed on your server, look for MultiTrans Flow in the list of installed programs.
Based on the information that is currently available, versions 1.x of log4j are not vulnerable to CVE-2021-44228; therefore MultiTrans Flow version 5.7 is not vulnerable to this particular exploit. It should be noted that both MultiTrans Flow 5.7 and versions 1.x of log4j are end-of-life and no longer supported.
Steps to mitigate this vulnerability:
Stop the MultiTrans Flow service.
Add the parameter -Dlog4j2.formatMsgNoLookups=true to --JvmOptions in C:\Program Files\Donnelley\MultiTrans Flow 64\service_install.bat.
Copy the attached log4j2.xml file to C:\Program Files\Donnelley\MultiTrans Flow 64\JBoss - EWS\share\apache-tomcat-X.X.XX\webapps\ROOT\WEB-INF\classes, where X.X.XX is the precise Apache Tomcat version number that you have installed.
Run as administrator the service_remove.bat file at C:\Program Files\Donnelley\MultiTrans Flow 64\.
Run as administrator the previously edited service_install.bat at C:\Program Files\Donnelley\MultiTrans Flow 64\.
Start the MultiTrans Flow service.
You can validate that the above steps were successful by monitoring the log file at C:\Program Files\Donnelley\MultiTrans Flow 64\runtime\logs\error.log. The following will appear:
INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true
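The following script is an added verification helper for the mitigation steps above; it is not part of the MultiTrans advisory. It checks the three observable results of the procedure (the flag in --JvmOptions, the deployed log4j2.xml, and the confirmation line in error.log) using the paths given in the advisory; the service name, Tomcat version and sample file contents are constructed.

```python
# Added helper (not the vendor's code) to verify the Log4j mitigation on a Flow server.
import re
from pathlib import Path

FLAG = "-Dlog4j2.formatMsgNoLookups=true"

def jvm_options_have_flag(bat_text: str) -> bool:
    """True if FLAG is one of the values passed to --JvmOptions in service_install.bat.
    Tomcat's service script separates multiple JVM options with ';' (or '#').
    Note: this property only takes effect on Log4j 2.10 and later."""
    match = re.search(r'--JvmOptions\s+"?([^"\r\n]+)', bat_text)
    if not match:
        return False
    options = [o.strip() for o in re.split(r"[;#\s]+", match.group(1)) if o.strip()]
    return FLAG in options

def log_confirms_flag(log_text: str) -> bool:
    """True if error.log shows Tomcat started with FLAG on its command line,
    i.e. the line the advisory says to look for after restarting the service."""
    return any(
        "VersionLoggerListener" in line
        and line.rstrip().endswith("Command line argument: " + FLAG)
        for line in log_text.splitlines()
    )

def check_flow_install(install_dir: Path) -> dict:
    """Run all three checks against a real Flow installation directory."""
    bat = install_dir / "service_install.bat"
    log = install_dir / "runtime" / "logs" / "error.log"
    tomcat_dirs = (install_dir / "JBoss - EWS" / "share").glob("apache-tomcat-*")
    xml_ok = any((d / "webapps" / "ROOT" / "WEB-INF" / "classes" / "log4j2.xml").is_file()
                 for d in tomcat_dirs)
    return {
        "jvm_option_set": bat.is_file() and jvm_options_have_flag(bat.read_text(errors="replace")),
        "log4j2_xml_deployed": xml_ok,
        "startup_confirmed": log.is_file() and log_confirms_flag(log.read_text(errors="replace")),
    }

# Constructed samples: a service_install.bat line before and after the edit,
# and two error.log lines of the kind Tomcat prints on restart.
BAT_BEFORE = 'tomcat.exe //US//FlowService --JvmOptions "-Djava.io.tmpdir=%CATALINA_BASE%\\temp" --JvmMs 256'
BAT_AFTER = ('tomcat.exe //US//FlowService --JvmOptions '
             '"-Djava.io.tmpdir=%CATALINA_BASE%\\temp;-Dlog4j2.formatMsgNoLookups=true" --JvmMs 256')
LOG_AFTER = (
    "INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\\Temp\n"
    "INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true\n"
)

if __name__ == "__main__":
    print(check_flow_install(Path(r"C:\Program Files\Donnelley\MultiTrans Flow 64")))
```

Run it on the Flow server after step 6; all three values in the result should be True.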
This configuration change will be included by default in the January release of MultiTrans 7.0; following that release, MultiTrans will not be susceptible to this exploit. The Java framework in MultiTrans will also be upgraded in the January release for security purposes.
The Log4J library will be updated in a future release of MultiTrans, following a full investigation of the ramifications of this upgrade.