Cookie Consent by FreePrivacyPolicy for i-Sprint Innovations

Support

Support2022-11-30T16:37:08+08:00

Login to Support Portal

Software Maintenance and Support Services

i-Sprint’s Global Software Maintenance and Support Services (“GSS”) defines the scope of maintenance and support services (“Maintenance Services”) agreed between i-Sprint Innovations Pte Ltd or its group of companies (“i-Sprint”) and Customer for i-Sprint’s software product and solution offerings, namely, ‘AccessMatrix’, ‘AccessReal’, and ‘YESsafe’.

The GSS and i-Sprint’s end-user software license agreement (“EULA”) both form an integral part of the applicable agreements between i-Sprint and Customer.

Technical support may no longer be offered for non-shipping versions of any of i-Sprint’s software products. i-Sprint reserves the right to revise the product support policy, at any time, without prior notice.

This page consists of the following tabs

  • General Announcement  – contains the latest update on product and security related information
  • Services & Legal/ Support Documents  – contains the service, legal and support documents

Apache Java Logging Library Log4j2 Vulnerabilities and Mitigation (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)2021-12-22T21:43:42+08:00

Summary

There are vulnerabilities in the Apache Log4j2 open-source library used by AccessMatrix. Only AccessMatrix version 5.6.5 & later are affected by the Log4j2 vulnerabilities.

i-Sprint recommends our customers using AccessMatrix AM Server and other AM Web Applications (CLP / OAuthProxy / USO Server / USO SSF / UAS TAP) version 5.6.5 or later to take note of the following information to mitigate the vulnerabilities.

Vulnerability Information

AccessMatrix version 5.6.5 or later, i.e. 5.6.5 to 5.7.1, is bundled with Apache Log4j2 2.11.2 or later. These versions are affected by the recent Apache Log4j2 security vulnerabilities. In the bundled Apache Tomcat deployment, the affected versions are by default bundled with Java 8 or above. Apache has provided patches to address the Log4j2 vulnerabilities issue:

  • CVE-2021-44228 – AccessMatrix 5.6.5 or later is affected; Apache has released Log4j2 2.15.0 as permanent mitigation, and AccessMatrix 5.6.5 or later supports direct patching of bundled Log4j2 to this Log4j2 2.15.0.
  • CVE-2021-45046 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.16.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.16.0.
  • CVE-2021-45105 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.17.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.17.0.

Conclusion:

  • For AccessMatrix 5.6.5 or later (and using Java 8 or later), patch directly AccessMatrix bundled Log4j2 to 2.17.0 as direct permanent mitigation to the above-published security vulnerabilities.
  • For AccessMatrix 5.6.5 or later (and using Java 7 or earlier), please consult i-Sprint’s global support consultant.
  • For AccessMatrix 5.6.4 or earlier, NO action is needed.

Instructions

You should first find out the current AccessMatrix version to determine if it is affected by the abovementioned Log4j2 vulnerabilities. To do so, access the AccessMatrix Admin Console and then click on the ‘Help’ -> ‘About’ menu option. You should be able to see the current AM Server version shown on the ‘About AccessMatrix’ dialog box.

Please download the following patched files by clicking on the link:

If you are unable to download the patched files from the above link, you may download them from Apache official website at https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip

Once downloaded the patched files, please patch the three JARs as described below:

  1. For each AM Server service running in high availability (HA) architecture, you should apply the following to each server in turn.
  2. Stop AM Server service.
  3. Remove the following three files from am5/WEB-INF/lib (for backing up, you must move the three files to another folder outside of the current am5 web app folder):
    • oss-org-apache-log4j-core-2.12.0.jar or log4j-core-2.12.0.jar
    • oss-org-apache-log4j-api-2.12.0.jar or log4j-api-2.12.0.jar
    • oss-org-apache-log4j-1.2-api-2.12.0.jar or log4j-1.2-api-2.12.0.jar
  1. Copy the following three files (from the downloaded patched files) to am5/WEB-INF/lib:
    • oss-org-apache-log4j-core-2.17.0.jar
    • oss-org-apache-log4j-api-2.17.0.jar
    • oss-org-apache-log4j-1.2-api-2.17.0.jar

Note: If you have downloaded the patched files from the Apache official website, you will have to rename the above mentioned three files accordingly.

  1. If there are web apps other than ‘am5’, replace the JAR files (refer to steps 3 and 4) in each web app’s /WEB-INF/lib folder.
  2. If you have applied the JVM parameter ‘-Dlog4j2.noFormatMsgLookup=true’ in earlier patching activity, you may remove such JVM parameter.
  3. Start AM Server service.

If you encountered any issue downloading the patch file or any of the mentioned steps, please contact i-Sprint’s support at support@i-sprint.com

Disclaimer


Website Contents

The information contained on this website, including without limitation, “Product Release & Support” and any reference data (“Contents”), should not be interpreted as legally binding commitments, but rather as flexible information subject to change from time to time. The Contents are for information purposes only. I-SPRINT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, BY POSTING THE CONTENTS ON THIS WEBSITE.

Addition, Modification, and Deletion

i-Sprint may add, modify or delete any of the information on this website from time to time without providing any notice. Please check out i-Sprint online information periodically to keep informed of any updates.

The information on this page is subject to the Disclaimer.

Last modified:11/Oct/2022

Go to Top