Summary

There are vulnerabilities in the Apache Log4j2 open-source library used by AccessMatrix. Only AccessMatrix version 5.6.5 & later are affected by the Log4j2 vulnerabilities.

i-Sprint recommends our customers using AccessMatrix AM Server and other AM Web Applications (CLP / OAuthProxy / USO Server / USO SSF / UAS TAP) version 5.6.5 or later to take note of the following information to mitigate the vulnerabilities.

Vulnerability Information

AccessMatrix version 5.6.5 or later, i.e. 5.6.5 to 5.7.1, is bundled with Apache Log4j2 2.11.2 or later. These versions are affected by the recent Apache Log4j2 security vulnerabilities. In the bundled Apache Tomcat deployment, the affected versions are by default bundled with Java 8 or above. Apache has provided patches to address the Log4j2 vulnerabilities issue:

  • CVE-2021-44228 – AccessMatrix 5.6.5 or later is affected; Apache has released Log4j2 2.15.0 as permanent mitigation, and AccessMatrix 5.6.5 or later supports direct patching of bundled Log4j2 to this Log4j2 2.15.0.
  • CVE-2021-45046 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.16.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.16.0.
  • CVE-2021-45105 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.17.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.17.0.

Conclusion:

  • For AccessMatrix 5.6.5 or later (and using Java 8 or later), patch directly AccessMatrix bundled Log4j2 to 2.17.0 as direct permanent mitigation to the above-published security vulnerabilities.
  • For AccessMatrix 5.6.5 or later (and using Java 7 or earlier), please consult i-Sprint’s global support consultant.
  • For AccessMatrix 5.6.4 or earlier, NO action is needed.

Instructions

You should first find out the current AccessMatrix version to determine if it is affected by the abovementioned Log4j2 vulnerabilities. To do so, access the AccessMatrix Admin Console and then click on the ‘Help’ -> ‘About’ menu option. You should be able to see the current AM Server version shown on the ‘About AccessMatrix’ dialog box.

Please download the following patched files by clicking on the link:

If you are unable to download the patched files from the above link, you may download them from Apache official website at https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip

Once downloaded the patched files, please patch the three JARs as described below:

  1. For each AM Server service running in high availability (HA) architecture, you should apply the following to each server in turn.
  2. Stop AM Server service.
  3. Remove the following three files from am5/WEB-INF/lib (for backing up, you must move the three files to another folder outside of the current am5 web app folder):
    • oss-org-apache-log4j-core-2.12.0.jar or log4j-core-2.12.0.jar
    • oss-org-apache-log4j-api-2.12.0.jar or log4j-api-2.12.0.jar
    • oss-org-apache-log4j-1.2-api-2.12.0.jar or log4j-1.2-api-2.12.0.jar
  1. Copy the following three files (from the downloaded patched files) to am5/WEB-INF/lib:
    • oss-org-apache-log4j-core-2.17.0.jar
    • oss-org-apache-log4j-api-2.17.0.jar
    • oss-org-apache-log4j-1.2-api-2.17.0.jar

Note: If you have downloaded the patched files from the Apache official website, you will have to rename the above mentioned three files accordingly.

  1. If there are web apps other than ‘am5’, replace the JAR files (refer to steps 3 and 4) in each web app’s /WEB-INF/lib folder.
  2. If you have applied the JVM parameter ‘-Dlog4j2.noFormatMsgLookup=true’ in earlier patching activity, you may remove such JVM parameter.
  3. Start AM Server service.

If you encountered any issue downloading the patch file or any of the mentioned steps, please contact i-Sprint’s support at support@i-sprint.com