CVE-2021-44228 - Remote Code Execution (RCE)
Severity: Critical
Published: 2021-12-10
Abstract
Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior is disabled by default.
The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v4.1 | Critical | Oxygen Content Fusion 4.1.4 build 2021121611 |
Oxygen Content Fusion v3.0 | Critical | Oxygen Content Fusion 3.0.1 build 2021121414 |
Oxygen Content Fusion v2.0 | Critical | Oxygen Content Fusion 2.0.3 build 2021121417 |
Oxygen XML Web Author v24.0.0 | Critical | Oxygen XML Web Author 24.0.0.2 build 2021121606 |
Oxygen XML Web Author from v23.0.0 to v23.1.1 | Critical | Oxygen XML Web Author 23.1.1.2 build 2021121408 |
Oxygen XML Web Author v22.1.0 | Critical | Oxygen XML Web Author 22.1.0.4 build 2021121415 |
Oxygen Feedback Enterprise 1.4.4 and older | Critical | Oxygen Feedback Enterprise 1.4.6 build 2021121512 |
Oxygen XML Publishing Engine v24.0 | Critical | Oxygen Publishing Engine 24.0 build 2021121611 |
Oxygen XML Publishing Engine v23.0 and v23.1 | Critical | Oxygen Publishing Engine 23.1 build 2021121413 |
Oxygen XML Publishing Engine v22.1 | Critical | Oxygen Publishing Engine 22.1 build 2021121712 |
Oxygen XML WebHelp v24.0 | Critical | Oxygen XML WebHelp 24.0 build 2021121511 |
Oxygen XML WebHelp v23.0 and v23.1 | Critical | Oxygen XML WebHelp 23.1 build 2021121412 |
Oxygen XML WebHelp v22.1 | Critical | Oxygen XML WebHelp 22.1 build 2021121712 |
Oxygen PDF Chemistry v24.0 | Critical | Oxygen PDF Chemistry 24.0 build 2021121611 |
Oxygen PDF Chemistry v23.0 and v23.1 | Critical | Oxygen PDF Chemistry 23.1 build 2021121413 |
Oxygen PDF Chemistry v22.1 | Critical | Oxygen PDF Chemistry 22.1 build 2021121712 |
Oxygen License Server from v22.1 to v24.0 | Critical | Oxygen License Server 24.0 build 2021121512 |
Oxygen XML Author v24.0 | Critical | Oxygen XML Author 24.0 build 2021121518 |
Oxygen XML Author v23.0 and v23.1 | Critical | Oxygen XML Author 23.1 build 2021121415 |
Oxygen XML Author v22.1 | Critical | Oxygen XML Author 22.1 build 2021121715 |
Oxygen XML Author between v16.1 and v22.0 | Critical | See mitigation section |
Oxygen XML Developer v24.0 | Critical | Oxygen XML Developer 24.0 build 2021121518 |
Oxygen XML Developer v23.0 and v23.1 | Critical | Oxygen XML Developer 23.1 build 2021121415 |
Oxygen XML Developer v22.1 | Critical | Oxygen XML Developer 22.1 build 2021121715 |
Oxygen XML Developer between v16.1 and v22.0 | Critical | See mitigation section |
Oxygen XML Editor v24.0 | Critical | Oxygen XML Editor 24.0 build 2021121518 |
Oxygen XML Editor v23.0 and v23.1 | Critical | Oxygen XML Editor 23.1 build 2021121415 |
Oxygen XML Editor v22.1 | Critical | Oxygen XML Editor 22.1 build 2021121715 |
Oxygen XML Editor between v16.1 and v22.0 | Critical | See mitigation section |
Oxygen SDK v22.1.0.0 | Critical | Update to version 22.1.0.6 |
Oxygen SDK from v23.0.0.0 to v23.1.0.0 | Critical | Update to version 23.1.0.4 |
Oxygen SDK v24.0.0.0 | Critical | Update to version v24.0.0.2 |
Web Author PDF Plugin v24.0.0.0 | Critical | Web Author PDF Plugin 24.0.0.1 |
Web Author PDF Plugin v23.0.0.0 | Critical | Web Author PDF Plugin 23.1.1.2 |
Oxygen Web Author Test Server Add-on between v22.1.0 and v24.0.0 | Critical | Update to version 22.1.1, 23.1.2 or 24.0.1 |
XSD to JSON Schema Converter between v22.0 and v24.0 | Critical | Update to version 22.1.1, 23.1.1 or 24.0.1 |
Git Client v3.0.0 and older | Critical | Update to version 3.0.1 |
Batch Documents Converter v3.2.0 and older | Critical | Update to version 3.2.1 |
Mitigation
First, check the Affected Products/Versions table for a fix for your current version and update your installation to the new maintenance build.
Otherwise, if you cannot upgrade the application, patch or update the Log4j library:
- If you are using Oxygen XML Editor/Author/Developer/Web Author, use the oxygen-log4j-patcher.
- If you are using Oxygen Content Fusion, use the content-fusion-log4j-patcher.
- For other scenarios:
  - Scan your system for occurrences of the log4j-core JAR file.
  - Stop your running Java application (e.g. Oxygen XML Editor).
  - Delete the JndiLookup class from those JAR files. On a Linux system this can be done in one pass with the following command (the -d flag makes zip delete the entry; without it, zip would try to add the path to the archive instead):
    find / -name 'log4j-core-*.jar' -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;
  - Verify that the entry is gone before restarting the application, for example with:
    unzip -l log4j-core-*.jar | grep JndiLookup
For additional details please see also Log4Shell - Oxygen XML Vulnerability Analysis FAQ.
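The manual procedure above (find every log4j-core JAR, check whether it still ships JndiLookup.class, remove that entry and re-verify) is shown below as an added example written for this page; it is not the oxygen-log4j-patcher or any Oxygen or Apache code. It uses only the Python standard library, rewrites the JAR without the lookup entry (zipfile cannot delete in place, so this is the equivalent of zip -q -d), and builds its own constructed sample JARs in a temporary directory so it runs offline. The file-name pattern, the "affected" cut-off of 2.14.1 taken from the Abstract, and the placeholder class bytes are assumptions of this example.

```python
"""Scan a directory tree for log4j-core JARs and neutralise the JNDI lookup class.

Added example for this advisory (not Oxygen's oxygen-log4j-patcher and not
Apache code). It implements the manual mitigation: locate log4j-core JAR
files, report their version and whether JndiLookup.class is present, and
optionally rewrite the JAR without that entry.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Entry named in the advisory's mitigation step.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed file-name convention, e.g. log4j-core-2.14.1.jar (captures the version).
CORE_JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
# Cut-off from the Abstract: Log4j2 <= 2.14.1 is affected.
LAST_AFFECTED = (2, 14, 1)


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_log4j_core_jars(root):
    """Walk root and return sorted (path, version) pairs for log4j-core JARs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = CORE_JAR_RE.match(name)
            if match:
                hits.append((os.path.join(dirpath, name), match.group(1)))
    return sorted(hits)


def jar_entries(jar_path):
    """List the entry names inside a JAR (a JAR is a zip archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_path):
    return JNDI_LOOKUP in jar_entries(jar_path)


def remove_jndi_lookup(jar_path):
    """Rewrite the JAR without JndiLookup.class; True if an entry was removed.

    zipfile cannot delete in place, so every other entry is copied to a new
    archive which then atomically replaces the original (same effect as
    `zip -q -d jar org/.../JndiLookup.class`).
    """
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
    os.close(fd)
    removed = False
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp_path, jar_path)
    else:
        os.remove(tmp_path)
    return removed


def triage(root, fix=False):
    """Report every log4j-core JAR under root; with fix=True also remove the entry.

    The report re-checks the JAR after the rewrite, so 'jndi_lookup_present'
    reflects the state on disk, not what the code intended to do.
    """
    report = {}
    for path, version in find_log4j_core_jars(root):
        present = has_jndi_lookup(path)
        if fix and present:
            remove_jndi_lookup(path)
            present = has_jndi_lookup(path)
        report[path] = {
            "version": version,
            "affected_version": version_tuple(version) <= LAST_AFFECTED,
            "jndi_lookup_present": present,
        }
    return report


def build_sample_tree():
    """Constructed fixture: an affected-version JAR that still ships the lookup
    class and a non-affected-version JAR built without it. The class bytes are
    placeholders, not real compiled classes."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    fake_class = b"\xca\xfe\xba\xbe placeholder"
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, fake_class)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.16.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    return root


def cleanup_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    for jar, info in triage(sample, fix=True).items():
        print(jar, info)
    cleanup_sample_tree(sample)
```

Run it against a real installation with triage("/path/to/install", fix=False) first to get an inventory, stop the Java process as the advisory says, and only then run with fix=True; the report's "affected_version" column comes from the file name only, so a JAR renamed without its version is still checked for the class entry but reported with no version match.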
Oxygen Web Author Test Server Add-on / XSD to JSON Schema Converter / Git Client / Batch Documents Converter:
If you cannot upgrade to the updated fix version, uninstall the plugin.
Detail
CVE-2021-44228
Severity: Critical
CVSS Score: 10
The Apache Log4j2 third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.
Revision History
2021-12-20 Added the recommendation to use the oxygen-log4j-patcher and content-fusion-log4j-patcher as mitigation.
2021-12-17 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 22.1 build 2021121715 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-17 Oxygen Publishing Engine:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-17 Oxygen XML WebHelp:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-17 Oxygen PDF Chemistry:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-17 Updated the Mitigation section to match the latest mitigation recommendations from Apache Log4j.
2021-12-16 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 24.0 build 2021121518 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen XML Web Author:
Starting with version 24.0.0.2 build 2021121606 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen Content Fusion:
Starting with version 4.1.4 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen Publishing Engine:
Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen XML WebHelp:
Starting with version 24.0 build 2021121511 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen PDF Chemistry:
Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-16 Oxygen License Server:
Starting with version 24.0 build 2021121512 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-15 Web Author PDF Plugin:
Starting with version 24.0.1 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1.1.2 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-15 Oxygen Web Author Test Server Add-on:
Starting with version 24.0.0.1 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1.2 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
Starting with version 22.1.1 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-15 XSD to JSON Schema Converter:
Starting with version 24.0.1 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
Starting with version 23.1.1 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-15 Git Client:
Starting with version 3.0.1 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-15 Batch Documents Converter:
Starting with version 3.2.1 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 24.0 build 2021121317 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1 build 2021121415 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen XML Web Author:
Starting with version 24.0.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1.1.2 build 2021121408 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen Content Fusion:
Starting with version 4.1.3 build 2021121315 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 3.0.1 build 2021121414 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen Feedback Enterprise:
Starting with version 1.4.5 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen Publishing Engine:
Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen XML WebHelp:
Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.0 build 2021121412 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen PDF Chemistry:
Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is no longer affected by this vulnerability.
2021-12-14 Oxygen License Server:
Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is no longer affected by this vulnerability.
2021-12-13 Updated the mitigation procedure and linked the FAQ web page for more information.