CVE-2021-44228 - Remote Code Execution (RCE)

Severity: Critical2021-12-10

Security Advisories

Abstract

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1Critical Oxygen Content Fusion 4.1.4 build 2021121611
Oxygen Content Fusion v3.0Critical Oxygen Content Fusion 3.0.1 build 2021121414
Oxygen Content Fusion v2.0Critical Oxygen Content Fusion 2.0.3 build 2021121417
Oxygen XML Web Author v24.0.0Critical Oxygen XML Web Author 24.0.0 build 2021121314
Oxygen XML Web Author from v23.0.0 to v23.1.1Critical Oxygen XML Web Author 23.1.1.2 build 2021121408
Oxygen XML Web Author v22.1.0 Critical Oxygen XML Web Author 22.1.0.4 build 2021121415
Oxygen Feedback Enterprise 1.4.4 and olderCritical Oxygen Feedback Enterprise 1.4.5 build 2021121314
Oxygen XML Publishing Engine v24.0Critical Oxygen Publishing Engine 24.0 build 2021121611
Oxygen XML Publishing Engine v23.0 and v23.1Critical Oxygen Publishing Engine 23.1 build 2021121413
Oxygen XML Publishing Engine v22.1Critical Oxygen Publishing Engine 22.1 build 2021121712
Oxygen XML WebHelp v24.0Critical Oxygen XML WebHelp 24.0 build 2021121511
Oxygen XML WebHelp v23.0 and v23.1Critical Oxygen XML WebHelp 23.1 build 2021121412
Oxygen XML WebHelp v22.1Critical Oxygen XML WebHelp 22.1 build 2021121712
Oxygen PDF Chemistry v24.0Critical Oxygen PDF Chemistry 24.0 build 2021121611
Oxygen PDF Chemistry v23.0 and v23.1Critical Oxygen PDF Chemistry 23.1 build 2021121413
Oxygen PDF Chemistry v22.1Critical Oxygen PDF Chemistry 22.1 build 2021121712
Oxygen License Server from v22.1 to v24.0Critical Oxygen License Server 24.0 build 2021121311
Oxygen XML Author v24.0Critical Oxygen XML Author 24.0 build 2021121518
Oxygen XML Author v23.0 and v23.1Critical Oxygen XML Author 23.1 build 2021121415
Oxygen XML Author v22.1Critical Oxygen XML Author 22.1 build 2021121715
Oxygen XML Author between v16.1 and v22.0CriticalSee mitigation section
Oxygen XML Developer v24.0Critical Oxygen XML Developer 24.0 build 2021121518
Oxygen XML Developer v23.0 and v23.1Critical Oxygen XML Developer 23.1 build 2021121415
Oxygen XML Developer v22.1Critical Oxygen XML Developer 22.1 build 2021121715
Oxygen XML Developer between v16.1 and v22.0CriticalSee mitigation section
Oxygen XML Editor v24.0Critical Oxygen XML Editor 24.0 build 2021121518
Oxygen XML Editor v23.0 and v23.1Critical Oxygen XML Editor 23.1 build 2021121415
Oxygen XML Editor v22.1Critical Oxygen XML Editor 22.1 build 2021121715
Oxygen XML Editor between v16.1 and v22.0CriticalSee mitigation section
Oxygen SDK v22.1.0.0Critical Update to version 22.1.0.6
Oxygen SDK from v23.0.0.0 to v23.1.0.0Critical Update to version 23.1.0.4
Oxygen SDK v24.0.0.0Critical Update to version v24.0.0.2
Web Author PDF Plugin v24.0.0.0Critical Web Author PDF Plugin 24.0.0.1
Web Author PDF Plugin v23.0.0.0Critical Web Author PDF Plugin 23.1.1.2
Oxygen Web Author Test Server Add-on between v22.1.0 and v24.0.0Critical Update to version 22.1.1, 23.1.2 or 24.0.1
XSD to JSON Schema Converter between v22.0 and v24.0Critical Update to version 22.1.1, 23.1.1 or 24.0.1
Git Client v3.0.0 and olderCritical Update to version 3.0.1
Batch Documents Converter v3.2.0 and olderCritical Update to version 3.2.1

Mitigation

First please check in the Affected Products/Versions table if a fix is available for your current version and update your installation to use the new maintenance build.

Otherwise, if you cannot upgrade the application, patch or update the Log4j library:

  • If you are using Oxygen XML Editor/Author/Developer/Web Author, use the oxygen-log4j-patcher.
  • If you are using Oxygen Content Fusion, use the content-fusion-log4j-patcher.
  • For other scenarios:
    • Scan your system for occurences of the log4j-core JAR file.
    • Stop your running Java application (e.g. Oxygen XML Editor)
    • Delete the JndiLookup class from those JAR files, for example using a the following command on a Linux system:
      zip *.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For additional details please see also Log4Shell - Oxygen XML Vulnerability Analysis FAQ

Oxygen Web Author Test Server Add-on / XSD to JSON Schema Converter / Git Client / Batch Documents Converter:
If you cannot upgrade to the updated fix version, uninstall the plugin.

Detail

CVE-2021-44228

Severity: Critical

CVSS Score: 10

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.

Revision History

2021-12-20 Add recommendation to use the oxygen-log4j-patcher and content-fusion-log4j-patcher as mitigation.

2021-12-17 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 22.1 build 2021121715 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-17 Oxygen Publishing Engine:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-17 Oxygen XML WebHelp:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-17 Oxygen PDF Chemistry:
Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-17 Updated the Mitigation section to match the latest mitigation recommendations from Apache Log4j.

2021-12-16 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 24.0 build 2021121518 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen XML Web Author:
Starting with version 24.0.0 build 2021121314 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen Content Fusion:
Starting with version 4.1.4 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen Publishing Engine:
Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen XML WebHelp:
Starting with version 24.0 build 2021121511 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen PDF Chemistry:
Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-16 Oxygen License Server:
Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-15 Web Author PDF Plugin:
Starting with version 24.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-15 Oxygen Web Author Test Server Add-on:
Starting with version 24.0.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
Starting with version 22.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-15 XSD to JSON Schema Converter:
Starting with version 24.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
Starting with version 23.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-15 Git Client:
Starting with version 3.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-15 Batch Documents Converter:
Starting with version 3.2.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author:
Starting with version 24.0 build 2021121317 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1 build 2021121415 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen XML Web Author:
Starting with version 24.0.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1.1.2 build 2021121408 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen Content Fusion:
Starting with version 4.1.3 build 2021121315 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 3.0.1 build 2021121414 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen Feedback Enterprise:
Starting with version 1.4.5 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen Publishing Engine:
Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen XML WebHelp:
Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.0 build 2021121412 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen PDF Chemistry:
Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.

2021-12-14 Oxygen License Server:
Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.

2021-12-13 Updated mitigation procedure and linked FAQ web page for more information.

List of Security Advisories