CVE-2021-45046 - Remote Code Execution (RCE)
Severity: Low2021-12-15
Abstract
It was found that the fix to address CVE-2021-44228 in Apache Log4j
2.15.0 was incomplete in certain non-default configurations. This could allows attackers
with control over Thread Context Map (MDC) input data when the logging configuration uses a
non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a
Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI
Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI
LDAP lookups to localhost by default. Note that previous mitigations involving configuration
such as to set the system property log4j2.noFormatMsgLookup to true do NOT
mitigate this specific vulnerability.
The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen Content Fusion v4.1 | Low | Oxygen Content Fusion 4.1.4 build 2021121611 |
| Oxygen Content Fusion v3.0 | Low | Oxygen Content Fusion 3.0.1 build 2021121414 |
| Oxygen Content Fusion v2.0 | Low | Oxygen Content Fusion 2.0.3 build 2021121417 |
| Oxygen XML Web Author v24.0.0 | Low | Oxygen XML Web Author 24.0.0.2 build 2021121606 |
| Oxygen XML Web Author from v23.0.0 to v23.1.1 | Low | Oxygen XML Web Author 23.1.1.2 build 2021121408 |
| Oxygen XML Web Author v22.1.0 | Low | Oxygen XML Web Author 22.1.0.4 build 2021121415 |
| Oxygen Feedback Enterprise 1.4.5 and older | Low | Oxygen Feedback Enterprise 1.4.6 build 2021121512 |
| Oxygen XML Publishing Engine v24.0 | Low | Oxygen Publishing Engine 24.0 build 2021121611 |
| Oxygen XML Publishing Engine v23.0 and v23.1 | Low | Oxygen Publishing Engine 23.1 build 2021121413 |
| Oxygen XML Publishing Engine v22.1 | Low | Oxygen Publishing Engine 22.1 build 2021121712 |
| Oxygen XML WebHelp v24.0 | Low | Oxygen XML WebHelp 24.0 build 2021121511 |
| Oxygen XML WebHelp v23.0 and v23.1 | Low | Oxygen XML WebHelp 23.1 build 2021121412 |
| Oxygen XML WebHelp v22.1 | Low | Oxygen XML WebHelp 22.1 build 2021121712 |
| Oxygen PDF Chemistry v24.0 | Low | Oxygen PDF Chemistry 24.0 build 2021121611 |
| Oxygen PDF Chemistry v23.0 and v23.1 | Low | Oxygen PDF Chemistry 23.1 build 2021121413 |
| Oxygen PDF Chemistry v22.1 | Low | Oxygen PDF Chemistry 22.1 build 2021121712 |
| Oxygen License Server from v22.1 to v24.0 | Low | Oxygen License Server 24.0 build 2021121512 |
| Oxygen XML Author v24.0 | Low | Oxygen XML Author 24.0 build 2021121518 |
| Oxygen XML Author v23.0 and v23.1 | Low | Oxygen XML Author 23.1 build 2021121415 |
| Oxygen XML Author v22.1 | Low | Oxygen XML Author 22.1 build 2021121715 |
| Oxygen XML Author between v16.1 and v22.0 | Low | See mitigation section |
| Oxygen XML Developer v24.0 | Low | Oxygen XML Developer 24.0 build 2021121518 |
| Oxygen XML Developer v23.0 and v23.1 | Low | Oxygen XML Developer 23.1 build 2021121415 |
| Oxygen XML Developer v22.1 | Low | Oxygen XML Developer 22.1 build 2021121715 |
| Oxygen XML Developer between v16.1 and v22.0 | Low | See mitigation section |
| Oxygen XML Editor v24.0 | Low | Oxygen XML Editor 24.0 build 2021121518 |
| Oxygen XML Editor v23.0 and v23.1 | Low | Oxygen XML Editor 23.1 build 2021121415 |
| Oxygen XML Editor v22.1 | Low | Oxygen XML Editor 22.1 build 2021121715 |
| Oxygen XML Editor between v16.1 and v22.0 | Low | See mitigation section |
| Oxygen SDK v22.1.0.0 | Low | Update to version 22.1.0.6 |
| Oxygen SDK from v23.0.0.0 to v23.1.0.0 | Low | Update to version 23.1.0.4 |
| Oxygen SDK v24.0.0.0 | Low | Update to version v24.0.0.2 |
| Web Author PDF Plugin v24.0.0.0 | Low | Web Author PDF Plugin 24.0.0.2 |
| Web Author PDF Plugin v23.0.0.0 | Low | Web Author PDF Plugin 23.1.1.2 |
| Oxygen Web Author Test Server Add-on between v22.1.0 and v24.0.0 | Low | Update to version 22.1.1, 23.1.2 or 24.0.1 |
| XSD to JSON Schema Converter between v22.0 and v24.0 | Low | Update to version 22.1.1, 23.1.1 or 24.0.1 |
| Git Client v3.0.0 and older | Low | Update to version 3.0.1 |
| Batch Documents Converter v3.2.0 and older | Low | Update to version 3.2.1 |
Mitigation
This behavior can be mitigated by removing the the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Detail
CVE-2021-45046
Severity: Critical
CVSS Score: 9.0
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45046 vulnerability description. However, our default configuration doe not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.
Revision History
2021-12-21 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML
Author:
Starting with version 24.0 build 2021121518 the Apache Log4j
library was updated to version 2.16. This version is not affected anymore by this
vulnerability.
Starting with version 23.1 build 2021121415 the Apache Log4j library
was updated to version 2.16. This version is not affected anymore by this vulnerability.
Starting with version 22.1 build 2021121715 the Apache Log4j
library was updated to version 2.16. This version is not affected anymore by this
vulnerability.
2021-12-21 Oxygen XML Web Author:
Starting with version 24.0.0
build 2021121314 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
Starting with version 23.1.1.2 build
2021121408 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
2021-12-21 Oxygen Content Fusion:
Starting with version 4.1.4
build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
Starting with version 3.0.1 build
2021121414 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
2021-12-21 Oxygen Feedback Enterprise:
Starting with version
1.4.5 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is
not affected anymore by this vulnerability.
2021-12-21 Oxygen Publishing Engine:
Starting with version
24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is
not affected anymore by this vulnerability.
Starting with version 23.1 build
2021121413 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
Starting with version
22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is
not affected anymore by this vulnerability.
2021-12-21 Oxygen XML WebHelp:
Starting with version 24.0
build 2021121511 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
Starting with version 23.0 build 2021121412
the Apache Log4j library was updated to version 2.16. This version is not affected anymore
by this vulnerability.
Starting with version 22.1
build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
2021-12-21 Oxygen PDF Chemistry:
Starting with version 24.0
build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
Starting with version 23.1 build 2021121413
the Apache Log4j library was updated to version 2.16. This version is not affected anymore
by this vulnerability.
Starting with version 22.1
build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
2021-12-21 Oxygen License Server:
Starting with version 24.0
build 2021121311 the Apache Log4j library was updated to version 2.16. This version is not
affected anymore by this vulnerability.
2021-12-21 Web Author PDF Plugin:
Starting with version 24.0.1
the Apache Log4j library was updated to version 2.15. This version is not affected anymore
by this vulnerability.
Starting with version 23.1.1.2 the Apache Log4j library was
updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen Web Author Test Server Add-on:
Starting with
version 24.0.0.1 the Apache Log4j library was updated to version 2.15. This version is not
affected anymore by this vulnerability.
Starting with version 23.1.2 the Apache
Log4j library was updated to version 2.16. This version is not affected anymore by this
vulnerability.
Starting with version 22.1.1 the Apache Log4j library was updated to
version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 XSD to JSON Schema Converter:
Starting with version
24.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected
anymore by this vulnerability.
Starting with version 23.1.1 the Apache Log4j library
was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Git Client:
Starting with version 3.0.1 the Apache
Log4j library was updated to version 2.16. This version is not affected anymore by this
vulnerability.
2021-12-21 Batch Documents Converter:
Starting with version
3.2.1 the Apache Log4j library was updated to version 2.16. This version is not affected
anymore by this vulnerability.
