Log4Shell (CVE-2021-44228) - How is PaperCut Affected?
Last modified on 21 May 2022 03:51 AM

Latest update (March 24th, 2022)

  • PaperCut MF/NG version 21.2.8 maintenance release is now publicly available. This maintenance release includes all fixes from previous releases, including log4j 2.17.1 - and in addition removes any dependencies on log4j 1.x. Please note that after upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed - e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
  • Payment Gateway module version 219 - an updated (Jan 27th) version of the Payment Gateway module. Installing it is only required if you are currently using version 207, 210, 213 or 214 of the Payment Gateway (see the ‘Do I need to upgrade the Payment Gateway module?’ question in the FAQs).

PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.

This issue can lead to remote code execution or information disclosure on the system running software containing the log4j component where a malicious actor can control any string that is logged. At this point in time our initial triage shows that only PaperCut MF and PaperCut NG have dependencies on the Apache Log4j component.

This Knowledge Base article outlines the impact of this vulnerability on PaperCut products. This is a rapidly evolving situation; we recommend that you revisit this page often for the most current information.

Product Status

Which PaperCut products are impacted?

Product | Status | Action
PaperCut MF (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations
PaperCut NG (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations
PaperCut MF (version 20.1.5 or earlier) | Not impacted | none
PaperCut NG (version 20.1.5 or earlier) | Not impacted | none
PaperCut Hive | Not impacted | none
PaperCut Pocket | Not impacted | none
PaperCut Views | Not impacted | none
PaperCut Print Logger | Not impacted | none
PaperCut Mobility Print | Not impacted | none
PaperCut Multiverse | Not impacted | none
PaperCut Online Services (Scan to Cloud, OCR) | Not impacted | none

PaperCut NG/MF Components:

Component | Status | Action
Site Server (version 21.0.0 up to and including version 21.2.1) | Impacted | Apply the same Application Server fix to the Site Server.
Site Server (version 20.1.4 or earlier) | Not impacted | none
Job Ticketing (all versions) | Not impacted | none
Payment gateways (version 207 or later) | Not impacted, but upgrade recommended for versions 207, 210, 213, 214 | See the FAQ section for the ‘Do I need to upgrade the Payment Gateway module’ question.
Payment gateways (version 206 or earlier) | Not impacted | none
Web Print sandbox (all versions) | Not impacted | none
Release stations (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations
Release stations (version 20.1.4 or earlier) | Not impacted | none
User clients (all versions) | Not impacted | See FAQ for more info

Recommendations

Application Server and Site Server Fix

If you are running PaperCut NG or MF version 21.0.0 or later, we highly recommend applying the latest maintenance release (21.2.5).

Attacks have been developed that circumvent the configuration change in Option 1. To close these additional attack vectors we recommend Option 2: anyone using PaperCut NG/MF 21.x should upgrade to the latest available maintenance release (21.2.5) through whichever method you normally use to perform upgrades.

We do believe that Option 1 (Mitigate via Configuration Change) is the most immediate (but temporary) solution. It protects against some of the exploitation cases being discussed online. It is a simple configuration change that mitigates the vulnerability in the affected software without applying a full update to an existing PaperCut NG/MF installation; it requires only a restart of the application server and has minimal impact on the operation of your print solution.

As soon as you are able to, we recommend upgrading to 21.2.5.

Option 1 - Mitigate via Configuration Change

Only use this option if you’re unable to immediately upgrade to 21.2.5.

Windows:

  1. Stop the PaperCut application server (or Site Server).
  2. Navigate to the /server/bin/win folder.
  3. Open the service.conf file in that folder for editing (you will need to open it as Administrator).
  4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  6. Save the file.
  7. Start the PaperCut application server (or Site Server).

macOS:

  1. Stop the PaperCut application server (or Site Server).
  2. Navigate to the /server/custom folder.
  3. Open the launch-app-server.conf file for editing.
  4. Add the following line to the end of the file:
    PC_CUSTOM_SERVER_ARG=-Dlog4j2.formatMsgNoLookups=true
  5. Save the file.
  6. Start the PaperCut application server (or Site Server).

Linux:

  1. Stop the PaperCut application server.
  2. Navigate to the /server/bin/linux-x64 folder (or the linux-i686 or linux-common folder, depending on distro).
  3. Open the app-monitor.conf file in that folder for editing.
  4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  6. Save the file.
  7. Start the PaperCut application server.

Option 2 - Upgrade to PaperCut NG/MF version 21.2.5

  1. Upgrade to version 21.2.5 through your usual upgrade procedures, as soon as possible.

Release Station Fix

Option 1 - Mitigate via Configuration Change

Only use this option if you’re unable to immediately upgrade to 21.2.5.

Windows

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open pc-release.lap
  3. Add a new line at the end of the file: -Dlog4j2.formatMsgNoLookups=true
  4. Save the file.
  5. Repeat the steps above for each of these files: pc-pay-station.lap; pc-release-manager.lap; pc-release-secure.lap
  6. Restart the release station

macOS

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open the pc-release-mac.command file.
  3. Find the section at the bottom of the file commented with # Run the program
  4. After the line -Djava.locale.providers=COMPAT,SPI \, insert a new line with:
    -Dlog4j2.formatMsgNoLookups=true \
  5. Save the file.
  6. Restart the release station.

Linux

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open the pc-release-linux.sh file.
  3. Find the section at the bottom of the file commented with # Run the program
  4. After the line -Djava.locale.providers=COMPAT,SPI \, insert a new line with:
    -Dlog4j2.formatMsgNoLookups=true \
  5. Save the file.
  6. Repeat the steps above for the pc-release-cmd-line.sh file.
  7. Restart the release station.
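The Application Server, Site Server and Release Station steps in Option 1 all come down to editing one of four kinds of file. The script below, added here as an example and not PaperCut's own tooling, applies the change idempotently and refuses to guess when the expected anchor line is absent (a wrapper file without the reserved additional.21 line, or a launch script without the COMPAT,SPI line), so a file can never end up silently unprotected. The file kinds, the property name, the PC_CUSTOM_SERVER_ARG line and the anchor line are taken from the steps above; the kind names, the backup suffix and the sample texts are this script's own assumptions. Keep in mind the article's own caveat: this flag is the temporary mitigation, and the upgrade to 21.2.5 is the real fix.

```python
"""Apply (or just verify) the temporary -Dlog4j2.formatMsgNoLookups=true
mitigation in the configuration files this article names.

Added example, not PaperCut's own tooling. The file kinds, the
wrapper.java.additional.21 property, the PC_CUSTOM_SERVER_ARG line and the
COMPAT,SPI anchor line come from the steps above; the kind names, the backup
suffix and the sample texts are assumptions for this script.
"""
import re
import shutil
import sys

FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Line the article says to replace in service.conf / app-monitor.conf
# ("X" in the article is a placeholder, so any value is accepted).
WRAPPER_OLD = re.compile(r"^wrapper\.java\.additional\.21=-Dpc-reserved=\S*\s*$")
WRAPPER_NEW = "wrapper.java.additional.21=" + FLAG
# Line appended to launch-app-server.conf (macOS Application/Site Server).
LAUNCH_NEW = "PC_CUSTOM_SERVER_ARG=" + FLAG
# Line after which the release station launch scripts get the flag.
SCRIPT_ANCHOR = "-Djava.locale.providers=COMPAT,SPI \\"


def is_mitigated(text):
    """True if the flag is already set on a non-comment line."""
    return any(FLAG in line and not line.lstrip().startswith("#")
               for line in text.splitlines())


def patch(text, kind):
    """Return the mitigated text for one file kind:
         wrapper  service.conf, app-monitor.conf
         launch   launch-app-server.conf
         lap      pc-release.lap, pc-pay-station.lap, pc-release-manager.lap,
                  pc-release-secure.lap
         script   pc-release-mac.command, pc-release-linux.sh,
                  pc-release-cmd-line.sh
    Idempotent, keeps the file's line endings, and raises ValueError when
    the expected anchor line is missing rather than guessing."""
    if is_mitigated(text):
        return text
    nl = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    if kind == "wrapper":
        hits = [i for i, l in enumerate(lines) if WRAPPER_OLD.match(l)]
        if len(hits) != 1:
            raise ValueError("expected exactly one reserved wrapper.java.additional.21 line")
        lines[hits[0]] = WRAPPER_NEW
    elif kind == "launch":
        lines.append(LAUNCH_NEW)
    elif kind == "lap":
        lines.append(FLAG)
    elif kind == "script":
        hits = [i for i, l in enumerate(lines) if l.strip() == SCRIPT_ANCHOR]
        if len(hits) != 1:
            raise ValueError("expected exactly one COMPAT,SPI line")
        src = lines[hits[0]]
        indent = src[: len(src) - len(src.lstrip())]
        lines.insert(hits[0] + 1, indent + FLAG + " \\")
    else:
        raise ValueError("unknown kind: " + kind)
    return nl.join(lines) + nl


def mitigate_file(path, kind):
    """Patch one file in place, keeping a backup. Returns True if changed."""
    with open(path, encoding="utf-8", newline="") as f:
        text = f.read()
    new = patch(text, kind)
    if new == text:
        return False
    shutil.copy2(path, path + ".pre-log4shell.bak")   # assumed backup name
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(new)
    return True


# Constructed sample inputs so the script demonstrates itself offline
# (a CRLF Windows wrapper file and a POSIX release station launch script).
SAMPLE_WRAPPER = ("wrapper.java.additional.20=-Dsample.property=constructed\r\n"
                  "wrapper.java.additional.21=-Dpc-reserved=X\r\n")
SAMPLE_SCRIPT = ("#!/bin/sh\n"
                 "# Run the program\n"
                 "java \\\n"
                 "    -Djava.locale.providers=COMPAT,SPI \\\n"
                 "    -jar pc-release.jar\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        kind, path = sys.argv[1], sys.argv[2]
        print(path, "patched" if mitigate_file(path, kind) else "already mitigated")
    else:
        print("usage: mitigate.py <wrapper|launch|lap|script> <file>")
        print(patch(SAMPLE_WRAPPER, "wrapper"))
        print(patch(SAMPLE_SCRIPT, "script"))
```

Run it with the file kind and path (for example `wrapper` against service.conf, `script` against pc-release-linux.sh) after stopping the service, then restart as the steps say; running it a second time reports "already mitigated" and changes nothing.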

Option 2 - Upgrade to PaperCut NG/MF version 21.2.5

  1. Apply the configuration change listed in Option 1 (Release Station fix) above to mitigate the most serious vulnerability.
  2. Schedule an upgrade to version 21.2.4 through your usual upgrade procedures.

Once you have upgraded to a PaperCut server version containing the patched libraries, delete and redeploy all release stations using the release station package from the server.

FAQs

Is there any impact from applying this fix?

No - there is no impact to PaperCut products. All products will continue to work with zero impact.

I have applied the 21.2.5 maintenance release, but I don’t see the config changes applied. Am I protected?

Yes - in the above recommendations, you can apply an immediate config change (Option 1) which involves updating config files with the formatMsgNoLookups string. The preferred method, which is to install 21.2.5, actually includes log4j version 2.17.1 which includes the fix internally, so you will not see the Option 1 config changes after applying the maintenance release. This is expected behavior.

I am running the PaperCut User client and see that it’s using log4j 2.x - why does the table above say that the User Client is not impacted?

Good catch! Due to the way our build system works, the User Client actually ships with both log4j 1.x and log4j 2.x libraries. In practice the User Client only uses the log4j 1.x libs, so it is not impacted by the vulnerability. The log4j 2.x libs are not used in the User Client at all, which means it is not vulnerable to attack.

In order to completely remove the log4j 1.x libraries, you’ll need to update to PaperCut NG/MF version 21.2.8.

Do I need to upgrade the Payment Gateway module?

  1. Check the Payment Gateway version that you have installed - head into your Application Server file system: [MF/NG installation directory]/server/lib-ext and open the file ext-payment-gateway-version.txt.
  2. Check the line with version-build=
  • IF you are using a gateway with a build number of 207 or later (but earlier than 219), you are not at risk from the vulnerability; however, log4j 2.x libraries have been included (but not used) in these builds since November 2021. To be completely safe (and to avoid vulnerability scanners flagging them) we recommend upgrading to the latest version of the Payment Gateway (219), as detailed in Step 2 of the Setting up the Payment Gateway module article. Version 219 removes the unnecessary log4j files from the gateway installation.
  • IF you are using a gateway with a build number lower than 207, you are not at risk from the vulnerability, and log4j 2.x libraries are not included in the gateway module.

Note: Version 213 of the Payment Gateway module includes log4j version 2.16. Version 214 of the Payment Gateway module includes log4j version 2.17. Version 219 removes the Payment Gateway installation log4j jar files entirely, and relies on the log4j version installed with the MF/NG Application Server.

Note: This is completely independent from the Application Server version - so even if you are running version 21.2.5 (patched) of the App Server, if you are running a Payment Gateway module version between 207 and 214, we recommend applying the Payment Gateway upgrade too. Alternatively if you are using an earlier non-impacted version of the App Server (e.g. version 20.x or earlier) and you are using a Payment Gateway module version between 207 and 214, we also recommend applying the Payment Gateway upgrade but you do not need to upgrade the Application Server.

I see that some PaperCut products use Apache Log4j 1.x, isn’t that also vulnerable to CVE-2021-4104?

No. PaperCut products are not vulnerable to this issue. Version 1.x of Apache Log4j did not include the JNDI lookup functionality that is at the root of Log4Shell. CVE-2021-4104 has been raised to differentiate these issues. The write-up by Snyk indicates that a similar style of compromise is possible if the JMSAppender library is present and an attacker can manipulate the TopicBindingName or TopicConnectionFactoryBindingName. PaperCut software does not use JMSAppender or reference the TopicBindingName or TopicConnectionFactoryBindingName, so there is no known vector to trigger this vulnerability in PaperCut software. The only other scenario would be an attacker with write access to the configuration files, who could update the Log4j configuration; this would require the attacker to already have access to the system.

Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app

Why does my vulnerability scanner show Log4j as being vulnerable on a version listed as ‘not impacted’ in the table above?

Some vulnerability scanners show any version of Log4j before 2.15 as vulnerable. This finding is not supported by any in-depth analysis and may be due to how the data is read from the NVD database. For why Log4j 1.x is not vulnerable, see the previous FAQ question.

Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed. e.g: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app

If you want to remove the log4j 1.x files anyway (even though they are not vulnerable) because they are being picked up by security scanners, you can remove them manually based on the lists below. Note that the paths are examples and your installation path may differ.

If you are not using the Ricoh remote operation tools, or Sharp configuration tools (or if you don’t have Ricoh or Sharp devices at all), you can safely remove these files:

C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\403046912\log4j-1.2.13.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\remote-operation-client\lib\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\server\deployment\sharp\lib\sharp-configuration-tool-all.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\deprecated\403046656\log4j-1.2.13.jar


If you are not using the macOS User Client Software, you can remove these files:

C:\Program Files\PaperCut MF\client\mac\PCClient.app\Contents\Java\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app\Contents\Resources\Java\log4j-1.2.13.jar


If you are not using the Linux User Client Software, you can remove this file:

C:\Program Files\PaperCut MF\client\linux\lib\log4j-1.2.17.jar


If you are not using the Windows User Client Software, you can remove this file:

C:\Program Files\PaperCut MF\client\win\lib\log4j-1.2.17.jar


Please note that the 21.2.8 release of PaperCut MF/NG now removes these dependencies on log4j 1.x.

Why does my vulnerability scanner show my Payment Gateway install as vulnerable (in the lib-ext folder)?

If you have upgraded the Payment Gateway (see questions above) you may have multiple versions of log4j*.jar files in the [MF or NG install]/server/lib-ext/ directory. If this is the case, you can safely remove the older versions which are no longer needed.

Note that you may need to stop the PaperCut Application Server service to successfully remove the older files.

You can safely delete the older log4j .jar files listed below. Alternatively, if you install version 219 of the Payment Gateway module on Windows (see the Payment Gateway question above), it automatically removes the unnecessary jar files. If you want to remove them manually, these can be safely removed:

  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar
  • log4j-api-2.13.3.jar
  • log4j-core-2.13.3.jar
  • log4j-slf4j-impl-2.13.3.jar
  • log4j-api-2.17.0.jar
  • log4j-core-2.17.0.jar
  • log4j-slf4j-impl-2.17.0.jar

I have the latest version of Java - doesn’t that protect me against Log4Shell?

No. Exploitation has been demonstrated under every version of Java. The only way to prevent this issue in PaperCut products is to apply the recommendations outlined in this knowledge base article.

Is PaperCut affected by the Log4j 1.2 SocketServer vulnerability (CVE-2019-17571)?

A vulnerability was discovered (originally in 2019) in the SocketServer functionality of Log4j. This has been documented officially on the NIST site here: CVE-2019-17571.

This vulnerability requires the Apache Log4j component to be configured to listen for logging events on a socket. PaperCut products do not use this feature of Log4j, and as such CVE-2019-17571 does not affect PaperCut products.

Is PaperCut affected by CVE-2021-45046?

Yes. We became aware of this issue on the morning of the 15th of December AEST (see here for info: CVE-2021-45046). This new issue is currently only rated moderate severity (CVSS 3.7) and would result in a Denial of Service to the PaperCut MF/NG Application or Site Servers in certain circumstances. Due to the severity of Log4Shell (CVE-2021-44228) we strongly recommend that you do not wait to apply the mitigation for Log4Shell.

Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.3 (which uses log4j 2.16).

Is PaperCut affected by CVE-2021-45105?

Yes. This vulnerability has been raised online - see details on CVE-2021-45105. This vulnerability is present in log4j 2.16 (used by PaperCut MF/NG version 21.2.3).

Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.4 (which uses log4j 2.17).

What is the difference between MF/NG version 21.2.3 and 21.2.4?

Version | Contents | Log4j version
PaperCut MF/NG version 21.2.3 | Resolves CVE-2021-44228 and CVE-2021-45046 | log4j 2.16
PaperCut MF/NG version 21.2.4 | Resolves CVE-2021-45105 (and the previous two vulnerabilities) | log4j 2.17
PaperCut MF/NG version 21.2.5 | Resolves CVE-2021-44832 (and the previous three vulnerabilities) | log4j 2.17.1
PaperCut MF/NG version 21.2.6 | Unintentionally includes log4j 2.17.0. We are looking to replace this with a 21.2.7 build asap which will include log4j 2.17.1. See the known issue about this. | log4j 2.17.0
PaperCut MF/NG version 21.2.7 | Includes all the fixes in 21.2.6 and corrects the log4j version in use | log4j 2.17.1
PaperCut MF/NG version 21.2.8 | Includes all the fixes in 21.2.7 and removes all dependencies on log4j 1.x libraries | log4j 2.17.1
PaperCut MF/NG version 21.2.9 and 21.2.10 | Includes all the fixes in 21.2.8 and resolves the Spring4Shell vulnerability | log4j 2.17.1
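The lib-ext clean-up FAQ above, the Payment Gateway build-number rules, and the version table just given all reduce to one audit: which log4j jars are on disk, what each version still leaves open, and which copies are stale. The script below is an added example and not PaperCut tooling; it walks an install tree for jars named log4j*.jar, maps each 2.x version onto the CVEs using the thresholds from the table (2.16 resolves CVE-2021-44228 and CVE-2021-45046, 2.17 resolves CVE-2021-45105, 2.17.1 resolves CVE-2021-44832), flags older duplicates of an artifact sitting beside a newer one in the same directory, and applies the gateway rules to ext-payment-gateway-version.txt. The filename pattern, the report format and the constructed sample tree (empty jar files named after the lists in this article) are the script's own assumptions. It is filename-based only, so a jar that bundles log4j under another name, such as the sharp-configuration-tool-all.jar mentioned earlier, is not seen.

```python
"""Inventory the log4j jars under a PaperCut NG/MF install tree, relate each
version to the CVEs covered in this article, flag stale duplicate jars in a
directory (the lib-ext situation above) and apply the Payment Gateway
build-number rules.

Added example, not PaperCut tooling. The version-to-CVE thresholds follow the
21.2.x table above and the gateway rules follow the Payment Gateway FAQ; the
filename pattern, the report format and the sample tree are assumptions.
"""
import re
import tempfile
from pathlib import Path

# log4j-1.2.17.jar, log4j-core-2.16.0.jar, log4j-slf4j-impl-2.17.0.jar, ...
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9-]+?)?)-(\d+(?:\.\d+)+)\.jar$")

# Version at which the article's table says each CVE is resolved.
RESOLVED_AT = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

GATEWAY_VERSION_FILE = "server/lib-ext/ext-payment-gateway-version.txt"


def parse_version(text):
    """'2.16' -> (2, 16, 0): pad to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def outstanding(version):
    """CVEs from the article that a log4j 2.x version does not yet resolve.
    log4j 1.x has no JNDI lookup, so Log4Shell and its follow-ups do not
    apply to it (see the 1.x FAQ); it is reported but not flagged."""
    if version[0] != 2:
        return []
    return [cve for cve, fixed in RESOLVED_AT.items() if version < fixed]


def scan(root):
    """{jar path: (artifact, version)} for every log4j*.jar under root."""
    found = {}
    for p in Path(root).rglob("log4j*.jar"):
        m = JAR_RE.match(p.name)
        if m:
            found[p] = (m.group(1), parse_version(m.group(2)))
    return found


def stale_duplicates(found):
    """Older copies of an artifact present in one directory in several
    versions, which the article says can be removed once the service is stopped."""
    newest = {}
    for p, (art, ver) in found.items():
        key = (p.parent, art)
        newest[key] = max(newest.get(key, ver), ver)
    return sorted(p for p, (art, ver) in found.items() if ver < newest[(p.parent, art)])


def gateway_advice(version_txt):
    """Apply the Payment Gateway FAQ's rules to the version-build= line."""
    m = re.search(r"^version-build=(\d+)\s*$", version_txt, re.M)
    if not m:
        raise ValueError("no version-build= line found")
    build = int(m.group(1))
    if build < 207:
        return build, "not at risk; this build ships no log4j 2.x"
    if build < 219:
        return build, "not at risk, but ships unused log4j 2.x jars; upgrade to 219"
    return build, "up to date; log4j jars removed from the gateway install"


def report(root):
    """One line per finding, as a list of strings."""
    found = scan(root)
    stale = set(stale_duplicates(found))
    lines = []
    for p, (art, ver) in sorted(found.items()):
        cves = outstanding(ver)
        status = "outstanding " + ", ".join(cves) if cves else "ok"
        if p in stale:
            status += "; older duplicate, removable"
        lines.append("%s: %s %s: %s" % (p, art, ".".join(map(str, ver)), status))
    gw = Path(root) / GATEWAY_VERSION_FILE
    if gw.exists():
        lines.append("Payment Gateway build %d: %s" % gateway_advice(gw.read_text()))
    return lines


def sample_tree():
    """Constructed stand-in for an install tree: empty jar files named after
    the article's lists, plus a gateway version file at build 214."""
    root = Path(tempfile.mkdtemp())
    for rel in ("server/lib-ext/log4j-core-2.13.3.jar",
                "server/lib-ext/log4j-core-2.16.0.jar",
                "server/lib-ext/log4j-core-2.17.1.jar",
                "client/win/lib/log4j-1.2.17.jar"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    (root / GATEWAY_VERSION_FILE).write_text("version-build=214\n")
    return root


if __name__ == "__main__":
    import sys
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else sample_tree())))
```

Point it at the install directory (the parent of server/ and client/) to audit a real host; with no argument it audits the constructed sample tree. Stop the Application Server before deleting anything it reports as removable, as the FAQ notes.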

Are any PaperCut products affected by CVE-2021-44832?

Security researchers have flagged that log4j version 2.17 and earlier can have a remote exploitation vulnerability enabled *if* an attacker is able to edit the log4j config files.

The relevant configuration is not present in any PaperCut products, and an attacker would therefore need file write access (i.e. Administrator level access) to a site’s PaperCut server in order to make the necessary changes and restart the server. As an attacker in this position must already have high level access to the customer environment in order to enable the vulnerability, we consider this a very low risk for PaperCut customers.

Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.5 (which uses log4j 2.17.1).

Why has the Ricoh SDK/J installer been removed from the PaperCut MF installation?

As per the release note for 21.2.6, we have now removed Ricoh SDK/J v2 (which Ricoh deprecated some time ago) from the MF installs on Windows, Linux and macOS [PO-727]. This deprecated version was being flagged by vulnerability scanners, so the client package has been removed from the server installation. Customers still running SDK/J machines who need the SDK/J package can download it here.

How is PaperCut affected by the following security issues that affect log4j 1.x?

The PaperCut MF client does use Log4j 1.x (prior to 21.2.8). Please note that log4j 1.x libraries have now been completely removed with the 21.2.8 maintenance release of PaperCut MF/NG. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app.

There are some vulnerabilities that affect Log4j 1.x; explanations of how PaperCut MF is affected by each are in the table below.

CVE | Response
CVE-2022-23307 | This is related to a component called Chainsaw. Chainsaw is a program for viewing logs in a graphical user interface. PaperCut MF does not use Chainsaw.
CVE-2022-23302 | This issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. PaperCut MF does not configure Log4j to use JMSSink and is not affected by this issue.
CVE-2022-23305 | This issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. PaperCut MF does not configure Log4j to use JDBCAppender and is not affected by this issue.

Updates

Date | Update/Action
10th December 2021 15:27 AEDT | Issue reported internally to the security and product team. Initial triage commenced with the intent of providing a known issue posting with mitigation advice.
10th December 2021 16:47 AEDT | Published Known Issue bulletin for PaperCut NG/MF.
11th-12th December 2021 | Monitored unfolding updates regarding the issue.
13th December 2021 19:14 AEDT | Published this KB article for all products. Produced HotFix for PaperCut NG/MF for customers unable to perform the workaround.
14th December 2021 | Updated information around Release Station and User client status and mitigations.
14th December 2021 | Added FAQ section with extra information.
15th December 2021 | Added link to security subscription form.
15th December 2021 12:00 AEDT | Updated info about CVE-2021-45046
15th December 2021 12:25 AEDT | Updated info about available fixes
15th December 2021 16:01 AEDT | Updated FAQ entry on Log4j 1.x CVE-2021-4104
15th December 2021 16:40 AEDT | Updated with the PaperCut MF/NG 21.2.3 maintenance release information (uses log4j 2.16).
17th December 2021 13:30 AEDT | Updated with the latest Payment Gateway build information
18th December 2021 18:50 AEDT | Updated to include info about CVE-2021-45105
20th December 2021 14:00 AEDT | Updated with latest Payment Gateway module release (version 214) which contains log4j 2.17.
21st December 2021 11:30 AEDT | Updated with the PaperCut MF/NG 21.2.4 maintenance release information (uses log4j 2.17).
22nd December 2021 12:00 AEDT | Included FAQ about cleaning up older log4j versions from the Payment Gateway installation folder.
22nd December 2021 18:50 AEDT | Reviewed use of Logback in PaperCut products. Determined that at this point no action is required.
30th December 2021 07:30 AEDT | Reviewed potential impact of CVE-2021-44832. Determined that at this point no action is required.
12th January 2022 11:00 AEDT | Added note confirming we hope to have MF/NG builds available by the end of March 2022 which will remove log4j 1.x dependencies.
27th January 2022 11:00 AEDT | Updated with the PaperCut MF/NG 21.2.5 maintenance release information (uses log4j 2.17.1).
27th January 2022 18:00 AEDT | Updated with the latest Payment Gateway version 219 information (removes log4j).
31st January 2022 10:00 AEDT | Updated with information on Log4j 1.x vulnerabilities.
2nd Feb 2022 12:00 AEDT | Updated to include info on manually removing log4j 1.x files if required / if possible.
7th Feb 2022 16:00 AEDT | Updated with a note about the Raspberry Pi release station image - which has now been updated to log4j 2.17.1.
24th Feb 2022 15:00 AEDT | Updated with a note about 21.2.6 unintentionally including log4j 2.17.0, and a reference to the known issue.
28th Feb 2022 11:00 AEDT | Updated with the PaperCut MF/NG 21.2.7 maintenance release (includes log4j 2.17.1) and closed out the known issue.
28th Feb 2022 11:00 AEDT | Updated to include a note about the removal of the Ricoh SDK/J install package from the build since 21.2.6.
24th March 2022 16:00 AEDT | Updated with the PaperCut MF/NG 21.2.8 maintenance release, which removes all log4j 1.x dependencies.
20 May 2022 14:00 AEDT | Added information about the 21.2.10 build related to the Spring4Shell vulnerability.