Log4Shell (CVE-2021-44228) - How is PaperCut Affected?
Last modified on 21 May 2022 03:51 AM
Latest update (March 24th, 2022)
PaperCut is aware of the RCE vulnerability in the Apache Log4j library, also known as Log4Shell or CVE-2021-44228. The Apache Logging security team has classified this issue as critical severity. It can lead to remote code execution or information disclosure on a system running software that contains the log4j component, wherever a malicious actor can control any string that is logged. At this point in time our initial triage shows that only PaperCut MF and PaperCut NG have dependencies on the Apache Log4j component. This Knowledge Base article outlines the impact of this vulnerability on PaperCut products. This is a rapidly evolving situation; we recommend that you revisit this page often for the most current information.
Product Status
Which PaperCut products are impacted?
PaperCut NG/MF Components:
Recommendations
Application Server and Site Server Fix
If you are running PaperCut NG or MF version 21.0.0 or later, we highly recommend applying the latest maintenance release (21.2.5). Attacks have been developed that circumvent the config change in Option 1, so to close these additional attack vectors we recommend Option 2: anyone using PaperCut NG/MF 21.x should upgrade to the latest available maintenance release (21.2.5) through whichever method you normally use to perform upgrades. We do believe that applying Option 1 (Mitigate via Configuration Change) is the most immediate, but temporary, solution. It protects against some of the cases of exploitation being discussed online. It involves a simple configuration change that mitigates the vulnerability in the affected software rather than applying a full update to an existing PaperCut NG/MF installation, and requires only a restart of the application server, with minimal impact on the operation of your print solution. As soon as you are able to, we recommend upgrading to 21.2.5.
Option 1 - Mitigate via Configuration Change
Only use this option if you're unable to immediately upgrade to 21.2.5.
Windows:
macOS:
Linux:
Option 2 - Upgrade to PaperCut NG/MF version 21.2.5
Release Station Fix
Option 1 - Mitigate via Configuration Change
Only use this option if you're unable to immediately upgrade to 21.2.5.
Windows
macOS
Linux
Option 2 - Upgrade to PaperCut NG/MF version 21.2.5
Once you have upgraded to a PaperCut server version containing the patched libraries, delete and redeploy all release stations using the release station package from the server.
FAQs
Is there any impact from applying this fix?
No - there is no impact to PaperCut products. All products will continue to work with zero impact.
I have applied the 21.2.5 maintenance release, but I don't see the config changes applied. Am I protected?
Yes - in the above recommendations, you can apply an immediate config change (Option 1) which involves updating config files with the
I am running the PaperCut User client and see that it's using log4j 2.x - why does the table above say that the User Client is not impacted?
Good catch! Due to the way our build system works, the User Client actually ships with both log4j 1.x and log4j 2.x libraries. In practice the User Client only uses the log4j 1.x libs, so it is not impacted by the vulnerability. We do not use the log4j 2.x libs in the User Client, which means it is not vulnerable to attack. In order to completely remove the log4j 1.x libraries, you'll need to update to PaperCut NG/MF version 21.2.8.
Do I need to upgrade the Payment Gateway module?
Note: Version 213 of the Payment Gateway module includes log4j version 2.16. Version 214 of the Payment Gateway module includes log4j version 2.17. Version 219 removes the Payment Gateway installation's log4j jar files entirely and relies on the log4j version installed with the MF/NG Application Server.
Note: This is completely independent of the Application Server version, so even if you are running version 21.2.5 (patched) of the App Server, if you are running a Payment Gateway module version between 207 and 214 we recommend applying the Payment Gateway upgrade too. Alternatively, if you are using an earlier non-impacted version of the App Server (e.g. version 20.x or earlier) and a Payment Gateway module version between 207 and 214, we also recommend applying the Payment Gateway upgrade, but you do not need to upgrade the Application Server.
I see that some PaperCut products use Apache Log4j 1.x, isn't that also vulnerable to CVE-2021-4104?
No. PaperCut products are not vulnerable to this issue. Version 1.x of Apache Log4j did not include the JNDI lookup functionality that is at the root of Log4Shell. CVE-2021-4104 has been raised to differentiate these issues. The write-up by Snyk indicates that there is a possibility of a similar style of compromise if the
Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g.: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
Why does my vulnerability scanner show Log4j as being vulnerable on a version listed as 'not impacted' in the table above?
Some vulnerability scanners are showing any version of Log4j before 2.15 as vulnerable. This finding is not supported by any in-depth analysis and may be due to how the data is read from the NVD database. For why version 1.x of Apache Log4j is not vulnerable, see the previous FAQ question.
Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g.: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
In addition, if you want to remove any 1.x log4j files (even though they are not vulnerable) because they are being picked up by security scanners, you can remove them as described below. Note that the paths are examples and your installation path may differ. If you are not using the Ricoh remote operation tools or Sharp configuration tools (or if you don't have Ricoh or Sharp devices at all), you can safely remove these files:
C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\403046912\log4j-1.2.13.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\remote-operation-client\lib\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\server\deployment\sharp\lib\sharp-configuration-tool-all.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\deprecated\403046656\log4j-1.2.13.jar
C:\Program Files\PaperCut MF\client\mac\PCClient.app\Contents\Java\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app\Contents\Resources\Java\log4j-1.2.13.jar
C:\Program Files\PaperCut MF\client\linux\lib\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\client\win\lib\log4j-1.2.17.jar
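One way to check what a vulnerability scanner is actually flagging, and to spot stale copies left behind after a Payment Gateway upgrade (see the lib-ext question below), is to inventory the log4j jars yourself and map each one to the CVEs this article discusses. The following Python script is an added example and is not PaperCut's code; the scan root and the stub jars it builds are constructed sample data (empty archives, with a zero-byte JndiLookup.class entry standing in for the real class), and the real install paths are the ones listed in this article. The fixed-in versions come from the Apache Log4j security advisories; file-name matching is an assumption that does not catch log4j bundled inside another jar such as the Sharp configuration tool.

```python
"""Inventory log4j jars under an install tree and relate each to the CVEs
discussed in the article. Added example, not PaperCut's code."""
import re
import zipfile
from pathlib import Path
from tempfile import mkdtemp

# Class that implements the JNDI lookup behind CVE-2021-44228 (log4j 2.x only).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar, log4j-core-2.16.0.jar, log4j-api-2.17.1.jar, ...
VERSION_RE = re.compile(r"log4j(?:-core|-api)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)

# First log4j 2.x release fixing each CVE the article discusses (Apache advisories).
FIXED_IN = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
]


def parse_version(filename):
    """Extract (major, minor, patch) from a log4j jar file name, or None."""
    m = VERSION_RE.search(filename)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def applicable_cves(version):
    """Log4Shell-family CVEs from the article that apply to this log4j version.

    log4j 1.x is reported as out of scope: it has no JNDI lookup, which is the
    root of Log4Shell, so a scanner flagging "everything before 2.15" is wrong
    about it. The 1.x issues the article mentions (CVE-2021-4104,
    CVE-2019-17571) depend on non-default configuration, not on version.
    """
    if version[0] < 2:
        return []
    return [cve for cve, fixed in FIXED_IN if version < fixed]


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class (2.17.x still does; it
    is disabled by default there, so this is informational, not a verdict)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def scan(root):
    """Return one record per log4j jar under root, sorted by path."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = parse_version(jar_path.name)
        if version is None:
            continue  # not named like a log4j jar (e.g. sharp-configuration-tool-all.jar)
        findings.append({
            "path": jar_path.relative_to(root).as_posix(),
            "version": ".".join(map(str, version)),
            "cves": applicable_cves(version),
            "jndi_lookup": has_jndi_lookup(jar_path),
        })
    return findings


def make_sample_tree():
    """Build a throwaway tree of stub jars. Constructed sample data, not real jars."""
    root = Path(mkdtemp(prefix="log4j-scan-"))
    samples = {  # relative path -> whether the stub carries a JndiLookup.class entry
        "client/win/lib/log4j-1.2.17.jar": False,
        "server/lib-ext/log4j-core-2.14.1.jar": True,   # stale copy from an older module
        "server/lib-ext/log4j-core-2.17.1.jar": True,   # current; lookups disabled by default
        "server/deployment/sharp/lib/sharp-configuration-tool-all.jar": False,
    }
    for rel, with_lookup in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_lookup:
                jar.writestr(JNDI_LOOKUP, b"")
    return root


if __name__ == "__main__":
    for f in scan(make_sample_tree()):
        status = ", ".join(f["cves"]) or "not affected by the 2.x issues"
        print(f"{f['path']}: log4j {f['version']} -> {status} "
              f"(JndiLookup present: {f['jndi_lookup']})")
```

Point `scan()` at a real installation root to get the same inventory; a 1.x jar listed with an empty CVE list is the scanner false positive the FAQ above describes, while two log4j-core versions side by side in lib-ext is the leftover the Payment Gateway question below tells you to clean up.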
Why does my vulnerability scanner show my Payment Gateway install as vulnerable (in the lib-ext folder)?
If you have upgraded the Payment Gateway (see questions above) you may have multiple versions of log4j*.jar files in the
Note that you may need to stop the PaperCut Application Server service to successfully remove the older files. You can safely delete the older instances of the log4j .jar files. Alternatively, if you install version 219 of the Payment Gateway module on Windows (see the Payment Gateway question above), it will automatically remove the unnecessary jar files. If you want to remove these manually, these can be safely removed:
I have the latest version of Java - doesn't that protect me against Log4Shell?
No. There have been examples of executing this under any version of Java. The only way to prevent this issue in PaperCut products is to apply the recommendations outlined in this knowledge base article.
Is PaperCut affected by the Log4j 1.2 SocketServer vulnerability (CVE-2019-17571)?
A vulnerability was discovered (originally in 2019) in the SocketServer functionality of Log4j. This has been documented officially on the NIST site here: CVE-2019-17571. This vulnerability requires the Apache Log4j component to be configured to listen for logging events on a socket. PaperCut products do not use this feature of Log4j, and as such CVE-2019-17571 does not affect PaperCut products.
Is PaperCut affected by CVE-2021-45046?
Yes. We became aware of this issue on the morning of the 15th of December AEST (see here for info: CVE-2021-45046). This new issue is currently rated only moderate severity (CVSS 3.7) and would result in a Denial of Service to the PaperCut MF/NG Application or Site Servers in certain circumstances. Due to the severity of Log4Shell (CVE-2021-44228), we strongly recommend that you do not wait to apply the mitigation for Log4Shell.
Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.3 (which uses log4j 2.16).
Is PaperCut affected by CVE-2021-45105?
Yes. This vulnerability has been raised online - see details on CVE-2021-45105. This vulnerability is present in log4j 2.16 (used by PaperCut MF/NG version 21.2.3).
Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.4 (which uses log4j 2.17).
What is the difference between MF/NG version 21.2.3 and 21.2.4?
Are any PaperCut products affected by CVE-2021-44832?
Security researchers have flagged that log4j version 2.17 and earlier can have a remote exploitation vulnerability enabled *if* an attacker is able to edit the log4j config files. The relevant configuration is not present in any PaperCut products, and an attacker would therefore need file write access (i.e. Administrator level access) to a site's PaperCut server in order to make the necessary changes and restart the server. As an attacker in this position must already have high level access to the customer environment in order to enable the vulnerability, we consider this a very low risk for PaperCut customers.
Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.5 (which uses log4j 2.17.1).
Why has the Ricoh SDK/J installer been removed from the PaperCut MF installation?
As per the release note for 21.2.6, we have now removed Ricoh SDK/J v2 (which has been deprecated) from the MF installs on Windows, Linux and macOS [PO-727]. This deprecated version (Ricoh deprecated SDK/J a while ago) was getting flagged by vulnerability scanners, so the client package has been removed from the server installation. For customers still running SDK/J machines needing the SDK/J package, this can be downloaded here.
How is PaperCut affected by the following security issues that affect log4j 1.x?
The PaperCut MF client does use Log4j 1.x (prior to 21.2.8). Please note that log4j 1.x libraries have now been completely removed with the 21.2.8 maintenance release of PaperCut MF/NG. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g.: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app. There are some vulnerabilities that affect Log4j 1.x; explanations of how PaperCut MF is affected by these are in the table below.
References
Updates