Vulnerabilities 2021

Apache Log4j Security Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

First published: 13 December 2021

Last update: 22 December 2021

ID: FSC31322

Affected Components: Fabasoft Cloud, Fabasoft Folio

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, Basic Score: 10.0 (Critical)

Status: Final

CVEs: CVE-2021-44228

Information on the further Log4j issues CVE-2021-45046 and CVE-2021-45105 is given at the end of this article.

Information

A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 (including beta versions) up to and including 2.14.1. It allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value that triggers a JNDI lookup against the attacker's LDAP server.

In order to exploit this flaw you need:

  • A remotely accessible endpoint using any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data.
  • A log statement in the endpoint that logs the attacker-controlled data.

Many software products and libraries use the Log4j library and may therefore be affected.

Fabasoft Products

The following Fabasoft products may be affected by the vulnerability:

  • Fabasoft Business Process Cloud
  • Fabasoft Folio/eGov-Suite 2021 April Release (21.4.x)
  • Fabasoft Folio/eGov-Suite 2021 July Release (21.7.x)
  • Fabasoft Folio/eGov-Suite 2021 November Release (21.11.x)

Not affected:

  • Fabasoft Folio/eGov-Suite 2021 Release, Update Rollup 1 and Update Rollup 2
  • Fabasoft Folio/eGov-Suite 2022
  • All versions below Fabasoft Folio/eGov-Suite 2021
  • Fabasoft Mindbreeze Enterprise (all versions)
  • Fabasoft app.telemetry (all versions)

Fabasoft Folio Client and Fabasoft Cloud Client are not affected in any version of Fabasoft Folio / Fabasoft eGov-Suite.

Double-Check for usage

You can check whether the library is in use by doing a file search on your Fabasoft Folio and Mindbreeze servers:

Search for log4j* in:

Windows Folio: C:\Program Files\Fabasoft\

Windows Folio: C:\ProgramData\Fabasoft\INSTALLDIR

Windows Mindbreeze Enterprise: Search the full server for log4j*

Linux Folio: /var/opt/fabasoft/cache/INSTALLDIR

Linux Mindbreeze Enterprise: Search the full server for log4j*
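The manual file search above tells you that a Log4j jar is present but not which of the issues in this advisory it falls under. The following POSIX sh script is an added example and not a Fabasoft-provided tool: it walks a directory tree (for example the Linux Folio path /var/opt/fabasoft/cache/INSTALLDIR) for log4j*.jar files and classifies each by the version in its file name, using only the version ranges stated in this advisory. The function names are the example's own; the Windows paths are not covered because the script is meant for a Linux shell.

```shell
#!/bin/sh
# Added example, not a Fabasoft-provided tool: walks a directory tree the way the
# advisory's manual "search for log4j*" does and classifies each Log4j jar by the
# version in its file name, using only the ranges the advisory states:
#   2.0.0 .. 2.14.1 -> CVE-2021-44228 (remote code execution)
#   2.15.0          -> CVE-2021-45046
#   2.16.0          -> CVE-2021-45105
#   2.17.0 and up   -> fixed (the level the hotfixed products ship with)
#   1.x             -> see the CVE-2021-4104 section of the advisory
# The search root is a parameter, e.g. /var/opt/fabasoft/cache/INSTALLDIR.

# Turn "2.14.1" into the integer 2014001 so versions compare numerically.
log4j_version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print "<status> <version> <path>" for one jar path.
classify_log4j_jar() {
    path=$1
    base=$(basename "$path")
    # log4j-core-2.14.1.jar -> 2.14.1, log4j-1.2.17.jar -> 1.2.17
    version=$(printf '%s\n' "$base" | sed -n 's/^log4j.*-\([0-9][0-9.]*\)\.jar$/\1/p')
    if [ -z "$version" ]; then
        # Unusual file name (e.g. a -sources jar): report it for manual review.
        printf 'unknown-version - %s\n' "$path"
        return 0
    fi
    case $version in
        1.*)    status=log4j-1.x-see-CVE-2021-4104 ;;
        2.15.0) status=CVE-2021-45046 ;;
        2.16.0) status=CVE-2021-45105 ;;
        *)
            if [ "$(log4j_version_key "$version")" -lt "$(log4j_version_key 2.15.0)" ]; then
                status=CVE-2021-44228
            else
                status=fixed
            fi
            ;;
    esac
    printf '%s %s %s\n' "$status" "$version" "$path"
}

# One report line per log4j*.jar below $1, sorted so repeated runs diff cleanly.
# Permission errors from find are suppressed; run as a user that can read the tree.
find_log4j_jars() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | sort | while IFS= read -r jar; do
        classify_log4j_jar "$jar"
    done
}

# Succeeds (exit 0) when at least one jar is not "fixed", so it can gate a script.
log4j_report_has_findings() {
    find_log4j_jars "$1" | grep -qv '^fixed '
}

# Usage: sh log4j-scan.sh /var/opt/fabasoft/cache/INSTALLDIR
if [ -n "${1:-}" ]; then
    find_log4j_jars "$1"
fi
```

The classification is by file name only, which is what the advisory's search relies on; a jar that has been renamed or shaded into another archive is not detected this way, which is why the "Developing own solutions" section asks you to check your own dependencies separately.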

Developing own solutions

If your company develops its own solutions or apps for your Fabasoft Folio installation in Java, check your repository for any Log4j dependencies. Also check that none of the other Java libraries you use have packaged the affected Log4j library.

Solution in the Fabasoft Business Process Cloud

A hotfix was applied in the Fabasoft Business Process Cloud on 13 December 2021.

Mitigation measures had been applied before that. So far, there is no indication that the vulnerability has been exploited.

Although not affected, a version using log4j version 2.16.0 was applied in the Fabasoft Business Process Cloud on 19 December 2021.

Although not affected, a version using log4j version 2.17.0 was applied in the Fabasoft Business Process Cloud on 21 December 2021.

Hotfix information for Fabasoft Folio and Fabasoft eGov-Suite

Currently, a hotfix is available for:

Fabasoft Folio 2021 November Release (build 21.11.0.150)

Fabasoft eGov-Suite 2021 November Release (build 21.11.0.150.007)

Please contact Fabasoft Enterprise Support to request a hotfix package for these versions. The hotfixed products use at least log4j version 2.17.0.

Mitigation for Fabasoft Folio

It is strongly recommended to install the provided hotfix for Fabasoft Folio 2021 November Release or Fabasoft eGov-Suite 2021 November Release.

With a Java option for Log4j, the LDAP lookup that causes the vulnerability can be disabled.

For affected Fabasoft Folio 2021 versions, please apply the following workaround on all servers to disable the vulnerable lookup:

Windows

  • Locate the file C:\ProgramData\Fabasoft
  • Open the file coomk.upd
  • If no entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= is present, add
    HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS=-Dlog4j2.formatMsgNoLookups=true
  • If the entry HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS= already exists with other parameters, add
    HKEY_ENVIRONMENT\COOJAVA_JVMOPTIONS=<someotherparameter> -Dlog4j2.formatMsgNoLookups=true
    (using a blank to separate the entries)

Restart all Kernel instances on that machine.

Linux

Fabasoft Folio environment variables can be configured in two ways; see https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Envir... for details.

Option 1 - Per server configuration

  • Navigate to /etc/fabasoft/settings/users/fscsrv/Software/Fabasoft/Environment
  • If not existing, create a directory COOJAVA_JVMOPTIONS or change to this directory.
  • Create or edit a file named registry.default
  • Add the following into the file
    -Dlog4j2.formatMsgNoLookups=true
  • Make sure that no line-break is on the end of the file.
  • Restart all Kernel instances on that machine.

Option 2 - Per service configuration

Even if you use option 1, double-check that the server-wide setting is not overridden by a per-service configuration.

Repeat these steps for each <instance>:

  • Navigate to /var/opt/fabasoft/instances/<instance>/env
  • Check for, or create, a file named COOJAVA_JVMOPTIONS
  • Add the following into the file
    -Dlog4j2.formatMsgNoLookups=true
  • Make sure that no line-break is on the end of the file.
  • Restart all Kernel instances on that machine.
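Two details in the Linux steps above are easy to get wrong and silently leave a Kernel unprotected: a trailing line break in the value file, and a per-service COOJAVA_JVMOPTIONS file that overrides the server-wide registry.default without carrying the flag. The following POSIX sh script is an added example and not a Fabasoft-provided script; it applies both Option 1 and Option 2 and then verifies them. The paths default to the ones named in this article, but both roots are parameters so the functions can be tried against a scratch directory; the function names are the example's own. Restarting the Kernel instances afterwards is still a manual step.

```shell
#!/bin/sh
# Added example, not a Fabasoft-provided script: applies and verifies the Linux
# workaround from the advisory (-Dlog4j2.formatMsgNoLookups=true) in both places it
# names, and checks the two details that silently break it: a trailing line break
# in the value file, and a per-service COOJAVA_JVMOPTIONS file that overrides the
# server-wide setting without carrying the flag. The roots default to the paths in
# the advisory but are parameters so the functions can be tried on a scratch tree.

FLAG='-Dlog4j2.formatMsgNoLookups=true'
SETTINGS_DEFAULT=/etc/fabasoft/settings/users/fscsrv/Software/Fabasoft/Environment
INSTANCES_DEFAULT=/var/opt/fabasoft/instances

# Write FLAG into a value file, keeping any JVM options already there (separated by
# a blank) and writing with printf '%s' so the file never ends with a line break.
write_jvmoptions_file() {
    file=$1
    current=""
    if [ -f "$file" ]; then current=$(cat "$file"); fi
    case " $current " in
        *" $FLAG "*) new=$current ;;                 # already set: just normalise
        *) if [ -n "$current" ]; then new="$current $FLAG"; else new=$FLAG; fi ;;
    esac
    printf '%s' "$new" > "$file"
}

# Option 1 of the advisory: server-wide registry.default.
apply_serverwide() {
    settings=${1:-$SETTINGS_DEFAULT}
    mkdir -p "$settings/COOJAVA_JVMOPTIONS"
    write_jvmoptions_file "$settings/COOJAVA_JVMOPTIONS/registry.default"
}

# Option 2 of the advisory: env/COOJAVA_JVMOPTIONS in every instance directory.
apply_per_instance() {
    instances=${1:-$INSTANCES_DEFAULT}
    for dir in "$instances"/*/; do
        [ -d "$dir" ] || continue
        mkdir -p "${dir}env"
        write_jvmoptions_file "${dir}env/COOJAVA_JVMOPTIONS"
    done
}

# True when the file exists, contains FLAG and its last byte is not a newline
# ($(tail -c1 ...) is empty exactly when the last byte is a line break).
file_is_mitigated() {
    [ -f "$1" ] || return 1
    grep -q -- "$FLAG" "$1" || return 1
    [ -n "$(tail -c1 "$1")" ]
}

# Report both levels; exit status 1 if any Kernel would start without the flag.
check_mitigation() {
    settings=${1:-$SETTINGS_DEFAULT}
    instances=${2:-$INSTANCES_DEFAULT}
    rc=0
    srv="$settings/COOJAVA_JVMOPTIONS/registry.default"
    if file_is_mitigated "$srv"; then
        echo "ok       server-wide: $srv"
    else
        echo "MISSING  server-wide: $srv (flag absent or file ends with a line break)"
        rc=1
    fi
    for dir in "$instances"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        f="${dir}env/COOJAVA_JVMOPTIONS"
        if [ ! -f "$f" ]; then
            echo "ok       $name: no per-service override, server-wide value applies"
        elif file_is_mitigated "$f"; then
            echo "ok       $name: per-service override carries the flag"
        else
            echo "OVERRIDE $name: $f replaces the server-wide value without the flag"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh log4j-workaround.sh apply|check   (then restart all Kernel instances)
case ${1:-} in
    apply) apply_serverwide && apply_per_instance && check_mitigation ;;
    check) check_mitigation ;;
esac
```

The check is deliberately strict about per-service files: the article's Option 2 note is that a per-service COOJAVA_JVMOPTIONS replaces the server-wide value rather than extending it, so an instance file that exists but lacks the flag is reported as a failure even when registry.default is correct.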

Log4j 2.15.0 Vulnerability CVE-2021-45046 and Log4j 2.16.0 Vulnerability CVE-2021-45105

Additional vulnerabilities have been reported by the Log4j project (CVE-2021-45046 and CVE-2021-45105) when the logging configuration uses a non-default pattern layout.

Fabasoft Folio does not use this specific pattern layout in its code; therefore neither any Fabasoft Folio version nor the Fabasoft Business Process Cloud is or was affected.

Nevertheless, Fabasoft will update the Log4j library to version 2.17.0, which closes CVE-2021-45105, in the hotfixed versions for CVE-2021-44228 and in all future releases.

Fabasoft Mindbreeze Enterprise does not use any of the vulnerable features; therefore no Fabasoft Mindbreeze Enterprise version is affected.

Log4j 1.2 Vulnerability CVE-2021-4104

During the investigation, another vulnerability in Log4j version 1.2 was identified; it is listed as CVE-2021-4104 with a CVSS v3 Base Score of 8.1 (High).

No Fabasoft Folio version is affected by CVE-2021-4104.

Reflected Cross Site Scripting at First Request (FSC29337)

First published: 28 August 2021

Last update: 16 September 2021

ID: FSC29337

Affected Components: Fabasoft Folio Webservices, Fabasoft Cloud Webservices

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Basic Score: 7.3

Status: Final

CVEs: -

Summary

By passing malicious content in a parameter of the first request to the Fabasoft Folio web client, an error is returned that reflects this content. The content type of the response is not interpreted correctly, so the malicious content is injected into the web browser client.

Impact

An attacker may send a user a link containing the malicious content. If the user opens the link in the web browser, code may be executed in the current user's context.

Remediation

The parameter values are no longer part of the error message.

Fabasoft Cloud

A hotfix was applied in the Fabasoft Cloud on 16 August 2021.

Fabasoft Folio / Fabasoft eGov-Suite

A hotfix is provided for all supported Fabasoft Folio / Fabasoft eGov-Suite versions. It is recommended to install this hotfix.

Hotfix Information (Fabasoft Folio)

Fixed with the following versions of Fabasoft Folio:

  • Fabasoft Folio Version 2021 Update Rollup 2 (21.1.2)

A hotfix is provided for the following Fabasoft Folio versions:

  • Fabasoft Folio Version 2021 July Release (21.7.0)
  • Fabasoft Folio Version 2021 Update Rollup 1 (21.1.1)
  • Fabasoft Folio Version 2020 Update Rollup 5 (20.1.5)
  • Fabasoft Folio Version 2020 Update Rollup 4 (20.1.4)
  • Fabasoft Folio Version 2019 Update Rollup 3 (19.2.3)
  • Fabasoft Folio Version 2017 R1 Update Rollup 7 (17.4.7)
  • Fabasoft Folio Version 2017 R1 Update Rollup 6 (17.4.6)
  • and all major releases and Update Rollups above the mentioned versions.

Hotfix Information (Fabasoft eGov-Suite)

Fixed with the following versions of Fabasoft eGov-Suite:

  • Fabasoft eGov-Suite 2021 Update Rollup 2 (21.1.2)

A hotfix is provided for the following Fabasoft eGov-Suite versions:

  • Fabasoft eGov-Suite 2021 July Release (21.7.0)
  • Fabasoft eGov-Suite 2021 Update Rollup 1 (21.1.1)
  • Fabasoft eGov-Suite 2020 Update Rollup 5 (20.1.5)
  • Fabasoft eGov-Suite 2020 Update Rollup 4 (20.1.4)
  • Fabasoft eGov-Suite 2019 Update Rollup 3 (19.2.3)