KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Following the December 10, 2021 announcement of the critical Log4j2 security vulnerability (CVE-2021-44228), Appian determined that impacted versions of Log4j2 were being used in the Appian platform. Appian has taken the following actions in response:

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j 2.x instances to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgraded all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
On March 25, 2022, Appian released an additional hotfix on all supported versions except for 22.1 that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper.
On April 8, 2022, Appian released an additional hotfix for 22.1 that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details)
3/25/2022 - Hotfix from Appian released for all supported versions except for 22.1, updating log4j 1.2.17 within Kafka and Zookeeper.
4/8/2022 - Hotfix from Appian for 22.1 is released, updating log4j 1.2.17 within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform.

Affected Versions

This article applies to all supported versions of Appian.

Last Reviewed: April 14, 2022