KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Through investigation, Appian has determined that we are using potentially impacted versions of Log4j2 within our product (CVE-2021-44228), including 3 of our Appian supported utilities. Currently, Appian is not aware of any breach or indicators of compromise related to this vulnerability in our security monitoring, whether internal or external. 

We have confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions that Appian uses in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE (Common Vulnerabilities and Exposures). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability. Our teams have been treating this issue as one of highest priority.

Hotfix releases have been created for 19.4 releases and forward, and were made available to customers on Saturday, December 11. In these hotfixes, vulnerable versions of Log4j2 have been upgraded to version 2.15.0. Customers’ designated support contacts have been notified by email of the hotfix availability. 

Appian Cloud customers are being notified by our Support team of mandatory scheduling of maintenance windows for deploying the hotfix to their sites, following Appian’s Critical Maintenance procedures. For self-managed customers, Appian has made the hotfix installers available for download.

Appian has also published new versions of the following affected plugins that are supported by Appian:  

For Community-maintained plugins, Appian has contacted plugin authors and encouraged them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, customers also have the ability to inspect and update them independently (and can publish their updates back to the AppMarket).

Additional Notes:

For third-party components running version 2.11.1, i.e., components which still need to have the patch applied but whose codebase is not within Appian’s control, Appian has taken steps to mitigate the vulnerability, for instance by applying the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. Appian has identified one third-party component that is still on 2.11.1. Given that Appian has applied the NIST-recommended mitigation approach mentioned above, Appian expects to upgrade this component and make this available to customers through standard maintenance procedures once the patch becomes available.

CVE-2021-45046 is a new, but related, vulnerability against Log4j2, originally announced on December 14, 2021 with a provisional CVSS score of 3.7 (low) and updated on December 17, 2021 to a CVSS score of 9.0 (Critical). Appian's current configuration mitigates the risks associated with this CVE, since Appian does not use pattern layouts with a context lookup (e.g. ctx) in any location. Because that format is not in use, the Appian platform is not vulnerable to the issues described in CVE-2021-45046. While the Appian platform is not affected by this vulnerability, Appian is in the process of updating to version 2.17 and will make this update available to customers through standard maintenance procedures once available.
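The two mitigations described above (the "log4j2.formatMsgNoLookups" property for CVE-2021-44228, and the absence of context lookups in pattern layouts for CVE-2021-45046) can be checked mechanically against an instance's Log4j2 version and configuration. The following is an added example, not Appian's own code or tooling; the config is constructed for illustration, and the status mapping follows only what this article states (fix versions 2.15.0, 2.16 and 2.17 from the timeline).

```python
import re
import xml.etree.ElementTree as ET

# Fix versions taken from the article's timeline (CVE -> first fixed Log4j2 release).
FIX = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0), "CVE-2021-45105": (2, 17, 0)}
# A context lookup in a PatternLayout looks like ${ctx:name} or $${ctx:name}.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")

def parse_version(v):
    """'2.11.1' -> (2, 11, 1); '2.17' -> (2, 17, 0)."""
    parts = [int(p) for p in v.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def pattern_layouts_with_ctx_lookup(log4j2_xml):
    """Return every PatternLayout pattern (attribute or <Pattern> child) using a ctx lookup."""
    root = ET.fromstring(log4j2_xml)
    hits = []
    for layout in root.iter("PatternLayout"):
        patterns = [layout.get("pattern", "")] + [p.text or "" for p in layout.findall("Pattern")]
        hits.extend(p for p in patterns if CTX_LOOKUP.search(p))
    return hits

def assess(version, log4j2_xml, format_msg_no_lookups=False):
    """Map each CVE from the article to 'fixed', 'mitigated' or 'exposed' for one instance."""
    v = parse_version(version)
    ctx_hits = pattern_layouts_with_ctx_lookup(log4j2_xml)
    status = {}
    for cve, fix in FIX.items():
        if v >= fix:
            status[cve] = "fixed"
        elif cve == "CVE-2021-44228" and format_msg_no_lookups and v >= (2, 10, 0):
            status[cve] = "mitigated"  # NIST-recommended property, as applied to the 2.11.1 component
        elif cve == "CVE-2021-45046" and not ctx_hits:
            status[cve] = "mitigated"  # no context lookup in any pattern layout
        else:
            status[cve] = "exposed"    # the article names no mitigation other than upgrading
    return status

# Constructed sample log4j2.xml: one console appender whose pattern carries a ctx lookup.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level $${ctx:loginId} %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""
SAFE_CONFIG = SAMPLE_CONFIG.replace(" $${ctx:loginId}", "")  # same config without the lookup
```

Running assess("2.11.1", SAMPLE_CONFIG, format_msg_no_lookups=True) reports CVE-2021-44228 as mitigated but CVE-2021-45046 as exposed, which is exactly the distinction the CVSS re-scoring on December 17 drew.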

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021.  Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.

Timeline:

  • 12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released 
  • 12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
  • 12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
  • 12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
  • 12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
  • 12/21/2021 - Appian updates its plans to issue a hotfix on 12/22/2021 upgrading all Log4j2 2.x instances to 2.17 (including relevant third-party components such as Elasticsearch)

Appian's response to the FedRAMP Log4j2 questionnaire is in progress and will be made available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 21 2021