
KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Following the December 10, 2021 announcement of the critical Log4j2 security vulnerability (CVE-2021-44228), Appian determined that impacted versions of Log4j2 were being used in the Appian platform.  Appian has taken the following actions in response:

  1. Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external. 
  2. Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) remote-codebase attack vector in this CVE. In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” defaults to “false”, meaning JNDI (Java Naming and Directory Interface) will not load a remote codebase over LDAP. However, this setting does not close every path (for example, an LDAP response can carry a serialized Java object rather than a codebase reference, which that setting does not block), so the JDK setting alone is not a complete mitigation and other attack vectors remain possible. 
  3. On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15.0 in accordance with the Apache and NIST recommendations. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
  4. On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:  

    Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update them independently (and can publish their updates back to the AppMarket).

  5. On December 22, 2021, Appian released an additional hotfix that provides the following updates:
    • Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system property "log4j2.formatMsgNoLookups" set to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0. 
    • On December 14, 2021 a new, but related, vulnerability against Log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (Low), updated on December 17, 2021 to a CVSS score of 9.0 (Critical). This CVE requires a logging configuration whose pattern layout feeds Thread Context (MDC) data into the log line, either through a context lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, %MDC), where an attacker controls the context value; in that case the "log4j2.formatMsgNoLookups" mitigation does not apply. Appian does not use pattern layouts with a context lookup in any location, so the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

  • CVE-2021-4104 is a related vulnerability announced December 14, 2021 that affects Log4j 1.2 (not Log4j2) when the JMSAppender is configured. Appian does not use the JMSAppender in any instance of Log4j 1.x. Therefore, the Appian platform is not impacted by this CVE.
  • CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Exploiting it requires an attacker who can modify the logging configuration (to point a JDBC Appender at an attacker-controlled JNDI data source). Unauthenticated and basic users do not have the ability to modify the Log4j logging configuration file within the Appian platform. However, Appian still plans to update all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.
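The reasoning in the December 22 hotfix notes and in the Additional Notes above (the "log4j2.formatMsgNoLookups" property covers CVE-2021-44228 but not CVE-2021-45046; CVE-2021-45046 and CVE-2021-45105 need a context lookup or Thread Context Map pattern in the layout; CVE-2021-44832 needs an attacker who can edit the configuration) can be turned into a check that a customer can run against their own log4j2.xml files. The following is an added example, not Appian's code or tooling. It assumes a log4j2.xml-style configuration and a log4j-core version string, models only the 2.x main line (not the 2.12.x and 2.3.x backport branches), and uses sample configurations constructed inline.

```python
"""Audit a Log4j 2 configuration for the preconditions the advisory relies on.

Added example, not Appian's code. Inputs are a log4j2.xml-style configuration
(constructed below) and a log4j-core version string; only the 2.x main line is
modelled, not the 2.12.x/2.3.x backport branches.
"""
import re
import xml.etree.ElementTree as ET

# Layout elements that pull Thread Context (MDC) values into the log line.
# With one of these and attacker-controlled MDC data, CVE-2021-45046 and
# CVE-2021-45105 remain reachable even with log4j2.formatMsgNoLookups=true.
CONTEXT_LOOKUP_RE = re.compile(r"\$\$?\{ctx:|%X\b|%mdc\b|%MDC\b")

# Constructed sample configurations (not Appian's).
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%t] $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>"""

# Same configuration without the context lookup in the layout.
SAFE_CONFIG = VULNERABLE_CONFIG.replace("$${ctx:loginId} ", "")


def parse_version(version):
    """'2.15.0' -> (2, 15, 0); used for the range comparisons below."""
    return tuple(int(part) for part in version.split("."))


def layout_patterns(config_xml):
    """Return every PatternLayout 'pattern' attribute in the configuration."""
    root = ET.fromstring(config_xml)
    return [e.get("pattern") for e in root.iter()
            if e.tag.lower() == "patternlayout" and e.get("pattern")]


def uses_context_lookup(config_xml):
    """True if any layout contains a ctx lookup or Thread Context Map pattern."""
    return any(CONTEXT_LOOKUP_RE.search(p) for p in layout_patterns(config_xml))


def applicable_cves(version, config_xml, format_msg_no_lookups=False,
                    config_writable_by_untrusted=False):
    """Return the set of Log4j 2 CVEs from this advisory that still apply."""
    v = parse_version(version)
    ctx = uses_context_lookup(config_xml)
    cves = set()
    # Message lookups (JNDI string inside the logged message): fixed in
    # 2.15.0; the formatMsgNoLookups property only exists from 2.10 onward.
    if v < (2, 15, 0) and not (format_msg_no_lookups and v >= (2, 10, 0)):
        cves.add("CVE-2021-44228")
    # Context lookups in the layout bypass both the 2.15.0 fix and the
    # property; fixed in 2.16.0.
    if v < (2, 16, 0) and ctx:
        cves.add("CVE-2021-45046")
    # Recursive self-referential context lookups (denial of service):
    # fixed in 2.17.0.
    if v < (2, 17, 0) and ctx:
        cves.add("CVE-2021-45105")
    # JDBC Appender with a JNDI data source: needs an attacker who can edit
    # the configuration; fixed in 2.17.1.
    if v < (2, 17, 1) and config_writable_by_untrusted:
        cves.add("CVE-2021-44832")
    return cves


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.17.0", "2.17.1"):
        print(ver,
              "ctx layout:", sorted(applicable_cves(ver, VULNERABLE_CONFIG)),
              "| no ctx lookup:", sorted(applicable_cves(ver, SAFE_CONFIG)))
```

Run against a real deployment, the version string comes from the log4j-core jar name or its MANIFEST, and the configuration from the log4j2.xml actually loaded by the JVM; the two flags describe the operator's own mitigations and access controls, which the configuration file cannot tell you.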

Timeline:

  • 12/10/2021 - CVE-2021-44228 vuln (CVSS 10.0) released
  • 12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
  • 12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
  • 12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
  • 12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
  • 12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
  • 12/22/2021 - Hotfix from Appian released (2.17 update)
  • 12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.

Appian’s response to the FedRAMP Log4j2 questionnaire is in progress and will be made available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 29 2021