KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Zach Puderbach — Thu, 14 Apr 2022 18:50:31 GMT

Current Revision posted to Appian Knowledge Base by Zach Puderbach on 4/14/2022 6:50:31 PM

Following the December 10, 2021 announcement of the critical Log4j2 security vulnerability (CVE-2021-44228), Appian determined that impacted versions of Log4j2 were being used in the Appian platform. Appian has taken the following actions in response:

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j 2.x instances to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgraded all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
On March 25, 2022, Appian released an additional hotfix on all supported versions except for 22.1 that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper.
On April 8, 2022, Appian released an additional hotfix for 22.1 that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details)
3/25/2022 - Hotfix from Appian released for all supported versions except for 22.1, updating log4j 1.2.17 within Kafka and Zookeeper.
4/8/2022 - Hotfix from Appian for 22.1 is released, updating log4j 1.2.17 within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform.

Affected Versions

This article applies to all supported versions of Appian.

Last Reviewed: April 14, 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Elly Meng — Mon, 28 Mar 2022 18:32:24 GMT

Revision 32 posted to Appian Knowledge Base by Elly Meng on 3/28/2022 6:32:24 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j 2.x instances to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgraded all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
On March 25, 2022, Appian released an additional hotfix on supported versions that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform.

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details)
3/25/2022 - Hotfix from Appian released, updating log4j 1.2.17 within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform

Affected Versions

This article applies to all supported versions of Appian.

Last Reviewed: March 28 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Elly Meng — Mon, 28 Mar 2022 17:52:46 GMT

Revision 31 posted to Appian Knowledge Base by Elly Meng on 3/28/2022 5:52:46 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j 2.x instances to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgraded all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
On March 25, 2022, Appian released an additional hotfix on supported versions that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform.

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details)
3/25/2022 - Hotfix from Appian released, updating log4j 1.2.17 within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 28 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Elly Meng — Mon, 28 Mar 2022 17:50:18 GMT

Revision 30 posted to Appian Knowledge Base by Elly Meng on 3/28/2022 5:50:18 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j 2.x instances to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgraded all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
On March 25, 2022, Appian released an additional hotfix on supported versions that replaces the use of log4j 1.2.17 versions within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform.

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details)
3/25/2022 - Hotfix from Appian released, updating log4j 1.2.17 within Kafka and Zookeeper. With this update, there is no remaining usage of log4j 1.x versions within the Appian Platform

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 28 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Parmida Borhani — Tue, 15 Mar 2022 00:09:23 GMT

Revision 29 posted to Appian Knowledge Base by Parmida Borhani on 3/15/2022 12:09:23 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.
On March 11, 2022, Appian released an additional hotfix that replaces the use of log4j 1.2.17 versions across all components except for Service Manager. There is no patch available for these components at this time, but Appian expects to update these components by early Q2. In the meantime, Appian has confirmed that our usage of Log4j 1.2.17 is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.

Appian customers’ support contacts have been notified of the availability of these hotfixes.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)i
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.
3/11/2022 - Hotfix from Appian released, updating log4j 1.2.17 across all components except Kafka and Zookeeper (refer to #7 above for additional details).

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 14 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Mon, 31 Jan 2022 21:55:15 GMT

Revision 28 posted to Appian Knowledge Base by Elly Meng on 1/31/2022 9:55:15 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.
Appian uses Log4j 1.2.17, and just like every other third-party component within the Appian platform, we monitor it for new vulnerabilities. Should a vulnerability related to Log4j 1.2.17 be discovered, we will investigate the vulnerability to determine if the Appian platform is impacted and remediate the issue as necessary as part of our normal hotfix process. At this time, Appian is unaware of any vulnerabilities within Log4j 1.2.17 that impact the Appian platform. Specifically, Appian is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307. In the future, Appian has plans to upgrade all Log4j 1.2.17 to the latest version of Log4j 2.x. While we are unable to provide additional details on the expected timeline at this time, our security team will continue to monitor the threat landscape related to Log4j and keep customers informed as developments arise.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)i
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 31 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Mon, 31 Jan 2022 21:51:51 GMT

Revision 27 posted to Appian Knowledge Base by Elly Meng on 1/31/2022 9:51:51 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.
Appian uses Log4j 1.2.17, and just like every other third-party component within the Appian platform, we monitor it for new vulnerabilities. Should a vulnerability related to Log4j 1.2.17 be discovered, we will investigate the vulnerability to determine if the Appian platform is impacted and remediate the issue as necessary as part of our normal hotfix process. At this time, Appian is unaware of any vulnerabilities within Log4j 1.2.17 that impact the Appian platform. Specifically, Appian is not vulnerable to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307. In the future, Appian has plans to upgrade all Log4j 1.2.17 to the latest version of Log4j 2.x. While we are unable to provide additional details on the expected timeline at this time, our security team will continue to monitor the threat landscape related to Log4j and keep customers informed as developments arise.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)i
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 31 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Fri, 21 Jan 2022 22:26:24 GMT

Revision 26 posted to Appian Knowledge Base by Elly Meng on 1/21/2022 10:26:24 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.
Appian uses Log4j 1.2.17, and just like every other third-party component within the Appian platform, we monitor it for new vulnerabilities. Should a vulnerability related to Log4j 1.2.17 be discovered, we will investigate the vulnerability to determine if the Appian platform is impacted and remediate the issue as necessary as part of our normal hotfix process. At this time, Appian is unaware of any vulnerabilities within Log4j 1.2.17 that impact the Appian platform. In the future, Appian has plans to upgrade all Log4j 1.2.17 to the latest version of Log4j 2.x. While we are unable to provide additional details on the expected timeline at this time, our security team will continue to monitor the threat landscape related to Log4j and keep customers informed as developments arise.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 21 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Fri, 21 Jan 2022 22:20:53 GMT

Revision 25 posted to Appian Knowledge Base by Elly Meng on 1/21/2022 10:20:53 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.
Appian uses Log4j 1.2.17, and just like every other third-party component within the Appian platform, we monitor it for new vulnerabilities. Should a vulnerability related to Log4j 1.2.17 be discovered, we will investigate the vulnerability to determine if the Appian platform is impacted and remediate the issue as necessary as part of our normal hotfix process. At this time, Appian is unaware of any vulnerabilities within Log4j 1.2.17 that impact the Appian platform. In the future, Appian has plans to upgrade all Log4j 1.2.17 to the latest version of Log4j 2.x. While we are unable to provide additional details on the expected timeline at this time, our security team will continue to monitor the threat landscape related to Log4j and keep you informed as developments arise.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 21 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Tue, 18 Jan 2022 00:38:37 GMT

Revision 24 posted to Appian Knowledge Base by Parmida Borhani on 1/18/2022 12:38:37 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.
On January 17, 2021, Appian released an additional hotfix that upgrades all log4j2 2.x instances to 2.17.1.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, as of January 17 2022, Appian has updated all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.
1/17/2022 - Hotfix from Appian released, upgrading all log4j2 2.x instances to 2.17.1.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 17 2022

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Thu, 30 Dec 2021 21:08:32 GMT

Revision 23 posted to Appian Knowledge Base by Elly Meng on 12/30/2021 9:08:32 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, Appian still plans to update all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 29 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Thu, 30 Dec 2021 21:08:08 GMT

Revision 22 posted to Appian Knowledge Base by Elly Meng on 12/30/2021 9:08:08 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, Appian still plans to update all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 30 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Elly Meng — Wed, 29 Dec 2021 17:34:50 GMT

Revision 21 posted to Appian Knowledge Base by Elly Meng on 12/29/2021 5:34:50 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.
CVE-2021-44832 is a new vulnerability against Log4j2, announced December 28, 2021. Unauthenticated and basic users do not have the ability to modify the log4j logging configuration file within the Appian platform. However, Appian still plans to update all instances of Log4j 2.x to 2.17.1 through our normal hotfix cycle.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)
12/28/2021 - CVE-2021-44832 vuln (CVSS 3.1) released (2.17.1 update). This is a medium severity issue that Appian plans to patch through our normal hotfix cycle.

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 23 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 22:15:45 GMT

Revision 20 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 10:15:45 PM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Appian customers’ support contacts have been notified of the availability of this hotfix.

Additional Notes:

CVE-2021-4104 is a new, but related, vulnerability against Log4j2, announced December 14, 2021. Appian does not use the JMSAppender in any instances of 1.x. Therefore, the Appian platform is not impacted by this CVE.

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 23 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 07:43:58 GMT

Revision 19 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 7:43:58 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 22 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 07:40:01 GMT

Revision 18 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 7:40:01 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228. Vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 22 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 07:37:39 GMT

Revision 17 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 7:37:39 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released
12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations
12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply
12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0
12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components Elasticsearch) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 22 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 07:37:03 GMT

Revision 16 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 7:37:03 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released

12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations

12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply

12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0

12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components Elasticsearch) on 12/22/2021
12/22/2021 - Hotfix from Appian released (2.17 update)

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 22 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046)

Parmida Borhani — Thu, 23 Dec 2021 07:34:23 GMT

Revision 15 posted to Appian Knowledge Base by Parmida Borhani on 12/23/2021 7:34:23 AM

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
Appian confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions used in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability.
On December 11, 2021, Appian released a hotfix for all supported Appian releases, upgrading Log4j to version 2.15 in accordance with NIST’s recommendation. Appian notified customers’ designated support contacts of the hotfix availability. This hotfix has been deployed to all Appian Cloud environments.
On December 11, 2021, Appian published new versions of the following affected plugins that are supported by Appian:
Appian contacted plugin authors for Appian Community supported plugins, encouraging them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, Appian customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)
On December 22, 2021, Appian released an additional hotfix that provides the following updates:
- Appian previously identified one third-party component, whose codebase is not within Appian’s control, where a fix was not yet issued by the third-party. In order to mitigate the original vulnerability, Appian applied the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. The December 22, 2021 hotfix now fully addresses this by upgrading Log4j in this component to version 2.17.0.
- On December 14, 2021 a new, but related, vulnerability against log4j2 (CVE-2021-45046) was announced with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any location. In the absence of using that format, the Appian platform is not vulnerable to this CVE. While the Appian platform is not affected by this vulnerability, Appian has taken the NIST-recommended action for this CVE by updating Log4j from version 2.15.0 to version 2.17.0.

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released

12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations

12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply

12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0

12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply
12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components Elasticsearch) on 12/22/2021

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 22 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Elly Meng — Tue, 21 Dec 2021 15:57:24 GMT

Revision 14 posted to Appian Knowledge Base by Elly Meng on 12/21/2021 3:57:24 PM

Through investigation, Appian has determined that we are using potentially impacted versions of Log4j2 within our product (CVE-2021-44228), including 3 of our Appian supported utilities. Currently, Appian is not aware of any breach or indicators of compromise related to this vulnerability in our security monitoring, whether internal or external.

We have confirmed that the JDK (Java Platform, Standard Edition Development Kit) versions that Appian uses in its latest hotfix (11.0.12+7 and 8u312) are not affected by the LDAP (Lightweight Directory Access Protocol) attack vector in this CVE (Common Vulnerabilities and Exposures). In these versions, “com.sun.jndi.ldap.object.trustURLCodebase” is set to “false”, meaning JNDI (Java Naming and Directory Interface) cannot load a remote codebase using LDAP. However, there may potentially be other attack vectors targeting this vulnerability. Our teams have been treating this issue as one of highest priority.

Hotfix releases have been created for 19.4 releases and forward, and were made available to customers on Saturday, December 11. In these hotfixes, vulnerable versions of Log4j2 have been upgraded to version 2.15.0. Customers’ designated support contacts have been notified by email of the hotfix availability.

Appian Cloud customers are being notified by our Support team of mandatory scheduling of maintenance windows for deploying the hotfix to their sites, following Appian’s Critical Maintenance procedures. For self-managed customers, Appian has made the hotfix installers available for download.

Appian has also published new versions of the following affected plugins that are supported by Appian:

For Community maintained plugins, Appian has contacted plugin authors and encouraged them to review their plugins for this vulnerability and publish updates if they are affected. As all AppMarket plugins are open-source, customers also have the ability to inspect and update independently (and can publish their updates back to the AppMarket)

Additional Notes:

For third-party components running version 2.11.1, i.e., components which still need to have the patch applied but whose codebase is not within Appian’s control, Appian has taken steps to mitigate the vulnerability, for instance by applying the NIST-recommended system setting/property "log4j2.formatMsgNoLookups" to “true” where needed. Appian has identified one third-party component that is still on 2.11.1. Given that Appian has applied the NIST-recommended mitigation approach mentioned above, Appian expects to upgrade this component and make this available to customers through standard maintenance procedures once the patch becomes available.

CVE-2021-45046 is a new, but related, vulnerability against Log4j2, originally announced on December 14, 2021 with a provisional CVSS score of 3.7 (low) and updated December 17, 2021 to a CVSS score of 9.0 (Critical). Appian’s current configuration mitigates risks associated with this CVE since Appian does not use pattern layouts with a context lookup (ex: ctx) in any locations. In absence of using that format, the Appian platform is not vulnerable to the vulnerabilities as described within CVE-2021-45046. While the Appian platform is not affected by this vulnerability, Appian is in the process of updating to version 2.17 and will make this update available to customers through standard maintenance procedures once available.

Timeline:

12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released

12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations

12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply

12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0

12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply

12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components Elasticsearch) on 12/22/2021

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 21 2021

Tags: logging, Security, installation

KB-2204 Information about the Log4j2 security vulnerability (CVE-2021-44228)

Elly Meng — Tue, 21 Dec 2021 15:50:19 GMT

Revision 13 posted to Appian Knowledge Base by Elly Meng on 12/21/2021 3:50:19 PM

Appian has also published new versions of the following affected plugins that are supported by Appian:

Additional Notes:

Timeline:

12/10/2021 - CVE-2021-44228 vuln (CVSS 10) released

12/11/2021 - Hotfix from Appian released (2.15 update), including Apache and NIST recommended mitigations

12/14/2021 - CVE-2021-45046 vuln (CVSS 3.7) released (2.16 update); relevant mitigations still apply

12/17/2021 - CVE-2021-45046 CVSS score was elevated to 9.0

12/18/2021 - CVE-2021-45105 vuln (CVSS 7.5) released (2.17 update); relevant mitigations still apply

12/21/2021 - Appian updates plans to issue a hotfix upgrading all log4j2 2.x instances to 2.17 (including relevant third-party components Elasticsearch) on 12/22/2021

Appian response to the FedRAMP Log4j2 questionnaire is in-progress and will be available on OMB Max.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: December 21 2021

Tags: logging, Security, installation