Skip to content

16.12.2021

Critical zero-day gap in log4j

In December 2021, a critical security problem was found in the Java framework log4j. As a result, an attacker who could control log messages or log message parameters could execute arbitrary code that is loaded by LDAP servers with message lookup replacement enabled.

Further information on this zero-day security vulnerability can be found here at https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnung/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=6

This library is used in many software products around the world.

The following COBISOFT solutions are not affected:

  • COBI.wms App: Does not use log4j and is an Android app and not a server application anyway.
  • COBI.wms HANA Proxy: does not use log4j.
  • COBI.time is based on Node.JS and does not contain any components written in Java.
  • COBI.edi is based on C # .NET and does not contain any components written in Java.
  • COBI.msv Server: does not use log4j.

The following COBISOFT products or product components are implemented as server-side Java applications:

HANA proxy

The HANA proxy is used to exchange data between the COBI.wms Android app and on-premises installations of the SAP HANA database for SAP Business One. The only external Java component used by the HANA proxy is the Gson JSON library from Google. Log4J is therefore not used in the HANA proxy.

In addition, the communication between the COBI.wms Android app and the HANA proxy takes place in the context of a local network, which is why the HANA proxy installations cannot be accessed from the Internet.

COBI.msv

COBI.msv is an implementation of the server component of the MSV3 v2.0 specification. Installations of COBI.msv are made publicly accessible from the Internet. The following external Java components are imported by COBI.msv:

The Gson JSON library from Google. (com.google.code.gson: gson)
The JAX WS RI runtime library bundle. (com.sun.xml.ws:jaxws-rt)

COBI.msv does not use Log4J directly. However, the import of the JAX WS bundle results in the following list of JAR files that are used indirectly by COBI.msv:

  • activation-1.1.jar
  • FastInfoset-1.2.16.jar
  • gmbal-4.0.0.jar
  • ha-api-3.1.12.jar
  • istack-commons-runtime-3.0.8.jar
  • jakarta.activation-api-1.2.1.jar
  • jakarta.annotation-api-1.3.4.jar
  • jakarta.jws-api-1.1.1.jar
  • jakarta.xml.bind-api-2.3.2.jar
  • jakarta.xml.soap-api-1.4.1.jar
  • jakarta.xml.ws-api-2.3.2.jar
  • javax.mail-1.6.2.jar
  • jaxb-runtime-2.3.2.jar
  • jaxws-rt-2.3.2-1.jar
  • management-api-3.2.1.jar
  • mimepull-1.9.11.jar
  • pfl-asm-4.0.1.jar
  • pfl-basic-4.0.1.jar
  • pfl-basic-tools-4.0.1.jar
  • pfl-dynamic-4.0.1.jar
  • pfl-tf-4.0.1.jar
  • pfl-tf-tools-4.0.1.jar
  • policy-2.7.6.jar
  • saaj-impl-1.5.1.jar
  • stax2-api-4.1.jar
  • stax-ex-1.8.1.jar
  • streambuffer-1.5.7.jar
  • txw2-2.3.2.jar
  • woodstox-core-5.1.0.jar

(The list was generated from a productive installation of COBI.msv 1.1.0.)

These JAR files were thoroughly searched for contained Java .class files as well as nested JAR files. No trace of Log4J was found.

Cookie Consent with Real Cookie Banner