<Overview>
A vulnerability (CVE-2021-44228) was discovered in the Apache Log4j library that allows remote code execution.
In addition, denial-of-service vulnerabilities (CVE-2021-45046 and CVE-2021-45105) were discovered in the library.
This FAQ describes the effects of these vulnerabilities on intra-mart products.
<Affected products>
・IM-ContentsSearch for Accel Platform
Customers using 2021 Spring or later are affected if they use the Apache Solr available from the Product File Download site.
The affected Apache Solr bundles log4j-core-2.13.2.jar, which has been confirmed to be vulnerable.
CVE-2021-44228 has been confirmed to affect Apache Solr; CVE-2021-45046 and CVE-2021-45105 have not been confirmed to affect it.
https://solr.apache.org/security.html
・IM-SecureSignOn for Accel Platform
Customers using 2019 Winter or later are affected if they use any of the following available from the Product File Download site.
・IM-SecureSignOn-8.0.4.zip
・IM-SecureSignOn-8.0.5.zip
The affected versions of VANADIS SecureJoin SSO Login Server use Apache Log4j.
The developer of VANADIS SecureJoin SSO Login Server is still investigating, but no effect of CVE-2021-45046 or CVE-2021-45105 has been confirmed under the standard settings.
■ Countermeasures
・IM-ContentsSearch for Accel Platform
Since December 24, 2021, we have been distributing a version of Apache Solr that is not affected by these vulnerabilities.
https://issue.intra-mart.jp/issues/34041
If you are using an Apache Solr that is affected by the vulnerabilities, please download solr.zip from the Product File Download site and migrate by following the procedure at the page below.
https://document.intra-mart.jp/library/iap/public/im_contents_search/solr_administrator_guide/texts/operation/index.html#migration
・IM-SecureSignOn for Accel Platform
The manufacturer of VANADIS products distributes an advisory document; the countermeasures it describes are reproduced here.
Please address the vulnerabilities by upgrading the version of Apache Log4j bundled with VANADIS SecureJoin SSO Login Server.
1. Preparation of materials
2. Selection of materials to be replaced
3. Replacement of materials
<1. Preparation of Materials>
Please download version 2.17.0, which addresses these vulnerabilities, from the official Apache Log4j website below.
URL: https://logging.apache.org/log4j/2.x/download.html
Files to obtain:
・Apache Log4j 2 binary (tar.gz): apache-log4j-2.17.0-bin.tar.gz
・Apache Log4j 2 binary (zip): apache-log4j-2.17.0-bin.zip
* Please download either tar.gz or zip according to your environment.
<2. Selection of materials to be replaced>
From the archive obtained in step 1, extract the following files required for the update.
・log4j-web-2.17.0.jar
・log4j-api-2.17.0.jar
・log4j-core-2.17.0.jar
・log4j-jcl-2.17.0.jar
<3. Replacement of materials>
Move the following files of the target VANADIS SecureJoin SSO Login Server to another directory as a backup, then place the files obtained in step 2 in the same path.
Path of the files to be replaced: {Installation directory*}/WEB-INF/lib
* Example installation directory for SecureJoin SSO Server: /usr/local/tomcat/webapps/sso
Files to be replaced:
・log4j-web-2.xx.x.jar
・log4j-api-2.xx.x.jar
・log4j-core-2.xx.x.jar
・log4j-jcl-2.xx.x.jar
* The "x" characters in the version part of each file name vary depending on the product.
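As an added example (not from this FAQ or the VANADIS documentation), the following POSIX shell script checks a WEB-INF/lib directory for the four jars listed above, flags any whose version is below 2.17.0, and performs the backup-and-replace of step 3. The directory layout and the empty sample jar files it constructs are assumptions for illustration only.

```shell
# Added example, not from the intra-mart FAQ or the VANADIS documentation: checks
# a WEB-INF/lib for the four Log4j 2 jars named above, flags any below 2.17.0, and
# performs the backup-and-replace of step 3. All paths and sample jars are constructed.

# Return 0 when plain three-field version $1 >= $2, compared numerically field by field
version_ge() {
  oldifs=$IFS; IFS=.
  set -- $1 $2          # positional fields: a.maj a.min a.pat b.maj b.min b.pat
  IFS=$oldifs
  if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && return 0; return 1; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && return 0; return 1; fi
  [ "$3" -ge "$6" ] && return 0
  return 1
}

# Report each log4j-{web,api,core,jcl} jar in lib dir $1; return 1 if any is below 2.17.0
check_lib_dir() {
  status=0
  for art in web api core jcl; do
    for jar in "$1"/log4j-"$art"-*.jar; do
      [ -e "$jar" ] || continue         # glob matched nothing for this artifact
      ver=$(basename "$jar" .jar); ver=${ver#"log4j-$art-"}   # log4j-core-2.13.2 -> 2.13.2
      if version_ge "$ver" 2.17.0; then echo "OK      $jar"
      else echo "UPDATE  $jar (found $ver, need 2.17.0)"; status=1; fi
    done
  done
  return $status
}

# Step 3: move the old jars from lib dir $1 into backup dir $2, then copy the
# 2.17.0 jars from the extracted Log4j distribution directory $3 into $1.
replace_jars() {
  mkdir -p "$2"
  for art in web api core jcl; do
    for old in "$1"/log4j-"$art"-*.jar; do if [ -e "$old" ]; then mv "$old" "$2"/; fi; done
    cp "$3"/log4j-"$art"-2.17.0.jar "$1"/
  done
}

# Constructed sample: an affected lib dir (2.13.2 jars) and a fake 2.17.0 distribution,
# using empty files in place of real jars; prints the root directory it created.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/sso/WEB-INF/lib" "$root/dist"
  for art in web api core jcl; do
    : > "$root/sso/WEB-INF/lib/log4j-$art-2.13.2.jar"
    : > "$root/dist/log4j-$art-2.17.0.jar"
  done
  echo "$root"
}
```

On a real server, run check_lib_dir against {Installation directory}/WEB-INF/lib first, and only then replace_jars with a backup directory and the directory where the downloaded archive was extracted.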
<Unaffected products - 1>
We have confirmed that the following products use neither log4j 2.x nor log4j 1.x.
Their standard logging function outputs logs through the API of log4j-over-slf4j-xxxx.jar.
log4j-over-slf4j-xxxx.jar exposes the log4j interface, but it is a separate implementation that delegates processing to slf4j, so these vulnerabilities do not apply.
intra-mart Accel Platform
intra-mart Accel Collaboration (including electronic conference room and questionnaire)
intra-mart Accel Documents
intra-mart Accel Documents Secure Download Option
intra-mart Accel GroupMail
intra-mart DPS Series
IM-RPA (including im_winactor_agent)
IM-BPM for Accel Platform
IM-ERP Real Connect for Accel Platform
IM-BloomMaker for Accel Platform
Accel Studio
IM-FormaDesigner for Accel Platform
IM-BIS for Accel Platform
IM-Spreadsheet for Accel Platform
intra-mart WebPlatform / AppFramework
intra-mart BaseModule
intra-mart e Builder for Accel Platform
IM-Juggling
Middleware (distributed via the Product File Download site)
Caucho Resin
intra-mart Accel Archiver
intra-mart Accel Kaiden! Travel expense
intra-mart Accel Kaiden! Work management
intra-mart Accel Kaiden! My number
IM-X-Server
IM-X Server DB Bridge
IM-X Server Management Service
IM-PDFAutoConverter for Accel Platform
IM-PDFDesigner for Accel Platform
IM-PDFDesigner FullPack for Accel Platform
IM-PDFDirectPrint for Accel Platform
IM-PDFTimeStamper for Accel Platform
Accel-Mart Quick/Plus
<Unaffected products - 2>
We have confirmed that the following products use log4j 1.x and that they are not affected by the vulnerabilities.
IM-PDFCoordinator for Accel Platform
Apache Cassandra 1.1.12
<Peripheral middleware products>
Please contact each vendor for middleware products such as Web servers and databases that you have installed.
FAQID:1133