Applies to
Archive Center 21.2
Summary
The Log4j third-party component used by Archive Center to keep a record of activity within the
application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-4104 and CVE-2021-44832.
This issue occurs in (but may not be limited to):
We validated that Archive Center versions before 20.2, where log4j-1.x.jar is used, are not impacted by CVE-2021-44228. The
JMSAppender in the Log4j third-party component, which is affected by the critical RCE vulnerability CVE-2021-4104, has no impact on any
of the following versions:
1 of 5 27/6/2022, 2:51 pm
Firefox https://knowledge.opentext.com/knowledge/llisapi.dll/kcs/kbarticle/vie...
A threat actor could potentially exploit this vulnerability to remotely execute unauthorized code on systems running Archive Center 20.2
and 21.2.
• CVE-2019-17571
• CVE-2020-9488
• CVE-2022-23302
• CVE-2022-23305
• CVE-2022-23307
Resolution
Due to the threat posed by a successful attack, OpenText strongly recommends that customers follow
the guidelines below as soon as possible:
We STRONGLY recommend implementing this immediate Resolution for Windows, Linux, and AIX operating systems.
OpenText recommends replacing all Apache log4j x2.0 to 2.14 with the latest log4j 2.17.x version.
- automatic script
Download the automatic script from one of the following locations:
Windows: opentext_archive_center_log4j_discovery_windows_20220517_log4j_2.17.1.zip
Linux: opentext_archive_center_log4j_discovery_linux_20220321_log4j_2.17.1.zip
NOTE:
Because dpinfo.jar, jdbinstexe.jar, 51NOTS.servtab and ot_acstorage.rar contain internal references to log4j jars, the script cannot identify the
log4j version from the file name as it does for other log4j jar references. It therefore always finds and replaces dpinfo.jar, jdbinstexe.jar,
51NOTS.servtab and ot_acstorage.rar on each run.
*NOTE: The script replaces the log4j jar files with the current one (2.17.1). It does not replace the log4j files in the .war files.
**NOTE: It is strongly recommended that you back up the target directory before running this script.
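One way to verify the result of a replacement run by looking inside archives instead of at file names, including the .war files the script leaves alone. This is an added example, not OpenText's script: it relies on the Maven `pom.properties` paths that Apache Log4j jars normally carry, treats `.rar` as a ZIP-based Java resource adapter archive (an assumption for this product's file), and uses constructed sample archives with hypothetical names.

```python
import io
import re
import zipfile

# Maven metadata and class paths that identify Log4j regardless of file name.
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"
V1_APPENDERS = ("org/apache/log4j/net/JMSAppender.class",
                "org/apache/log4j/jdbc/JDBCAppender.class")
NESTED = (".jar", ".war", ".ear", ".rar", ".zip")  # assumed to be ZIP-based

def _pom_version(zf, pom):
    m = re.search(r"^version=(.+)$", zf.read(pom).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else "unknown"

def scan_archive(data, label, depth=0):
    """Scan archive bytes; return [(path, component, version, appenders)]."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not ZIP-based; inspect with another tool
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM_V2 in names:
            findings.append((label, "log4j-core", _pom_version(zf, POM_V2), []))
        present = [n.rsplit("/", 1)[1] for n in V1_APPENDERS if n in names]
        if POM_V1 in names or present:
            ver = _pom_version(zf, POM_V1) if POM_V1 in names else "unknown"
            findings.append((label, "log4j-1.x", ver, present))
        if depth < 4:  # bound recursion into nested archives
            for n in sorted(names):
                if n.lower().endswith(NESTED):
                    findings += scan_archive(zf.read(n), f"{label}!/{n}", depth + 1)
    return findings

def _zip(entries):
    """Build a constructed test archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():  # constructed sample: Log4j jars inside a neutrally named archive
    core = _zip({POM_V2: b"version=2.14.1\n"})
    v1 = _zip({POM_V1: b"version=1.2.17\n", V1_APPENDERS[0]: b""})
    outer = _zip({"lib/a.jar": core, "lib/b.jar": v1})
    return scan_archive(outer, "tool.jar")
```

To check a real installation, pass each file's bytes and path to `scan_archive`; files it cannot open as ZIP return no findings and need separate inspection.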
- manual modification
Download the hotfix-log4j2-20211230-as-21250.zip (currently containing 2.17.1)
and follow the instructions in the relevant file attached to this article:
*NOTE: Always back up your product installation home directory and your application-server directory, if applicable.
The hotfixes for JMSAppender can be downloaded from the Akamai links below:
Cause
Archive Center 16.2.3 (Archive Center 20.2) uses Log4j 1.2.17 inside the application. Log4j 1.x
comes with JMSAppender.class and JDBCAppender.class, which are not used by Archive Center and
are not exploitable. However, if a customer wishes to use log4j 1.x with the JMSAppender and
JDBCAppender classes removed, this hotfix can be utilized.
Additional Information
Tracking Number
CVE-2021-44228, CVE-2021-4104, CVE-2021-44832, AS-21311, AS-21250, AS-21552, AS-21381
Revision History
2021-12-29 changed Readme "KB19864995-AC_21.2_README-17.txt" and
"KB19864995-ACS_21.2_README-17.txt" according to R&D request
2022-01-04 uploaded the Log4j 2.17.1 libraries and the relevant updated txt files
(KB19864995-ACS_21.2_README-171.txt, KB19864995-AC_21.2_README-171.txt,
KB19864995-ASAPI_21.2_README-171.txt)
2022-02-28 add automatic script option from AS-21381
2022-03-17 uploaded and added new versions of the automatic scripts which include the fix for the
DPInfo tool as also stated in the KB19867428
2022-03-25 uploaded and added new versions of the automatic scripts with enhancements in the
Readme.txt
2022-05-18 upload new automatic script zip
"opentext_archive_center_log4j_discovery_windows_20220517_log4j_2.17.1.zip" because of
enhanced README.txt and add note
2022-06-20 add note as discussed with R&D in AS-22583 to section 21.2: "NOTE: If you upgrade to
AC 21.2, you will find a log4j.jar version 1.x in your <tomcat>/lib folder. As this library is not used by
the version 21.2, you can delete it from this folder."
Attachments
KB19864995-AC_21.2_README-171
KB19864995-ACS_21.2_README-171
KB19864995-ASAPI_21.2_README-171
Keywords
CVE-2021-44228, Vulnerability, log4j, ACS, ASAPI, CVE-2021-4104, CVE-2021-44832,
CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307