
Firefox https://knowledge.opentext.com/knowledge/llisapi.dll/kcs/kbarticle/vie...

Archive Center - Log4j Vulnerability


Article ID: KB19864995

Applies to
Archive Center 21.2

Summary
The Log4j third-party component used by Archive Center to keep a record of activity within the
application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-4104 and CVE-2021-44832.
This issue occurs in (but may not be limited to):

• Archive Center 20.2
• Archive Center 21.2

We validated that Archive Center versions before 20.2, where log4j-1.x.jar is used, are not impacted by CVE-2021-44228. The
JMSAppender in the Log4j third-party component, which is affected by the Critical RCE Vulnerability CVE-2021-4104, has no impact on any
of the following versions:

• Archive Center 16.2
• Archive Center 16
• Archive Server 10.5.0
• Archive Server 10.1.1
• Archive Server 9.7.1
• Archive Server 9.6.1

1 of 5 27/6/2022, 2:51 pm

A threat actor could potentially exploit this vulnerability to remotely execute unauthorized code on systems running Archive Center 20.2
and 21.2.

The following CVEs were added as a result of JIRA AS-21552:

• CVE-2019-17571
• CVE-2020-9488
• CVE-2022-23302
• CVE-2022-23305
• CVE-2022-23307

Resolution
Due to the threat posed by a successful attack, OpenText strongly recommends that customers follow
the guidelines below as soon as possible:

Archive Center 21.2

NOTE: If you upgrade to AC 21.2 from a previous AC version, you will find a log4j.jar version 1.x in your "<tomcat>/lib" folder. As this
library is not used by version 21.2, you can delete it from this folder.

Long Term Mitigation Strategy
Future versions will contain the latest version of Log4j, which will be vulnerability-free.

Short Term Resolution

*NOTE: If you upgrade from a previous version of Archive Center to version 21.2, there is still a log4j.jar version 1.x located in the
<tomcat>/lib folder. This is an outdated library which is not required for AC 21.2. You can delete this log4j.jar from the <tomcat>/lib
folder.

We STRONGLY recommend implementing this immediate Resolution for Windows, Linux, and AIX operating systems.

OpenText recommends replacing all Apache Log4j 2.0 to 2.14 libraries with the latest Log4j 2.17.x version.

There are two options available:

- Automatic script
Download the automatic script from one of the following locations:

Windows: opentext_archive_center_log4j_discovery_windows_20220517_log4j_2.17.1.zip
Linux: opentext_archive_center_log4j_discovery_linux_20220321_log4j_2.17.1.zip

Please refer to the README.txt file for further instructions.


If the find/replace script reports no remaining log4j jar occurrences, the jars have already been replaced with version 2.17.1; in that case
please ignore dpinfo.jar, jdbinstexe.jar, 51NOTS.servtab and ot_acstorage.rar.


NOTE:
As dpinfo.jar, jdbinstexe.jar, 51NOTS.servtab and ot_acstorage.rar contain internal references to log4j jars, the script cannot identify the
log4j version by reading the file name as it does for other log4j jar references. Therefore it always finds/replaces dpinfo.jar, jdbinstexe.jar,
51NOTS.servtab and ot_acstorage.rar in each run.
*NOTE: The script replaces the log4j jar files with the current one (2.17.1). It does not replace the log4j files inside .war files.
**NOTE: It is strongly recommended that you back up the target directory before running this script.

- Manual modification
Download hotfix-log4j2-20211230-as-21250.zip (currently containing Log4j 2.17.1)

and follow the instructions in the relevant file attached to this article:

• KB19864995-AC_21.2_README-171.txt for the Archive Center
• KB19864995-ACS_21.2_README-171.txt for the Archive Cache Server
• KB19864995-ASAPI_21.2_README-171.txt for the Archive Server API

*NOTE: always back up your product installation home directory and your application-server directory, if applicable.

The SHA-256 checksum of the zip file, for your verification:

14529975a146e1a5f1fe949d66aaef1c7030bb3478c9f41953a2f7a2d31c9f62 *hotfix-log4j2-20211230-as-21250.zip

The .txt files contain the checksums of the contents of the zip file as well.
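As an added example (not OpenText's discovery script and not code from this article), the Python below inventories Log4j jars by file name the way the automatic script's find/replace does, but also opens .war/.ear/.jar containers to report jars nested inside them (which the NOTE above says the script does not replace), and for Log4j 1.x jars reports whether the JMSAppender/JDBCAppender classes are still present. The module list in the name pattern, the 2.17.1 cut-off and the sample tree are assumptions or constructed fixtures, not product files.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Jar names the KB's find/replace script keys on (log4j-1.2.17.jar, log4j-core-2.14.1.jar, ...).
LOG4J_NAME = re.compile(r"^log4j(?:-(?:core|api|web|jcl|slf4j-impl|to-slf4j|1\.2-api))?-(\d+(?:\.\d+)+)\.jar$")
FIXED = (2, 17, 1)                            # version the hotfix installs
ARCHIVES = (".war", ".ear", ".jar", ".zip")   # zip-based containers worth opening

def classify(version, members):
    """Describe one log4j jar from its version string and its zip entry names."""
    ver = tuple(int(x) for x in version.split("."))
    if ver[0] == 1:  # 1.x: does it still carry the appender classes behind CVE-2021-4104?
        app = sorted(m for m in members if m.endswith(("JMSAppender.class", "JDBCAppender.class")))
        return f"log4j 1.x {version}; appender classes: {', '.join(app) or 'none'}"
    return f"log4j 2.x {version}: " + ("fixed" if ver >= FIXED else "older than 2.17.1, replace")

def inspect(name, data, location, findings):
    """Record a finding if name is a log4j jar; else recurse into nested archives (e.g. WEB-INF/lib in a .war)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):  # skip corrupt or non-zip files instead of crashing
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        m = LOG4J_NAME.match(name)
        if m:
            findings[location] = classify(m.group(1), zf.namelist())
            return
        for entry in zf.namelist():
            base = entry.rsplit("/", 1)[-1]
            if base.endswith(ARCHIVES):
                inspect(base, zf.read(entry), f"{location}!{entry}", findings)

def scan_tree(root):
    """Map every log4j jar under root (nested ones keyed as outer!entry) to its finding."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in ARCHIVES):
        inspect(path.name, path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings

def zipped(members):  # in-memory zip/jar built from {entry: bytes}; used only for the fixture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in members.items():
            zf.writestr(entry, content)
    return buf.getvalue()

def build_fixture():  # constructed sample tree of placeholder jars, not real product files
    root = Path(tempfile.mkdtemp()); (root / "lib").mkdir()
    (root / "lib/log4j-1.2.17.jar").write_bytes(zipped({"org/apache/log4j/net/JMSAppender.class": b""}))
    (root / "lib/log4j-core-2.14.1.jar").write_bytes(zipped({"META-INF/MANIFEST.MF": b""}))
    (root / "app.war").write_bytes(zipped({"WEB-INF/lib/log4j-core-2.17.1.jar": zipped({"META-INF/MANIFEST.MF": b""})}))
    return root
```

Run `scan_tree` against a product installation root to get the inventory; it only reads, so it can be run before and after the script to confirm nothing older than 2.17.1 remains, including inside deployed .war files.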

Archive Center 20.2

Due to the threat posed by a successful attack, OpenText strongly recommends that customers follow the guidelines below as soon as
possible:

The hotfixes for JMSAppender can be downloaded from the Akamai links below:

• Windows & Linux - https://mimage.opentext.com/support/ecm/secure/patches/ixos/archivecenter/20.2/hotfixes/eccn-26648/hotfix-20211230-as-21311.zip
• AIX - https://mimage.opentext.com/support/ecm/secure/patches/ixos/archivecenter/20.2/hotfixes/eccn-26648/hotfix-20211230-as-21311-aix.zip

Cause
Archive Center 16.2.3 (Archive Center 20.2) uses Log4j 1.2.17 inside the application. Log4j 1.x
comes with JMSAppender.class and JDBCAppender.class, which are not used by Archive Center and
are not exploitable. However, if a customer wishes to use log4j 1.x with the JMSAppender and
JDBCAppender classes removed, this hotfix can be used.

Additional Information

Archive Center 20.2 and lower | JMSAppender in Log4j 1.x vulnerability (CVE-2021-4104):
https://knowledge.opentext.com/knowledge/llisapi.dll/kcs/kbarticle/view/KB19910877
Core Archive: https://knowledge.opentext.com/go/KB19866831
Document Pipeline 21.2: https://knowledge.opentext.com/go/KB19867428
Transactional Content Processing 16.1.0: https://knowledge.opentext.com/go/KB19865944
Web Viewer 21.4: https://knowledge.opentext.com/go/KB19866869
If customers do not want to use log4j 1.x at all, OpenText's recommendation is to upgrade to the latest
Archive Center version (currently 21.2).

Tracking Number
CVE-2021-44228, CVE-2021-4104, CVE-2021-44832, AS-21311, AS-21250, AS-21552, AS-21381

Revision History
2021-12-29 changed Readme "KB19864995-AC_21.2_README-17.txt" and "KB19864995-ACS_21.2_README-17.txt" according to R&D request
2022-01-04 uploaded the Log4j 2.17.1 libraries and the relevant updated txt files (KB19864995-ACS_21.2_README-171.txt, KB19864995-AC_21.2_README-171.txt, KB19864995-ASAPI_21.2_README-171.txt)
2022-02-28 added the automatic script option from AS-21381
2022-03-17 uploaded and added new versions of the automatic scripts which include the fix for the DPInfo tool, as also stated in KB19867428
2022-03-25 uploaded and added new versions of the automatic scripts with enhancements in the Readme.txt
2022-05-18 uploaded new automatic script zip "opentext_archive_center_log4j_discovery_windows_20220517_log4j_2.17.1.zip" because of the enhanced README.txt, and added a note
2022-06-20 added a note as discussed with R&D in AS-22583 to section 21.2: "NOTE: If you upgrade to AC 21.2, you will find a log4j.jar version 1.x in your <tomcat>/lib folder. As this library is not used by the version 21.2, you can delete it from this folder."

Attachments
KB19864995-AC_21.2_README-171
KB19864995-ACS_21.2_README-171

KB19864995-ASAPI_21.2_README-171

Keywords
CVE-2021-44228, Vulnerability, log4j, ACS, ASAPI, CVE-2021-4104, CVE-2021-44832,
CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
