This document describes Product Sustaining’s position relative to the support of a branded application.
Overview
This document addresses concerns about the TIE Server and the vulnerabilities listed below:
Descriptions
- CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. This issue only affects Log4j 1.2 when configured to use JMSAppender, which isn’t the default. Apache Log4j 1.2 reached End of Life in August 2015. Users must upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
- CVE-2019-17571
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When it listens for log data on an untrusted network, this class can be exploited to remotely execute arbitrary code in combination with a deserialization gadget. This issue affects Log4j 1.2 versions up to and including 1.2.17.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
Research and Conclusions
The TIE Server engineering team has reviewed the vulnerabilities and determined that they do not affect TIE Server.
- CVE-2021-4104
TIE Server isn’t vulnerable, because JMSAppender isn’t configured in our log configuration and TIE Server doesn’t use JMSAppender.
- CVE-2019-17571
TIE Server isn’t vulnerable. TIE Server’s use of Log4j is basic: it writes its log to the local file system. In addition, TIE Server doesn’t use the network logging appender.
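As an added example (not TIE Server’s or Apache’s code), the following Python audits a Log4j 1.2 properties configuration for the two conditions the conclusions above rest on: a declared JMSAppender together with its JNDI binding options, and a network logging appender. The sample configurations are constructed for illustration.

```python
import re
# Appender classes named by the two advisories (added example; not TIE Server code).
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104 (JNDI lookups via JMS bindings)",
    "org.apache.log4j.net.SocketAppender": "CVE-2019-17571 (network logging to a SocketServer)",
}
# JMSAppender options that CVE-2021-4104 abuses when the config is attacker-writable.
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.\s=]+)\s*=\s*(\S+)$")
OPTION_RE = re.compile(r"^log4j\.appender\.([^.\s=]+)\.([^\s=]+)\s*=\s*(.*)$")


def parse_appenders(config: str) -> dict[str, dict[str, str]]:
    """Map appender name -> {"class": ..., option: value} from log4j.properties text."""
    appenders: dict[str, dict[str, str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # comments and blanks
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders.setdefault(m.group(1), {})["class"] = m.group(2)
            continue
        m = OPTION_RE.match(line)
        if m:
            appenders.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return appenders


def audit(config: str) -> list[str]:
    """Return findings; empty when only local appenders (file, console) are declared."""
    findings = []
    for name, props in parse_appenders(config).items():
        cls = props.get("class", "")
        if cls in RISKY_APPENDERS:
            findings.append(f"{name}: {cls} -> {RISKY_APPENDERS[cls]}")
        for key in JNDI_KEYS:
            if key in props:
                findings.append(f"{name}: JNDI option {key}={props[key]}")
    return findings


# Constructed sample configs: a local rolling file appender, then one that adds JMSAppender.
SAFE_CONFIG = """log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=/var/log/example/app.log
"""
RISKY_CONFIG = SAFE_CONFIG + """log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
log4j.appender.JMS.TopicConnectionFactoryBindingName=ConnectionFactory
"""
```

`audit(SAFE_CONFIG)` returns no findings, while `audit(RISKY_CONFIG)` reports the JMSAppender declaration and both JNDI binding options.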