Log4Shell (CVE-2021-44228) - How is PaperCut Affected?

Note: We will continue to update this KB as new information becomes available
Latest update: 20 May 2022 14:00 AEDT

Latest log4j fix update (March 24th, 2022)

  • PaperCut MF/NG version 21.2.8 maintenance release is now publicly available. This maintenance release includes all fixes from previous releases, including log4j 2.17.1 - and in addition removes any dependencies on log4j 1.x. Please note that after upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed - e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
  • Payment Gateway module version 219 - updated (Jan 27th) version of the Payment Gateway module to install only required if you are currently using version 207, 210, 213 or 214 of the Payment Gateway (see the ‘Do I need to upgrade the Payment Gateway module?’ question in the FAQs).


PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.

This issue can lead to remote code execution or information disclosure on the system running software containing the log4j component where a malicious actor can control any string that is logged. At this point in time our initial triage shows that only PaperCut MF and PaperCut NG have dependencies on the Apache Log4j component.

This Knowledge Base article outlines the impact of this vulnerability on PaperCut products. This is a rapidly evolving situation, we recommend that you revisit this page often for the most current information.

Product Status

Which PaperCut products are impacted?

ProductStatusAction
PaperCut MF (version 21.0.0 up to and including version 21.2.1)ImpactedSee recommendations
PaperCut NG (version 21.0.0 up to and including version 21.2.1)ImpactedSee recommendations
PaperCut MF (version 20.1.6 or earlier)Not impactednone
PaperCut NG (version 20.1.6 or earlier)Not impactednone
PaperCut HiveNot impactednone
PaperCut PocketNot impactednone
PaperCut ViewsNot impactednone
PaperCut Print LoggerNot impactednone
PaperCut Mobility PrintNot impactednone
PaperCut MultiverseNot impactednone
PaperCut Online Services (Scan to Cloud, OCR)Not impactednone

PaperCut NG/MF Components:

ComponentStatusAction
Site Server (version 21.0.0 up to and including version 21.2.1)ImpactedApply the same Application Server fix to the Site Server.
Site Server (version 20.1.6 or earlier)Not impactednone
Job Ticketing (all versions)Not impactednone
Payment gateways (version 207 or later)Not impacted, but upgrade recommended for versions 207, 210, 213, 214See the FAQ section for the ‘Do I need to upgrade the Payment Gateway module’ question.
Payment gateways (version 206 or earlier)Not impactednone
Web Print sandbox (all versions)Not impactednone
Release stations (version 21.0.0 up to and including version 21.2.1)ImpactedSee recommendations
Release stations (version 20.1.6 or earlier)Not impactednone
Release station (Raspberry Pi specific)ImpactedSee Run a PaperCut NG or MF Release Station from a Raspberry Pi for the latest image which includes log4j 2.17.1.
User clients (all versions)Not impactedSee FAQ for more info

Recommendations

Application Server and Site Server Fix

If you are running PaperCut NG or MF version 21.0.0 or later, we highly recommend applying the latest maintenance release (21.2.5).

There have been attacks developed which can circumvent the config change in Option 1, so to close these additional attack vectors we recommend Option 2 - which is that anyone using PaperCut NG/MF 21.x should upgrade to the latest available maintenance release (21.2.5) - through whichever method you normally use to perform upgrades.

We do believe that applying Option 1 (Mitigate via Configuration Change) is the most immediate (but temporary) solution. This fix protects against some cases of exploitation being discussed online. This solution involves a simple configuration change that will effectively mitigate the vulnerability in the affected software, rather than apply a full update to an existing PaperCut NG/MF installation. This change only involves a restart of the application server and minimal impact on the operation of your print solution.

As soon as you are able to - we recommend upgrading to 21.2.5.

Option 1 - Mitigate via Configuration Change

Only use this option if you’re unable to immediately upgrade to 21.2.5.

Windows:

  1. Stop the PaperCut application server (or Site Server).
  2. Navigate to the /server/bin/win folder.
  3. Open the service.conf file in that folder for editing (you will need to open it as Administrator).
  4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  6. Save the file.
  7. Start the PaperCut application server (or Site Server).

macOS:

  1. Stop the PaperCut application server (or Site Server).
  2. Navigate to the /server/custom folder.
  3. Open the launch-app-server.conf file for editing.
  4. Add the following line to the end of the file:
    PC_CUSTOM_SERVER_ARG=-Dlog4j2.formatMsgNoLookups=true
  5. Save the file.
  6. Start the PaperCut application server (or Site Server).

Linux:

  1. Stop the PaperCut application server.
  2. Navigate to the /server/bin/linux-x64 folder (or the linux-i686 or linux-common folder, depending on distro).
  3. Open the app-monitor.conf file in that folder for editing.
  4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X
  5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
  6. Save the file.
  7. Start the PaperCut application server.

Option 2 - Upgrade to PaperCut NG/MF version 21.2.5

  1. Upgrade to version 21.2.5 through your usual upgrade procedures, as soon as possible.

Release Station Fix

Option 1 - Mitigate via Configuration Change

Only use this option if you’re unable to immediately upgrade to 21.2.5.

Windows

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open pc-release.lap
  3. Add a new line at the end of the file: -Dlog4j2.formatMsgNoLookups=true
  4. Save the file.
  5. Repeat the steps above for each of these files: pc-pay-station.lap; pc-release-manager.lap; pc-release-secure.lap
  6. Restart the release station

macOS

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open the pc-release-mac.command file.
  3. Find the section at the bottom of the file commented with # Run the program
  4. After the line -Djava.locale.providers=COMPAT,SPI \, insert a new line with:
    -Dlog4j2.formatMsgNoLookups=true \
  5. Save the file.
  6. Restart the release station.

Linux

  1. For each deployed release station, navigate to the folder containing the release station.
  2. Open the pc-release-linux.sh file.
  3. Find the section at the bottom of the file commented with # Run the program
  4. After the line -Djava.locale.providers=COMPAT,SPI \, insert a new line with:
    -Dlog4j2.formatMsgNoLookups=true \
  5. Save the file.
  6. Repeat the steps above for the pc-release-cmd-line.sh file.
  7. Restart the release station.

Option 2 - Upgrade to PaperCut NG/MF version 21.2.5

  1. Apply the configuration change listed in Option 1 (Release Station fix) above to mitigate the most serious vulnerability.
  2. Schedule an upgrade to version 21.2.5 through your usual upgrade procedures.

Once you have upgraded to a PaperCut server version containing the patched libraries, delete and redeploy all release stations using the release station package from the server.

FAQs

Q Is there any impact from applying this fix?

No - there is no impact to PaperCut products. All products will continue to work with zero impact.

Q I have applied the 21.2.5 maintenance release, but I don’t see the config changes applied. Am I protected?

Yes - in the above recommendations, you can apply an immediate config change (Option 1) which involves updating config files with the formatMsgNoLookups string. The preferred method, which is to install 21.2.5, actually includes log4j version 2.17.1 which includes the fix internally, so you will not see the Option 1 config changes after applying the maintenance release. This is expected behavior.

Q I am running the PaperCut User client and see that it’s using log4j 2.x - why does the table above say that the User Client is not impacted?

Good catch! Due to the way our build system works, the User Client actually ships with log4j 1.x and log4j 2.x libraries. The User Client in practice only uses the log4j 1.x libs, so is not impacted by the vulnerability. We do not use the log4j 2.x libs in the User Client - which means it is not vulnerable to attack.

In order to completely remove the log4j 1.x libraries, you’ll need to update to PaperCut NG/MF version 21.2.8.

Q Do I need to upgrade the Payment Gateway module?

  1. Check the Payment Gateway version that you have installed - head into your Application Server file system: [MF/NG installation directory]/server/lib-ext and open the file ext-payment-gateway-version.txt.
  2. Check the line with version-build=
  • IF you are using a gateway with a build number 207 or later (but earlier than 219) then you are not at risk from the vulnerability, however versions of log4j 2.x are included (but not used) in this build, since November 2021. To be completely safe (and to avoid vulnerability scanners flagging this impact) we recommend upgrading to the latest version of the Payment Gateway (219), as detailed through Step 2 of the Setting up the Payment Gateway module article. Version 219 removes the unnecessary log4j files from the gateway installation.
  • IF you are using a gateway with a build number lower than 207, then you are not at risk from the vulnerability, and log4j 2.x libraries are not included in the gateway module.

Note: Version 213 of the Payment Gateway module includes log4j version 2.16. Version 214 of the Payment Gateway module includes log4j version 2.17. Version 219 removes the Payment Gateway installation log4j jar files entirely, and relies on the log4j version installed with the MF/NG Application Server.

Note: This is completely independent from the Application Server version - so even if you are running version 21.2.5 (patched) of the App Server, if you are running a Payment Gateway module version between 207 and 214, we recommend applying the Payment Gateway upgrade too. Alternatively if you are using an earlier non-impacted version of the App Server (e.g. version 20.x or earlier) and you are using a Payment Gateway module version between 207 and 214, we also recommend applying the Payment Gateway upgrade but you do not need to upgrade the Application Server.

Q I see that some PaperCut products use Apache Log4j 1.x, isn’t that also vulnerable to CVE-2021–4104?

No. PaperCut products are not vulnerable to this issue. Version 1.x of Apache Log4j did not include the JNDI lookup functionality that is at the root of Log4Shell. CVE-2021-4104 has been raised to differentiate these issues. The write up by Synk indicates that there is a possibility of a similar style of compromise if the JMSAppender library is present and an attacker can manipulate the TopicBindingName or TopicConnectionFactoryBindingName. PaperCut software does not use JMSAppender or reference the TopicBindingName or TopicConnectionFactoryBindingName. This means there is no known vector to manipulate this vulnerability in PaperCut software. The only other scenario would be if an attacker would have write access to configuration files in order to update the Log4j configuration and this would require an attacker to already be able to access the system.

Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed. e.g: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app

Q Why does my vulnerability scanner show Log4j (e.g. log4j 1.x) as being vulnerable on a version listed as ‘not impacted’ in the table above?

Some vulnerability scanners are showing any version of Log4j before 2.15 as vulnerable. This finding is not supported by any in-depth analysis and may be due to how the data is read from the NVD database. For why version 1.x of Apache Log4j is not vulnerable see the previous FAQ question.

Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed. e.g: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app

In addition, you can manually remove these if needed:

However, if you are wanting to remove any 1.x log4j files (even if they are not vulnerable) because they are getting picked up by security scanners, you can potentially remove them based on the below. Note that the paths are examples and your installation path may differ.

If you are not using the Ricoh remote operation tools, or Sharp configuration tools (or if you don’t have Ricoh or Sharp devices at all), you can safely remove these files:

C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\403046912\log4j-1.2.13.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\remote-operation-client\lib\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\server\deployment\sharp\lib\sharp-configuration-tool-all.jar
C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\deprecated\403046656\log4j-1.2.13.jar


If you are not using the macOS User Client Software, you can remove these files:

C:\Program Files\PaperCut MF\client\mac\PCClient.app\Contents\Java\log4j-1.2.17.jar
C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app\Contents\Resources\Java\log4j-1.2.13.jar


If you are not using the Linux User Client Software, you can remove this file:

C:\Program Files\PaperCut MF\client\linux\lib\log4j-1.2.17.jar


If you are not using the Windows User Client Software, you can remove this file:

C:\Program Files\PaperCut MF\client\win\lib\log4j-1.2.17.jar


Please note that the 21.2.8 release of PaperCut MF/NG now removes these dependencies on log4j 1.x.

Q Why does my vulnerability scanner show my Payment Gateway install as vulnerable (in the lib-ext folder)?

If you have upgraded the Payment Gateway (see questions above) you may have multiple versions of log4j*.jar files in the [MF or NG install]/server/lib-ext/ directory. If this is the case, you can safely remove the older versions which are no longer needed.

Note that you may need to stop the PaperCut Application Server service to successfully remove the older files.

You can safely delete instances of the log4j .jar files. Alternatively if you install version 219 of the Payment Gateway module on Windows (see the Payment Gateway question above), it will automatically remove the unnecessary jar files. If you’re wanting to remove these manually, these can be safely removed:

  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar
  • log4j-api-2.13.3.jar
  • log4j-core-2.13.3.jar
  • log4j-slf4j-impl-2.13.3.jar
  • log4j-api-2.17.0.jar
  • log4j-core-2.17.0.jar
  • log4j-slf4j-impl-2.17.0.jar

Q I have the latest version of Java - doesn’t that protect me against Log4Shell?

No. There have been examples of executing this under any version of java. The only way to prevent this issue in PaperCut Products is to apply the recommendations outlined in this knowledge base article.

Q Is PaperCut affected by the Log4j 1.2 SocketServer vulnerability (CVE-2019–17571)?

A vulnerability was discovered (originally in 2019) in the SocketServer functionality of Log4j. This has been documented officially on the NIST site here: CVE-2019-17571.

This vulnerability requires the Apache Log4j component to be configured to listen for logging events on a socket. PaperCut Products do not use this feature of Log4j and as such the vulnerability CVE-2019–17571 does not affect PaperCut Products.

Please see our Known Issue PO-693 for more information on this.

Q Is PaperCut affected by CVE-2021–45046?

Yes. We became aware of this issue on the morning of the 15th of December AEST (see here for info: CVE-2021-45046). This new issue is currently only rated moderate severity( CVSS: 3.7 ) and would result in a Denial of Service to the PaperCut MF/NF Application or Site Servers in certain circumstances. Due to the severity of Log4Shell (CVE-2021–44228) we strongly recommend that you do not wait to apply the mitigation for Log4Shell.

Please note: We have addressed this vulnerability in the maintenance release - PaperCut MF/NG version 21.2.3 (which uses log4j 2.16).

Q Is PaperCut affected by CVE-2021–45105?

Yes. This vulnerability has been raised online - see details on CVE-2021-45105. This vulnerability is present in log4j 2.16 (used by PaperCut MF/NG version 21.2.3).

Please note: We have addressed this vulnerability in the maintenance release - PaperCut MF/NG version 21.2.4 (which uses log4j 2.17).

Q What is the difference between the MF/NG versions relating to log4j fixes?

VersionContentsLog4j version
PaperCut MF/NG version 21.2.3Resolves CVE-2021–44228 and CVE-2021–45046log4j 2.16
PaperCut MF/NG version 21.2.4Resolves CVE-2021–45105 (and the previous two vulnerabilities)log4j 2.17
PaperCut MF/NG version 21.2.5Resolves CVE-2021–44832 (and the previous three vulnerabilities)log4j 2.17.1
PaperCut MF/NG version 21.2.6Unintentionally includes log4j 2.17.0. We are looking to replace this with a 21.2.7 build asap which will include log4j 2.17.1. See the known issue about this.log4j 2.17.0
PaperCut MF/NG version 21.2.7Includes all the fixes in 21.2.6 and corrects the log4j version in uselog4j 2.17.1
PaperCut MF/NG version 21.2.8Includes all the fixes in 21.2.7 and removes all dependencies on log4j 1.x librarieslog4j 2.17.1
PaperCut MF/NG version 21.2.9 and .10Includes all the fixes in 21.2.8 and resolves the Spring4Shell vulnerabilitylog4j 2.17.1

Q Are any PaperCut products affected by CVE-2021–44832?

Security researchers have flagged that log4j version 2.17 and earlier can have a remote exploitation vulnerability enabled *if* an attacker is able to edit the log4j config files.

The relevant configuration is not present in any PaperCut products, and an attacker would therefore need file write access (i.e. Administrator level access) to a site’s PaperCut server in order to make the necessary changes and restart the server. As an attacker in this position must already have high level access to the customer environment in order to enable the vulnerability, we consider this a very low risk for PaperCut customers.

Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.5 (which uses log4j 2.17.1).

Q Why has the Ricoh SDK/J installer been removed from the PaperCut MF installation?

As per the release note with 21.2.6, we have now removed Ricoh SDK/J v2 (which has been deprecated) from the MF installs on Windows, Linux and macOS [PO-727]. This deprecated (Ricoh deprecated SDK/J a while ago) version was getting flagged by vulnerability scanners, so the client package has now been removed from the server installation. For customers still running SDK/J machines needing the SDK/J package, this can be downloaded here.

Q How is papercut affected by the following security issues that affect log4j 1.x?

The PaperCut MF client does use Log4j 1.x (prior to 21.2.8). Please note that log4j 1.x libraries have now been completely removed with the 21.2.8 maintenance release of PaperCut MF/NG. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g: C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app.

There are some vulnerabilities that affect Log4j 1.x, explanations on how PaperCut MF is affected by these are in the table below.

CVEResponse
CVE-2022–23307This is related to a component called chainsaw. Chainsaw is program for viewing logs in a graphical user interface. PaperCut MF does not use chainsaw.
CVE-2022–23302This issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. PaperCut MF does not configure Log4j to use JMSSink and is not affected by this issue.
CVE-2022–23305This issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. PaperCut MF does not configure Log4j to use JDBCAppender and is not affected by this issue.

References

Security Updates

In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.

Updates

DateUpdate/Action
10th December 2021 15:27 AEDTIssue reported internally to the security and product team. Initial triage commenced with the intent of providing a known issue posting with mitigation advice.
10th December 2021 16:47 AEDTPublished Known Issue bulletin for PaperCut NG/MF.
11th-12th December 2021Monitored unfolding updates regarding the issue.
13th December 2021 19:14 AEDTPublished this KB article for all products. Produced HotFix for PaperCut NG/MF for customers unable to perform the workaround.
14th December 2021Updated information around Release Station and User client status and mitigations.
14th December 2021Added FAQ section with extra information.
15th December 2021Added link to security subscription form.
15th December 2021 12:00 AEDTUpdated info about CVE-2021–45046
15th December 2021 12:25 AEDTUpdated info about available fixes
15th December 2021 16:01 AEDTUpdated FAQ entry on Log4j 1.x CVE-2021–4104
15th December 2021 16:40 AEDTUpdated with the PaperCut MF/NG 21.2.3 maintenance release information (uses log4j 2.16).
17th December 2021 13:30 AEDTUpdated with the latest Payment Gateway build information
18th December 2021 18:50 AEDTUpdated to include info about CVE-2021–45105
20th December 2021 14:00 AEDTUpdated with latest Payment Gateway module release (version 214) which contains log4j 2.17.
21st December 2021 11:30 AEDTUpdated with the paperCut MF/NG 21.2.4 maintenance release information (uses log4j 2.17).
22nd December 2021 12:00 AEDTIncluded FAQ about cleaning up older log4j versions from the Payment Gateway installation folder.
22nd December 2021 18:50 AEDTReviewed use of Logback in PaperCut products. Determined that at this point no action is required.
30th December 2021 07:30 AEDTReviewed potential impact of CVE-2021–44832. Determined that at this point no action is required.
12th January 2022 11:00 AEDTAdded note confirming we hope to have MF/NG builds available by end of Jan at the latest (to include log4j 2.17.1) and by the end of March 2022 (which will also remove any log4j 1.x dependencies).
27th January 2022 11:00 AEDTUpdated with the PaperCut MF/NG 21.2.5 maintenance release information (uses log4j 2.17.1).
27th January 2022 18:00 AEDTUpdated with the latest Payment Gateway version 219 information (removes log4j).
31st January 2022 10:00 AEDTUpdated with information on Log4j 1.x vulnerabilities.
2nd Feb 2022 12:00 AEDTUpdated to include info on manually removing log4j 1.x files if required / if possible.
7th Feb 2022 16:00 AEDTUpdated with a note about the Raspberry Pi release station image - which has now been updated to log4j 2.17.1.
24th Feb 2022 15:00 AEDTUpdated with a note about 21.2.6 unintentionally including log4j 2.17.0, and a reference to the known issue.
28th Feb 2022 11:00 AEDTUpdated with the PaperCut MF/NG 21.2.7 maintenance release (includes log4j 2.17.1) and closed out the known issue.
28th Feb 2022 11:00 AEDTUpdated to include a note about the removal of the Ricoh SDK/J install package from the build since 21.2.6.
24th March 2022 16:00 AEDTUpdated with the PaperCut MF/NG 21.2.8 maintenance release, which removes all log4j 1.x dependencies.
20 May 2022 14:00 AEDTAdded information about the 21.2.10 build related to the Spring4Shell vulnerability.

Categories: Troubleshooting Articles, Security and Privacy

Keywords:

Comments