Log4Shell (CVE-2021-44228) - How is PaperCut Affected?
Latest update: 10 Jan 2023 16:00 AEDT
PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.
This issue can lead to remote code execution or information disclosure on the system running software containing the log4j component where a malicious actor can control any string that is logged. At this point in time our initial triage shows that only PaperCut MF and PaperCut NG have dependencies on the Apache Log4j component.
This Knowledge Base article outlines the impact of this vulnerability on PaperCut products. This is a rapidly evolving situation; we recommend that you revisit this page often for the most current information.
Product Status
Which PaperCut products are impacted?
| Product | Status | Action |
| --- | --- | --- |
| PaperCut MF (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations |
| PaperCut NG (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations |
| PaperCut MF (version 20.1.6 or earlier) | Not impacted | none |
| PaperCut NG (version 20.1.6 or earlier) | Not impacted | none |
| PaperCut Hive | Not impacted | none |
| PaperCut Pocket | Not impacted | none |
| PaperCut Views | Not impacted | none |
| PaperCut Print Logger | Not impacted | none |
| PaperCut Mobility Print | Not impacted | none |
| PaperCut Multiverse | Not impacted | none |
| PaperCut Online Services (Scan to Cloud, OCR) | Not impacted | none |
PaperCut NG/MF Components:
| Component | Status | Action |
| --- | --- | --- |
| Site Server (version 21.0.0 up to and including version 21.2.1) | Impacted | Apply the same Application Server fix to the Site Server. |
| Site Server (version 20.1.6 or earlier) | Not impacted | none |
| Job Ticketing (all versions) | Not impacted | none |
| Payment gateways (version 207 or later) | Not impacted, but upgrade recommended for versions 207, 210, 213, 214 | See the FAQ section for the ‘Do I need to upgrade the Payment Gateway module’ question. |
| Payment gateways (version 206 or earlier) | Not impacted | none |
| Web Print sandbox (all versions) | Not impacted | none |
| Release stations (version 21.0.0 up to and including version 21.2.1) | Impacted | See recommendations |
| Release stations (version 20.1.6 or earlier) | Not impacted | none |
| Release station (Raspberry Pi specific) | Impacted | See Run a PaperCut NG or MF Release Station from a Raspberry Pi for the latest image, which includes log4j 2.17.1. |
| User clients (all versions) | Not impacted | See FAQ for more info |
Recommendations
Application Server and Site Server Fix
If you are running PaperCut NG or MF version 21.0.0 or later, we highly recommend applying the latest maintenance release (21.2.5).
There have been attacks developed which can circumvent the config change in Option 1, so to close these additional attack vectors we recommend Option 2: anyone using PaperCut NG/MF 21.x should upgrade to the latest available maintenance release (21.2.5) through whichever method you normally use to perform upgrades.
We do believe that applying Option 1 (Mitigate via Configuration Change) is the most immediate (but temporary) solution. This fix protects against some of the cases of exploitation being discussed online. It involves a simple configuration change that effectively mitigates the vulnerability in the affected software, rather than applying a full update to an existing PaperCut NG/MF installation. The change only requires a restart of the application server and has minimal impact on the operation of your print solution.
As soon as you are able to, we recommend upgrading to 21.2.5.
Option 1 - Mitigate via Configuration Change
Only use this option if you’re unable to immediately upgrade to 21.2.5.
Windows:
- Stop the PaperCut application server (or Site Server).
- Navigate to the /server/bin/win folder.
- Open the service.conf file in that folder for editing (you will need to open it as Administrator).
- Find the line that looks like this:
wrapper.java.additional.21=-Dpc-reserved=X
- Replace it with this:
wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
- Save the file.
- Start the PaperCut application server (or Site Server).
macOS:
- Stop the PaperCut application server (or Site Server).
- Navigate to the /server/custom folder.
- Open the launch-app-server.conf file for editing.
- Add the following line to the end of the file:
PC_CUSTOM_SERVER_ARG=-Dlog4j2.formatMsgNoLookups=true
- Save the file.
- Start the PaperCut application server (or Site Server).
Linux:
- Stop the PaperCut application server.
- Navigate to the /server/bin/linux-x64 folder (or the linux-i686 or linux-common folder, depending on distro).
- Open the app-monitor.conf file in that folder for editing.
- Find the line that looks like this:
wrapper.java.additional.21=-Dpc-reserved=X
- Replace it with this:
wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true
- Save the file.
- Start the PaperCut application server.
Option 2 - Upgrade to PaperCut NG/MF version 21.2.5
- Upgrade to version 21.2.5 through your usual upgrade procedures, as soon as possible.
Release Station Fix
Option 1 - Mitigate via Configuration Change
Only use this option if you’re unable to immediately upgrade to 21.2.5.
Windows
- For each deployed release station, navigate to the folder containing the release station.
- Open the pc-release.lap file.
- Add a new line at the end of the file:
-Dlog4j2.formatMsgNoLookups=true
- Save the file.
- Repeat the steps above for each of these files: pc-pay-station.lap, pc-release-manager.lap, pc-release-secure.lap
- Restart the release station.
macOS
- For each deployed release station, navigate to the folder containing the release station.
- Open the pc-release-mac.command file.
- Find the section at the bottom of the file commented with:
# Run the program
- After the line:
-Djava.locale.providers=COMPAT,SPI \
insert a new line with:
-Dlog4j2.formatMsgNoLookups=true \
- Save the file.
- Restart the release station.
Linux
- For each deployed release station, navigate to the folder containing the release station.
- Open the pc-release-linux.sh file.
- Find the section at the bottom of the file commented with:
# Run the program
- After the line:
-Djava.locale.providers=COMPAT,SPI \
insert a new line with:
-Dlog4j2.formatMsgNoLookups=true \
- Save the file.
- Repeat the steps above for the pc-release-cmd-line.sh file.
- Restart the release station.
Option 2 - Upgrade to PaperCut NG/MF version 21.2.5
- Apply the configuration change listed in Option 1 (Release Station fix) above to mitigate the most serious vulnerability.
- Schedule an upgrade to version 21.2.5 through your usual upgrade procedures.
Once you have upgraded to a PaperCut server version containing the patched libraries, delete and redeploy all release stations using the release station package from the server.
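The file edits in both Option 1 procedures above (Application Server/Site Server and Release Station) can be applied and re-checked with a script; the following Python helper is an added example, not PaperCut's own tooling. The file-kind names, the sample file contents and the placeholder jar name in the script sample are assumptions of this example.

```python
"""Apply the Option 1 mitigation (-Dlog4j2.formatMsgNoLookups=true) to the
files edited in the Application Server and Release Station procedures above.
Hypothetical helper written for this article, not PaperCut tooling. It is
idempotent: running it again on a mitigated file changes nothing."""
import re

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# service.conf (Windows) / app-monitor.conf (Linux): the line to replace
WRAPPER_RE = re.compile(r"^(wrapper\.java\.additional\.21=)[^\r\n]*", re.M)
# pc-release-mac.command / pc-release-linux.sh / pc-release-cmd-line.sh:
# the flag goes on a new line right after this one (under "# Run the program")
LOCALE_LINE = "-Djava.locale.providers=COMPAT,SPI \\"


def mitigate(kind, text):
    """Return (new_text, changed) for one file's contents. kind is one of
    "wrapper" (service.conf, app-monitor.conf), "launch" (launch-app-server.conf),
    "lap" (pc-release*.lap files) or "script" (release station launcher scripts)."""
    if FLAG in text:
        return text, False                      # already mitigated
    if kind == "wrapper":
        new, n = WRAPPER_RE.subn(lambda m: m.group(1) + FLAG, text, count=1)
        if n == 0:
            raise ValueError("wrapper.java.additional.21 line not found")
        return new, True
    if kind in ("launch", "lap"):
        line = ("PC_CUSTOM_SERVER_ARG=" if kind == "launch" else "") + FLAG
        sep = "" if not text or text.endswith("\n") else "\n"
        return text + sep + line + "\n", True   # append as the last line
    if kind == "script":
        lines = text.splitlines(keepends=True)
        for i, line in enumerate(lines):
            if line.strip() == LOCALE_LINE:
                indent = line[: len(line) - len(line.lstrip())]
                lines.insert(i + 1, indent + FLAG + " \\\n")  # keep the continuation
                return "".join(lines), True
        raise ValueError("-Djava.locale.providers line not found")
    raise ValueError(f"unknown file kind: {kind}")


def mitigate_file(path, kind):
    """Rewrite one file in place and report whether it changed. Stop the
    application server or release station first, as the steps above say."""
    with open(path, encoding="utf-8", newline="") as f:
        new, changed = mitigate(kind, f.read())
    if changed:
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(new)
    return changed


# Constructed samples for a dry run (not copied from a real installation).
SAMPLE_WRAPPER = ("wrapper.java.command=java\n"
                  "wrapper.java.additional.21=-Dpc-reserved=X\n")
SAMPLE_SCRIPT = ("# Run the program\n"
                 "java \\\n"
                 "  -Djava.locale.providers=COMPAT,SPI \\\n"
                 "  -jar placeholder.jar\n")
```

Call mitigate_file on each real path with the matching kind, then restart the service; a second run reports no change, which doubles as a check that the mitigation is in place.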
FAQs
Q Is there any impact from applying this fix?
No - there is no impact to PaperCut products. All products will continue to work with zero impact.
Q I have applied the 21.2.5 maintenance release, but I don’t see the config changes applied. Am I protected?
Yes - in the above recommendations, you can apply an immediate config change (Option 1) which involves updating config files with the formatMsgNoLookups string. The preferred method, which is to install 21.2.5, includes log4j version 2.17.1, which contains the fix internally, so you will not see the Option 1 config changes after applying the maintenance release. This is expected behavior.
Q I am running the PaperCut User client and see that it’s using log4j 2.x - why does the table above say that the User Client is not impacted?
Good catch! Due to the way our build system works, the User Client actually ships with log4j 1.x and log4j 2.x libraries. The User Client in practice only uses the log4j 1.x libs, so is not impacted by the vulnerability. We do not use the log4j 2.x libs in the User Client - which means it is not vulnerable to attack.
In order to completely remove the log4j 1.x libraries, you’ll need to update to PaperCut NG/MF version 21.2.8.
Q Do I need to upgrade the Payment Gateway module?
- Check the Payment Gateway version that you have installed. In your Application Server file system, go to [MF/NG installation directory]/server/lib-ext and open the file ext-payment-gateway-version.txt.
- Check the line that starts with version-build=
- IF you are using a gateway with a build number 207 or later (but earlier than 219), then you are not at risk from the vulnerability; however, versions of log4j 2.x have been included (but not used) in this build since November 2021. To be completely safe (and to avoid vulnerability scanners flagging this), we recommend upgrading to the latest version of the Payment Gateway (219), as detailed in Step 2 of the Setting up the Payment Gateway module article. Version 219 removes the unnecessary log4j files from the gateway installation.
- IF you are using a gateway with a build number lower than 207, then you are not at risk from the vulnerability, and log4j 2.x libraries are not included in the gateway module.
Note: Version 213 of the Payment Gateway module includes log4j version 2.16. Version 214 of the Payment Gateway module includes log4j version 2.17. Version 219 removes the log4j jar files from the Payment Gateway installation entirely and relies on the log4j version installed with the MF/NG Application Server.
Note: This is completely independent of the Application Server version, so even if you are running version 21.2.5 (patched) of the App Server, if you are running a Payment Gateway module version between 207 and 214, we recommend applying the Payment Gateway upgrade too. Alternatively, if you are using an earlier non-impacted version of the App Server (e.g. version 20.x or earlier) and a Payment Gateway module version between 207 and 214, we also recommend applying the Payment Gateway upgrade, but you do not need to upgrade the Application Server.
Q I see that some PaperCut products use Apache Log4j 1.x, isn’t that also vulnerable to CVE-2021-4104?
No. PaperCut products are not vulnerable to this issue. Version 1.x of Apache Log4j did not include the JNDI lookup functionality that is at the root of Log4Shell. CVE-2021-4104 has been raised to differentiate these issues. The write-up by Snyk indicates that there is a possibility of a similar style of compromise if the JMSAppender library is present and an attacker can manipulate the TopicBindingName or TopicConnectionFactoryBindingName. PaperCut software does not use JMSAppender or reference the TopicBindingName or TopicConnectionFactoryBindingName. This means there is no known vector to exploit this vulnerability in PaperCut software. The only other scenario would be if an attacker had write access to configuration files in order to update the Log4j configuration, and this would require the attacker to already have access to the system.
Note: PaperCut NG/MF version 21.2.8 now completely removes any log4j 1.x dependencies. Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
Q Why does my vulnerability scanner show Log4j (e.g. log4j 1.x) as being vulnerable on a version listed as ‘not impacted’ in the table above?
- PaperCut NG/MF version 21.2.8 completely removes any log4j 1.x dependencies (apart from the legacy Mac client). Please install this latest version if you are concerned about vulnerability scanners flagging the log4j 1.x libraries. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app
- PaperCut NG/MF version 22.0.8 completely removes the legacy Mac client so that this removal doesn’t have to be done manually.
Note: If you have a very old installation of PaperCut which has been upgraded and upgraded over the years, it may still have the old ’net’ control module (which allowed you to monitor internet bandwidth). This product was announced end-of-life in 2011, and has no functionality in more recent versions of PaperCut (since 2012). The ’net’ folder can safely be removed (take a server backup just in case). Note that this path is an example and your installation path may differ:
- C:\Program Files\PaperCut MF\providers\net\*
Otherwise, if you want to remove any 1.x log4j files (even though they are not vulnerable) because they are getting picked up by security scanners, you can potentially remove them based on the list below. Note that the paths are examples and your installation path may differ.
If you are not using the Ricoh remote operation tools, or Sharp configuration tools (or if you don’t have Ricoh or Sharp devices at all), you can safely remove these files:
- C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\403046912\log4j-1.2.13.jar
- C:\Program Files\PaperCut MF\providers\hardware\ricoh\remote-operation-client\lib\log4j-1.2.17.jar
- C:\Program Files\PaperCut MF\server\deployment\sharp\lib\sharp-configuration-tool-all.jar
- C:\Program Files\PaperCut MF\providers\hardware\ricoh\sdkj\deprecated\403046656\log4j-1.2.13.jar
If you are not using the macOS User Client Software, you can remove these files:
- C:\Program Files\PaperCut MF\client\mac\PCClient.app\Contents\Java\log4j-1.2.17.jar
- C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app\Contents\Resources\Java\log4j-1.2.13.jar
If you are not using the Linux User Client Software, you can remove this file:
- C:\Program Files\PaperCut MF\client\linux\lib\log4j-1.2.17.jar
If you are not using the Windows User Client Software, you can remove this file:
- C:\Program Files\PaperCut MF\client\win\lib\log4j-1.2.17.jar
Please note that the 21.2.8 release of PaperCut MF/NG now removes these dependencies on log4j 1.x, and version 22.0.8 additionally removes the legacy Mac client.
Q Why does my vulnerability scanner show my Payment Gateway install as vulnerable (in the lib-ext folder)?
If you have upgraded the Payment Gateway (see questions above) you may have multiple versions of log4j*.jar files in the [MF or NG install]/server/lib-ext/ directory. If this is the case, you can safely remove the older versions which are no longer needed.
Note that you may need to stop the PaperCut Application Server service to successfully remove the older files.
You can safely delete the older instances of the log4j .jar files. Alternatively, if you install version 219 of the Payment Gateway module on Windows (see the Payment Gateway question above), it will automatically remove the unnecessary jar files. If you want to remove them manually, the following files can be safely removed:
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- log4j-api-2.13.3.jar
- log4j-core-2.13.3.jar
- log4j-slf4j-impl-2.13.3.jar
- log4j-api-2.17.0.jar
- log4j-core-2.17.0.jar
- log4j-slf4j-impl-2.17.0.jar
Q I have the latest version of Java - doesn’t that protect me against Log4Shell?
No. There have been examples of this being exploited under any version of Java. The only way to prevent this issue in PaperCut products is to apply the recommendations outlined in this knowledge base article.
Q Is PaperCut affected by the Log4j 1.2 SocketServer vulnerability (CVE-2019-17571)?
A vulnerability was discovered (originally in 2019) in the SocketServer functionality of Log4j. This has been documented officially on the NIST site here: CVE-2019-17571.
This vulnerability requires the Apache Log4j component to be configured to listen for logging events on a socket. PaperCut Products do not use this feature of Log4j and as such the vulnerability CVE-2019-17571 does not affect PaperCut Products.
Please see our Known Issue PO-693 for more information on this.
Q Is PaperCut affected by CVE-2021-45046?
Yes. We became aware of this issue on the morning of the 15th of December AEST (see here for info: CVE-2021-45046). This new issue is currently only rated moderate severity (CVSS 3.7) and would result in a Denial of Service to the PaperCut MF/NG Application or Site Servers in certain circumstances. Due to the severity of Log4Shell (CVE-2021-44228), we strongly recommend that you do not wait to apply the mitigation for Log4Shell.
Please note: We have addressed this vulnerability in the maintenance release - PaperCut MF/NG version 21.2.3 (which uses log4j 2.16).
Q Is PaperCut affected by CVE-2021-45105?
Yes. This vulnerability has been raised online - see details on CVE-2021-45105. This vulnerability is present in log4j 2.16 (used by PaperCut MF/NG version 21.2.3).
Please note: We have addressed this vulnerability in the maintenance release - PaperCut MF/NG version 21.2.4 (which uses log4j 2.17).
Q What is the difference between the MF/NG versions relating to log4j fixes?
| Version | Contents | Log4j version |
| --- | --- | --- |
| PaperCut MF/NG version 21.2.3 | Resolves CVE-2021-44228 and CVE-2021-45046 | log4j 2.16 |
| PaperCut MF/NG version 21.2.4 | Resolves CVE-2021-45105 (and the previous two vulnerabilities) | log4j 2.17 |
| PaperCut MF/NG version 21.2.5 | Resolves CVE-2021-44832 (and the previous three vulnerabilities) | log4j 2.17.1 |
| PaperCut MF/NG version 21.2.6 | Unintentionally includes log4j 2.17.0. We are looking to replace this with a 21.2.7 build asap which will include log4j 2.17.1. See the known issue about this. | log4j 2.17.0 |
| PaperCut MF/NG version 21.2.7 | Includes all the fixes in 21.2.6 and corrects the log4j version in use | log4j 2.17.1 |
| PaperCut MF/NG version 21.2.8 | Includes all the fixes in 21.2.7 and removes all dependencies on log4j 1.x libraries | log4j 2.17.1 |
| PaperCut MF/NG version 21.2.9 and .10 | Includes all the fixes in 21.2.8 and resolves the Spring4Shell vulnerability | log4j 2.17.1 |
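The lib-ext clean-up question, the Payment Gateway build-number check and the version table above all reduce to version comparisons; the following Python helper is an added example, not a PaperCut tool, that performs them on jar file names and on the contents of ext-payment-gateway-version.txt. The sample file list is constructed, and the per-version CVE mapping follows the table above together with the 2.15.0 fix for CVE-2021-44228 noted in the references.

```python
"""Triage the log4j material in a PaperCut [install]/server/lib-ext folder.
Hypothetical helper written for this article, not a PaperCut tool: it maps
each log4j-*.jar to the CVEs the version table above leaves open for that
log4j version, flags every copy but the newest of each artifact as a stale
duplicate, and turns the Payment Gateway build number into the FAQ's advice."""
import re

JAR_RE = re.compile(
    r"^log4j-(?:(?P<artifact>[a-z0-9-]+?)-)?(?P<ver>\d+(?:\.\d+)*)\.jar$")

# (first fixed log4j version, CVE): a 2.x jar older than the fix is still exposed
FIXES = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
    ((2, 17, 1), "CVE-2021-44832"),
]


def parse_version(text):
    """'2.17' -> (2, 17, 0): pad to three parts so tuple comparison is exact."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def open_cves(ver):
    """CVEs from the version table above that still apply to this jar version."""
    if ver[0] < 2:   # log4j 1.x: Log4Shell does not apply, see the 1.x FAQ entries
        return ["log4j 1.x (not Log4Shell)"]
    return [cve for fixed, cve in FIXES if ver < fixed]


def triage(names):
    """{filename: {version, cves, stale}} for every log4j jar among names."""
    parsed = {}
    for name in names:
        m = JAR_RE.match(name)
        if m:
            parsed[name] = (m["artifact"] or "log4j", parse_version(m["ver"]))
    newest = {}
    for art, ver in parsed.values():
        newest[art] = max(newest.get(art, (0, 0, 0)), ver)
    return {
        name: {"version": ".".join(map(str, ver)), "cves": open_cves(ver),
               "stale": ver < newest[art]}
        for name, (art, ver) in parsed.items()
    }


def removable(names):
    """Older duplicates that can be deleted once the Application Server is stopped."""
    return sorted(n for n, info in triage(names).items() if info["stale"])


def gateway_advice(version_txt):
    """Advice from the Payment Gateway FAQ, given ext-payment-gateway-version.txt."""
    m = re.search(r"^version-build=(\d+)", version_txt, re.M)
    if not m:
        return "version-build line not found"
    build = int(m.group(1))
    if build < 207:
        return "not at risk: no log4j 2.x bundled"
    if build < 219:
        return "not at risk, but unused log4j 2.x bundled: upgrade the gateway to 219"
    return "log4j removed: relies on the Application Server's log4j"


# Constructed sample: the nine jars the FAQ above lists, a 2.17.1 set (the
# version the patched server uses) and one unrelated jar with a placeholder name.
SAMPLE_LIB_EXT = [f"log4j-{a}-{v}.jar"
                  for v in ("2.13.3", "2.16.0", "2.17.0", "2.17.1")
                  for a in ("api", "core", "slf4j-impl")] + ["some-other-lib.jar"]
SAMPLE_GATEWAY_TXT = "version-build=214\n"   # constructed, a 214 build
```

On a real server, pass os.listdir of the lib-ext folder to triage and removable; anything the triage still reports with open CVEs means the server itself is not yet on 21.2.5 or later.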
Q Are any PaperCut products affected by CVE-2021-44832?
Security researchers have flagged that log4j version 2.17 and earlier can have a remote exploitation vulnerability enabled *if* an attacker is able to edit the log4j config files.
The relevant configuration is not present in any PaperCut products, and an attacker would therefore need file write access (i.e. Administrator level access) to a site’s PaperCut server in order to make the necessary changes and restart the server. As an attacker in this position must already have high level access to the customer environment in order to enable the vulnerability, we consider this a very low risk for PaperCut customers.
Please note: We have addressed this vulnerability in the latest maintenance release - PaperCut MF/NG version 21.2.5 (which uses log4j 2.17.1).
Q Why has the Ricoh SDK/J installer been removed from the PaperCut MF installation?
As per the release note with 21.2.6, we have now removed Ricoh SDK/J v2 (which has been deprecated) from the MF installs on Windows, Linux and macOS [PO-727]. This deprecated (Ricoh deprecated SDK/J a while ago) version was getting flagged by vulnerability scanners, so the client package has now been removed from the server installation. For customers still running SDK/J machines needing the SDK/J package, this can be downloaded here.
Q How is PaperCut affected by the following security issues that affect log4j 1.x?
The PaperCut MF client does use Log4j 1.x (prior to 21.2.8). Please note that log4j 1.x libraries have now been completely removed with the 21.2.8 maintenance release of PaperCut MF/NG. After upgrading, you will need to manually remove the legacy Mac client since it is not automatically removed, e.g. C:\Program Files\PaperCut MF\client\mac\legacy\PCClient.app.
There are some vulnerabilities that affect Log4j 1.x; explanations of how PaperCut MF is affected by these are in the table below.
| CVE | Response |
| --- | --- |
| CVE-2022-23307 | This is related to a component called Chainsaw. Chainsaw is a program for viewing logs in a graphical user interface. PaperCut MF does not use Chainsaw. |
| CVE-2022-23302 | This issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. PaperCut MF does not configure Log4j to use JMSSink and is not affected by this issue. |
| CVE-2022-23305 | This issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. PaperCut MF does not configure Log4j to use JDBCAppender and is not affected by this issue. |
References
- https://logging.apache.org/log4j/2.x/security.html#
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
- https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893
Security Updates
In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.
Updates
| Date | Update/Action |
| --- | --- |
| 10th December 2021 15:27 AEDT | Issue reported internally to the security and product team. Initial triage commenced with the intent of providing a known issue posting with mitigation advice. |
| 10th December 2021 16:47 AEDT | Published Known Issue bulletin for PaperCut NG/MF. |
| 11th-12th December 2021 | Monitored unfolding updates regarding the issue. |
| 13th December 2021 19:14 AEDT | Published this KB article for all products. Produced HotFix for PaperCut NG/MF for customers unable to perform the workaround. |
| 14th December 2021 | Updated information around Release Station and User client status and mitigations. |
| 14th December 2021 | Added FAQ section with extra information. |
| 15th December 2021 | Added link to security subscription form. |
| 15th December 2021 12:00 AEDT | Updated info about CVE-2021-45046 |
| 15th December 2021 12:25 AEDT | Updated info about available fixes |
| 15th December 2021 16:01 AEDT | Updated FAQ entry on Log4j 1.x CVE-2021-4104 |
| 15th December 2021 16:40 AEDT | Updated with the PaperCut MF/NG 21.2.3 maintenance release information (uses log4j 2.16). |
| 17th December 2021 13:30 AEDT | Updated with the latest Payment Gateway build information |
| 18th December 2021 18:50 AEDT | Updated to include info about CVE-2021-45105 |
| 20th December 2021 14:00 AEDT | Updated with latest Payment Gateway module release (version 214) which contains log4j 2.17. |
| 21st December 2021 11:30 AEDT | Updated with the PaperCut MF/NG 21.2.4 maintenance release information (uses log4j 2.17). |
| 22nd December 2021 12:00 AEDT | Included FAQ about cleaning up older log4j versions from the Payment Gateway installation folder. |
| 22nd December 2021 18:50 AEDT | Reviewed use of Logback in PaperCut products. Determined that at this point no action is required. |
| 30th December 2021 07:30 AEDT | Reviewed potential impact of CVE-2021-44832. Determined that at this point no action is required. |
| 12th January 2022 11:00 AEDT | Added note confirming we hope to have MF/NG builds available by end of Jan at the latest (to include log4j 2.17.1) and by the end of March 2022 (which will also remove any log4j 1.x dependencies). |
| 27th January 2022 11:00 AEDT | Updated with the PaperCut MF/NG 21.2.5 maintenance release information (uses log4j 2.17.1). |
| 27th January 2022 18:00 AEDT | Updated with the latest Payment Gateway version 219 information (removes log4j). |
| 31st January 2022 10:00 AEDT | Updated with information on Log4j 1.x vulnerabilities. |
| 2nd Feb 2022 12:00 AEDT | Updated to include info on manually removing log4j 1.x files if required / if possible. |
| 7th Feb 2022 16:00 AEDT | Updated with a note about the Raspberry Pi release station image, which has now been updated to log4j 2.17.1. |
| 24th Feb 2022 15:00 AEDT | Updated with a note about 21.2.6 unintentionally including log4j 2.17.0, and a reference to the known issue. |
| 28th Feb 2022 11:00 AEDT | Updated with the PaperCut MF/NG 21.2.7 maintenance release (includes log4j 2.17.1) and closed out the known issue. |
| 28th Feb 2022 11:00 AEDT | Updated to include a note about the removal of the Ricoh SDK/J install package from the build since 21.2.6. |
| 24th March 2022 16:00 AEDT | Updated with the PaperCut MF/NG 21.2.8 maintenance release, which removes all log4j 1.x dependencies. |
| 20 May 2022 14:00 AEDT | Added information about the 21.2.10 build related to the Spring4Shell vulnerability. |
| 10th Jan 2023 16:00 AEDT | Updated with the PaperCut MF/NG 22.0.8 maintenance release, which automatically removes the Mac legacy client. |
Last updated June 13, 2024