Statement regarding the security vulnerability in log4j
On December 10, NIST disclosed vulnerability CVE-2021-44228, affecting the log4j package from version 2.0-beta9 through 2.14.1. In response, we investigated the usage of log4j in CM WebClient and determined that WebClient does not use a log4j version that is affected by this vulnerability. Since the version used does not offer a JNDI look-up mechanism at the message level, it does not suffer from CVE-2021-44228. However, out of an abundance of caution, we will be making available a patched distribution of WebClient that includes log4j version 2.16. As always, the security of the WebClient software is a high priority to us, and we will continue to monitor public CVE listings for any ongoing cybersecurity vulnerabilities.
The following is the result of the vulnerability scan that we have performed on WebClient version 1.8.8-pre13079.
We scanned the log4j version used in WebClient for vulnerabilities using the most current OWASP Dependency-Check. We found two vulnerabilities that do not affect WebClient, as WebClient does not use SocketServer or the SMTP/SMTPS appender.
1. CVE-2019-17571
CWE-502 Deserialization of Untrusted Data
Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When it listens to untrusted network traffic for log data, this can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code. This affects Log4j 1.x versions up to and including 1.2.17.
2. CVE-2020-9488
CWE-295 Improper Certificate Validation
The Apache Log4j SMTP appender does not properly validate a certificate whose host name does not match. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender.
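As an added defender-side check (not CM WebClient code and not part of this statement), the following script audits a deployment's log4j jar name and its log4j.properties against the three CVEs discussed above; the jar names and the configuration it inspects are constructed samples. SocketServer is started as a process rather than configured in properties, so for 1.2.x jars it is flagged for manual confirmation instead of detected.

```python
import re

# log4j 1.2 appender class named in CVE-2020-9488 (real class name)
SMTP_APPENDER = "org.apache.log4j.net.SMTPAppender"

# Constructed sample config standing in for a deployment's log4j.properties
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=webclient.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
"""

def appender_classes(properties_text):
    """Map appender name -> implementing class from log4j 1.2 properties syntax."""
    classes = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # comment lines
            continue
        m = re.match(r"log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)$", line)
        if m:                                    # only 'log4j.appender.NAME=class', not NAME.option
            classes[m.group(1)] = m.group(2)
    return classes

def jar_version(jar_name):
    """'log4j-1.2.17.jar' -> (1, 2, 17); 'log4j-core-2.14.1.jar' -> (2, 14, 1); None if not a log4j jar.
    A pre-release tag such as 2.0-beta9 is reduced to its base version (2, 0, 0)."""
    m = re.search(r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$", jar_name)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def audit(jar_name, properties_text):
    """Return {cve: reason} for the CVEs in the statement that need review for this jar/config."""
    hits, ver = {}, jar_version(jar_name)
    if ver and (2, 0, 0) <= ver <= (2, 14, 1):   # 2.0-beta9 .. 2.14.1; earlier 2.0 betas flagged conservatively
        hits["CVE-2021-44228"] = "log4j-core %d.%d.%d performs JNDI lookups in log messages" % ver
    if ver and ver[0] == 1 and ver <= (1, 2, 17):
        hits["CVE-2019-17571"] = "SocketServer class is present; confirm no SocketServer listens for log data"
    if SMTP_APPENDER in appender_classes(properties_text).values():
        hits["CVE-2020-9488"] = "SMTPAppender configured; SMTPS certificate host name is not validated"
    return hits

if __name__ == "__main__":
    for jar in ("log4j-1.2.17.jar", "log4j-core-2.14.1.jar", "log4j-core-2.16.0.jar"):
        print(jar, audit(jar, SAMPLE_PROPERTIES))
```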
Please contact us at support if you have any questions about this statement.