Appeon is aware of the recently disclosed security vulnerability CVE-2021-44228 relating to the Apache Log4j Java logging framework. The vulnerability makes some protocols unsafe and can allow remote code execution.
Appeon has promptly launched an investigation. This Security Bulletin summarizes the results of our investigation to date and our recommendations for PowerServer customers.
PowerServer versions affected?
PowerServer versions 2019 and 2020 are affected as follows:
- The PowerServer Toolkit bundled in PowerBuilder CloudPro 2017 - 2019 R3 is affected.
- Only the Java server runtime of PowerServer is affected. The .NET server runtime does not use Log4j.
Appeon does not investigate or provide security fixes for EOL versions. If you are using PowerServer 2017 or older, you also may be affected.
Appeon’s investigation results?
- PowerServer Toolkit
The PowerServer Toolkit installation folder contains the “ant” folder in the \Toolkit\Java\Jdk1.8.0_66 directory, and the “ant” folder contains the “ant-apache-log4j.jar” and “ant-apache-log4j.pom” files. The files are from version 1.2.X of Log4j, which is NOT listed as an affected version in CVE-2021-4428 but may contain other security vulnerabilities.
The “ant” folder in the \Toolkit\Java\Jdk1.8.0_66 directory was used in older versions of the PowerServer Toolkit for generating the Android application package (APK). However, the PowerServer packaging tool has been re-designed and no longer uses the “ant” folder to generate the Android APK file in more recent PowerBuilder versions.
- PowerServer, Java server runtime
The PowerServer installation folder contains version 1.2.16 of Log4j, which is NOT listed as an affected version in CVE-2021-4428 but may contain other security vulnerabilities.
After the installation of PowerServer, the \appeon folder contains the “appeonserver.ear” package, and “log4j-1.2.16.jar” is one of the files in this package.
The “appeonserver.ear” package will be deployed to the deployment folder of the Java server. For example, if the Java server is WildFly 12.0.0, the “appeonserver.ear” package will be deployed to the folder \wildfly-12.0.0\standalone\deployments.
The main logging function of PowerServer does not use Log4j; however, some auxiliary logging features use Log4j, such as DBUpgrade.log and AEMLog.log.
What should you do?
Immediately upgrade the PowerServer Toolkit by installing the latest version of PowerBuilder CloudPro as follows:
|PowerBuilder English versions 2019 and older
|2019 MR #2170, 2019 R2, or 2019 R3
|PowerBuilder Japanese versions 2017 R3 and older
|2017 R3 MR #1926 and newer, or 2019 R3
After you have upgraded the PowerServer Toolkit, then delete the “ant” folder in the directory \Toolkit\Java\Jdk1.8.0_66\.
If you cannot upgrade to the versions specified above, immediately delete the “ant-apache-log4j.jar” and “ant-apache-log4j.pom” files from the directory \Toolkit\Java\Jdk1.8.0_66\ant\lib.
Follow your company's security policies and procedures to ensure your IT systems have not been compromised.
Verify that your firewall rules are strong, for example restricting access from unknown locations/networks. If your PowerServer apps do not need to be accessed over the Internet, disable all Internet access to the server.
Open a support ticket to ensure that Appeon can provide you the security fix as soon as possible. When opening the support ticket, please make sure to specify the version and build number of your PowerServer.
The security fix Appeon will provide will require that you are on the latest build of PowerServer 2020 or 2019, as applicable. As such, if you are on an older build, you should immediately begin the upgrade process to the latest build currently available.
If you are using PowerServer 2017 or older, immediately begin the upgrade process to the latest build of PowerServer 2020. Appeon will not be providing security fixes for EOL versions, such as PowerServer 2017.
What Appeon will do?
Appeon plans to remove the \Toolkit\Java\Jdk1.8.0_66\ant folder, or at least the "ant-apache-log4j.jar" and "ant-apache-log4j.pom" files, in all the subsequent PowerServer Toolkit MR releases.
Appeon will issue a maintenance release (MR) as soon as possible that removes Log4j from the latest builds of PowerServer 2020 and 2019. This will result in the auxiliary logging features to be disabled, such as DBUpgrade.log and AEMLog.log; however, the main logging features will still continue to work as before. Appeon made the decision to disable the auxiliary logs because they are rarely used by our customers and this would enable us to deliver the security fix as fast as possible.
If any questions regarding this security bulletin, please open a support ticket on the Appeon Website: /standardsupport/newbug.
Last updated: December 24, 2021