webPDF 8 security update rev. 2372 for the log4j vulnerability CVE-2021-44228

Security update

This update contains security fixes for the vulnerability CVE-2021-44228 in the third-party library log4j.

Current status for webPDF:

  • webPDF 7 uses log4j version 1 and is not affected.
  • webPDF 8 uses log4j version 2 and is affected.

Possible ways to address the issue in webPDF 8 (updating log4j is the proper fix; the others are interim measures):

  1. Restrict outbound (egress) network connections from the webPDF host, so that a triggered JNDI lookup cannot reach an attacker-controlled LDAP or RMI server. This limits the impact but does not remove the vulnerable code and does not stop the lookup from being attempted.
  2. From log4j 2.10 onward, set the JVM system property log4j2.formatMsgNoLookups=true. This only disables lookups in formatted log messages; Apache later declared it insufficient as a complete mitigation, so treat it as a stopgap until the update is applied.
  3. Install log4j version >= 2.15, where JNDI lookups in log messages are disabled by default. Afterwards make sure no older log4j-core JAR remains anywhere on the classpath.
  4. Emergency measure (if none of the above is possible): remove the class JndiLookup from every log4j-core*.jar in the installation and restart webPDF. Logging keeps working; only the JNDI lookup can no longer be resolved.

Example (run once per JAR file, since zip -d operates on a single archive; a glob matching several JARs would treat the extra matches as entry names):

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
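The following Python script is an added example, not part of the webPDF advisory or of the webPDF product: it inventories every log4j-core JAR below an installation directory, reads the version from the JAR manifest, checks whether JndiLookup.class is still present, and strips the class (the same effect as the zip -d command above) only where the version is below 2.15. The directory layout, the fake JAR contents and the manifest field used for the version are constructed fixtures and assumptions; a real log4j-core JAR carries Implementation-Version in META-INF/MANIFEST.MF, but verify that on your copy.

```python
"""Added example: scan for log4j-core JARs, report version and JndiLookup
presence, and strip the class where no update is possible. The JARs built
by make_sample_jar() are constructed fixtures, not real log4j archives."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Class that implements the JNDI lookup inside log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First release in which JNDI message lookups are disabled by default.
FIXED_VERSION = (2, 15, 0)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


@dataclass
class JarReport:
    path: str
    version: Optional[str]   # Implementation-Version from MANIFEST.MF, if present
    has_jndi_lookup: bool    # JndiLookup.class still inside the archive
    safe_by_version: bool    # version >= 2.15.0

    @property
    def needs_action(self) -> bool:
        # A 2.15 JAR still ships JndiLookup.class but has lookups disabled,
        # so presence of the class alone is not the criterion.
        return self.has_jndi_lookup and not self.safe_by_version


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def inspect_jar(path: str) -> JarReport:
    with zipfile.ZipFile(path) as zf:
        version = manifest_version(zf)
        has_jndi = JNDI_CLASS in zf.namelist()
    safe = version is not None and parse_version(version) >= FIXED_VERSION
    return JarReport(path, version, has_jndi, safe)


def scan(root: str) -> List[JarReport]:
    """Walk the tree and inspect every log4j-core*.jar found."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                reports.append(inspect_jar(os.path.join(dirpath, name)))
    return reports


def strip_jndi_lookup(path: str) -> bool:
    """Rewrite the JAR without JndiLookup.class. Returns True if it was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, path)  # atomic swap: a crash leaves the old JAR intact
    return True


def make_sample_jar(path: str, version: str) -> None:
    """Constructed fixture: fake log4j-core JAR with a manifest and two dummy classes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Scan a constructed installation: one old JAR needing the emergency
    measure and one 2.15.0 JAR that must be left alone."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    jars = {os.path.join(root, "lib", "log4j-core-2.14.1.jar"): "2.14.1",
            os.path.join(root, "plugins", "log4j-core-2.15.0.jar"): "2.15.0"}
    for jar, version in jars.items():
        os.makedirs(os.path.dirname(jar), exist_ok=True)
        make_sample_jar(jar, version)
    before = {os.path.basename(r.path): (r.version, r.has_jndi_lookup, r.needs_action)
              for r in scan(root)}
    stripped = [os.path.basename(r.path)
                for r in scan(root) if r.needs_action and strip_jndi_lookup(r.path)]
    after = {os.path.basename(r.path): r.needs_action for r in scan(root)}
    return {"before": before, "stripped": stripped, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point scan() at the webPDF installation directory to get the inventory; strip only the JARs whose report shows needs_action, and restart webPDF afterwards, since the running JVM keeps the already loaded class until then.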

Regarding option 2, the following applies to webPDF 8:

  • Revisions below 1705 use log4j 2.9.1, which does not support the parameter; these installations must be updated.
  • From revision 1705 onward, log4j 2.11.1 (or newer) is used, so the parameter can be applied.

The previous release, revision 2238, uses log4j 2.14.1, where the parameter can also be set.

On Windows, add the parameter to webPDF.vmoptions or webPDF.service.vmoptions and restart webPDF:

-Dlog4j2.formatMsgNoLookups=true

On Linux, add it to the java command line in webpdf.service (ExecStart=) or webpdf.sh (javaOpt=). The -D option must appear before the -jar or main class argument, otherwise it is passed to the application instead of the JVM. Restart the service afterwards and check with ps that the running java process shows the option.

Update package

An update of webPDF 8 to log4j 2.15 is available as revision 2372.

If you have any questions or need technical support, please contact us.

Your SoftVision team