webPDF 8 security update rev. 2372 for the log4j vulnerability CVE-2021-44228

Minimum technical requirements

  • Java version: 11
  • webPDF version: 8 (revision 2372)

This current update contains security updates and fixes for the server regarding the security vulnerability CVE-2021-44228 in the third-party library log4j found on 9 December 2021, we would like to inform you as follows regarding webPDF:

  • webPDF 7 uses the above library in version 1 and is therefore not affected.
  • webPDF 8 uses the above library in version 2 and is therefore affected.

From the above description there are several possibilities to fix the problem in webPDF 8:

1. The computer has no external connection to the internet to execute malicious requests.

2. Since Log4j version 2.10 there is the parameter log4j2.formatMsgNoLookups with the value true to disable this function (see also above link to CVE-2021-44228).

3. Install log4j version >= 2.15, as this version closes the vulnerability by disabling the problematic feature by default.

4. As an emergency measure (if none of the other measures are applicable) remove the class JndiLookup from the Classpath, i. e. from the JAR file log4j-core*.jar.
(Example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Regarding point 2) the following versions are to be considered with webPDF:

  • Up to revision < 1705 the log4j version 2.9.1 is used, i. e. here an update of webPDF is urgently necessary and the parameter cannot be used.
  • From revision 1705 on the version 2.11.1 (and newer) of log4j is used, i. e. from here on the parameter log4j2.formatMsgNoLookups can be used.

The current revision r2238 of webPDF uses log4j 2.14.1, where the parameter can also be used.

Enter parameter: The parameter log4j2.formatMsgNoLookups can be entered into webPDF.vmoptions bzw. webPDF.service.vmoptions on Windows.
-Dlog4j2.formatMsgNoLookups=true
Under Linux, the parameter can be added to the file webpdf.service (under ExecStart=) or webpdf.sh (under javaOpt=).

To point 3):

An update from webPDF 8 to log4j 2.15 is available on the download page https://download.softvision.de/?product=webpdf with revision 2372. The packages at https://packages.softvision.de/ have also been updated accordingly.

You can find the update as usual on our download page. For Linux, the package is available via our public repository under Linux packages.

If you have any questions or problems, we will be happy to help you. Please, contact our support.

Your SoftVision team