Log4j vulnerability (CVE-2021-44228)
This concerns a critical security vulnerability in the Log4j logging library up to and including version 2.14. Additional information can be found at the BSI (Federal Office for Information Security).
Below you will find a description of the vulnerability tests performed.
Further information on vulnerability tests conducted by SoftProject
Possible reports during vulnerability tests
Security scanners may incorrectly flag the class de.softproject.integration.util.JNDILookup.class in the X4-Client.jar file as a vulnerability. This class is unrelated to Log4j. If you receive this message, you can ignore it.
The local-log4j vulnerability scanner incorrectly flags the class JNDIManager from the package narayana-jts-idlj and issues a corresponding message. This class is not related to Log4j. If you receive this message, you can ignore it.
Information about WildFly
WildFly is not affected. The WildFly project's official statement is available on its website.
WildFly/JBoss uses the Log4j API but ships its own implementation based on Log4j 1.x (log4j-jboss-logmanager-1.x.x.Final.jar). The affected Log4j 2 core implementation is therefore not used.
Tests conducted by SoftProject
We investigated whether the X4 BPMS is affected by the critical security vulnerability. Our investigation concluded that the X4 BPMS is not affected.
| Test | Result |
|---|---|
| Search for the class org.apache.logging.log4j.core.net.JndiManager (Log4j 2.x) in our installations. | No matches found for this class in the entire WildFly environment. |
| Check whether Log4j version 1 is present (following information from the German Federal Office for Information Security, BSI): search for the class org.apache.log4j.Appender (Log4j 1.x) in our installations. | No standard Log4j 1 is present. Only the JBoss implementation was found, which is not affected. |
| Check whether Log4j version 2 is present: search for the class org.apache.logging.log4j.core.Appender (Log4j 2.x) in our installations. | No matches found for this class in the entire WildFly environment. |
| Run the local-log4j vulnerability scanner. The scanner incorrectly flags the class JNDIManager from the package narayana-jts-idlj and issues a corresponding message; this class is not related to Log4j, and the message can be ignored. | No matches for this class were found in the entire WildFly distribution. |
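The class searches in the table above can be automated. The script below is an added example written for this page; it is not SoftProject's X4 adapter and not the local-log4j vulnerability scanner. It walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside them (where a third-party deployment could bundle its own log4j-core), looks for the three indicator classes named in the table, reads the log4j-core version from the JAR's Maven metadata, and labels the two false positives described above so they are not confused with Log4j's JndiManager. The sample archives are constructed in a temporary directory with dummy class bytes; the Narayana package path `placeholder/narayana` and the file names are stand-ins, not real artifacts.

```python
"""Added example (not SoftProject's X4 adapter or the local-log4j scanner):
scan a directory tree of Java archives for the Log4j indicator classes named
on this page and label the page's known false positives.  Sample archives
are constructed below so the script runs offline."""
import io
import os
import tempfile
import zipfile
from typing import Dict, Set

# JAR entry paths of the classes the page's tests search for.
INDICATORS = {
    "log4j2-jndi": "org/apache/logging/log4j/core/net/JndiManager.class",
    "log4j2-core": "org/apache/logging/log4j/core/Appender.class",
    "log4j1-api": "org/apache/log4j/Appender.class",
}
# Entries the page reports scanners flagging although they are unrelated to Log4j.
# Note the spelling: Narayana's JNDIManager is not Log4j's JndiManager.
KNOWN_FALSE_POSITIVES = (
    "de/softproject/integration/util/JNDILookup.class",
    "/JNDIManager.class",
)
# Maven metadata that log4j-core JARs carry; used to read the bundled version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
Report = Dict[str, dict]


def scan_archive(data: bytes, name: str, report: Report) -> None:
    """Inspect one archive held in memory and recurse into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    info = report.setdefault(name, {"kinds": set(), "version": None})
    with zf:
        for entry in zf.namelist():
            for kind, path in INDICATORS.items():
                if entry == path:
                    info["kinds"].add(kind)
            if any(entry.endswith(fp) for fp in KNOWN_FALSE_POSITIVES):
                info["kinds"].add("false-positive")
            if entry == POM_PROPS:
                for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        info["version"] = line.split("=", 1)[1].strip()
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(entry), f"{name}!{entry}", report)


def scan_tree(root: str) -> Report:
    """Scan every archive below root; nested archives are keyed as outer!inner."""
    report: Report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), rel, report)
    return report


def verdict(name: str, info: dict) -> str:
    """Turn raw hits into the kind of verdict the page's test table gives."""
    kinds: Set[str] = info["kinds"]
    if "log4j2-jndi" in kinds:
        return (f"log4j-core 2.x with JndiManager (version {info['version'] or 'unknown'}): "
                "affected range is 2.0 to 2.14.1, verify and patch")
    if "log4j2-core" in kinds:
        return "log4j-core 2.x present without JndiManager: verify version"
    if "log4j1-api" in kinds:
        if "log4j-jboss-logmanager" in name.lower():
            return "JBoss log4j 1.x implementation, not Log4j 2 core: not affected"
        return "standard Log4j 1.x present: not the Log4j 2 core vulnerability"
    if "false-positive" in kinds:
        return "known false positive, unrelated to Log4j: ignore"
    return "clean"


def build_sample_tree(root: str) -> None:
    """Constructed fixtures (dummy class bytes, placeholder paths) mirroring the page's cases."""
    def jar_bytes(entries: Dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, payload in entries.items():
                zf.writestr(entry, payload)
        return buf.getvalue()

    def write(relpath: str, entries: Dict[str, bytes]) -> None:
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(jar_bytes(entries))

    magic = b"\xca\xfe\xba\xbe"  # class-file magic number as a stand-in body
    # The JBoss Log4j 1.x implementation also exposes org.apache.log4j classes (table, second row).
    write("modules/log4j-jboss-logmanager-1.x.x.Final.jar", {INDICATORS["log4j1-api"]: magic})
    write("client/X4-Client.jar", {"de/softproject/integration/util/JNDILookup.class": magic})
    # Narayana's real package path is not on the page; "placeholder/narayana" is a stand-in.
    write("modules/narayana-jts-idlj-5.x.jar", {"placeholder/narayana/JNDIManager.class": magic})
    # A third-party WAR bundling a vulnerable log4j-core: the case a scan must not miss.
    write("deployments/thirdparty.war", {
        "WEB-INF/lib/log4j-core-2.14.1.jar": jar_bytes({
            INDICATORS["log4j2-core"]: magic,
            INDICATORS["log4j2-jndi"]: magic,
            POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        }),
    })


def run_demo() -> Dict[str, str]:
    """Build the constructed tree, scan it and return one verdict per archive."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {name: verdict(name, info) for name, info in sorted(scan_tree(root).items())}


if __name__ == "__main__":
    for archive, result in run_demo().items():
        print(f"{archive}: {result}")
```

Point `scan_tree` at a WildFly installation directory (modules, deployments and the client JARs) to reproduce the table's searches; an archive is only flagged when the exact entry path of an indicator class is present, which is why Narayana's JNDIManager and the X4 JNDILookup class land in the false-positive bucket rather than with Log4j. Recording the bundled log4j-core version matters for the mitigation recommended further down the page: the log4j2.formatMsgNoLookups property is only recognised by Log4j 2.10 and later, so a hit on an older 2.x version needs an upgrade rather than the JVM flag.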
On December 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was discovered. Proof-of-concept (PoC) code was published, and subsequent investigation showed that exploiting the vulnerability was straightforward. By sending a specially crafted request to a vulnerable system, an attacker could, depending on the system's configuration, cause that system to download and then execute a malicious payload.
The BSI assesses the threat situation as extremely critical.
The vulnerability affects Log4j versions 2.0 through 2.14.1. Our tests have shown that X4 Suite versions 5.5, 5.8, and 6.x, as well as X4 BPMS versions 7.x and related solutions (e.g., X4 BiPRO Server), are not affected. The WildFly Application Server supplied by SoftProject is also unaffected, as it uses a Log4j implementation that does not contain the vulnerability. We will gladly provide information on older versions of the X4 Suite upon request. Keycloak versions 7.x and later are also unaffected.
We still recommend setting the option log4j2.formatMsgNoLookups to true by starting the Java Virtual Machine with the argument -Dlog4j2.formatMsgNoLookups=true. This prevents the vulnerability from being exploited if newer Log4j versions are added later.
From version 6.x onwards, we also provide an X4 adapter upon request, which you as a customer can use to check your installation of the X4 Suite or X4 BPMS yourself.
Furthermore, for on-premises solutions, we recommend examining all surrounding systems, such as on-site web servers or proxy servers, for the aforementioned vulnerability.
For customers using our Software as a Service (SaaS), there is no immediate threat. The services remain fully available. Further security measures will be implemented during a short maintenance window. We will notify you separately about this.
If you require support for on-premises systems, please contact our support team at support@softproject.de or at +49 7243 56175-333.
Further information can also be found at the Federal Office for Information Security.