Output Transformation Server - Log4J Vulnerability
Output Transformation Server, Embedded Output Transformation Engine, Output Transformation for ApplicationXtender, Output Transformation for InfoArchive, and Output Transformation for Documentum - Log4j Vulnerability
Applies to
Embedded Output Transformation Engine 20.4, 21.2, 21.4
Output Transformation for ApplicationXtender 21.4
Output Transformation for InfoArchive 20.4, 21.2, 21.4
Output Transformation Server 20.4, 21.2, 21.4
Summary
The Log4j third-party component used by Output Transformation Server, Embedded Output Transformation Engine, Output Transformation for ApplicationXtender, Output Transformation for InfoArchive, and Output Transformation for Documentum to keep a record of activity within the application is affected by the Critical RCE Vulnerability: log4j - CVE-2021-44228.
A threat actor could potentially exploit this vulnerability to remotely execute unauthorized code on systems running Output Transformation Server, Embedded Output Transformation Engine, Output Transformation for ApplicationXtender, Output Transformation for InfoArchive, and Output Transformation for Documentum.
Resolution
Previously, the recommended mitigation steps for the Output Transformation Server products involved only setting a Java command line system property that disabled the exploitable features in log4j 2.13 - 2.15. Unfortunately, after further analysis, the Apache Foundation (authors of log4j) determined that this approach was insufficient and exploitable risks still remained in the software.
There are now only two recommended options:
Modify the existing log4j-core-2.13.3.jar file in your currently deployed OTS/OTE product to remove the exploitable .class file.
Upgrade OTS/OTE 20.4, 21.2, and 21.4 versions to the latest patch versions at MySupport.
More information on each option can be found below.
Option 1: Modifying the existing log4j-core-2.13.3.jar
For most users who are looking for an immediate solution to protect their existing production systems, this option is quick, effective, and low risk. The exploitable code inside log4j 2.x is isolated in a single .class file related to JNDI features. None of the Output Transformation Server products make use of the JNDI features and this class file can safely be removed from the log4j JAR file without affecting the functionality of OTS/OTE.
Locating the JAR file(s)
It is recommended that users search the filesystem tree of their OTS/OTE installation to locate all potential copies of the log4j-core-2.13.3.jar file. The most common location of this jar for OTS installs (including Output Transformation for ApplicationXtender) is: <OTS_HOME>/install/<version>/lib/common/log4j-core-2.13.3.jar
For Embedded Output Transformation Engine (EOTE) users, the location is: <EOTE_HOME>/engine/<version>/lib/ForDataT/log4j-core-2.13.3.jar
However, many EOTE users repackage the EOTE jar files into their own business applications. In this case, the jar file(s) should be located by the administrators responsible for that application. For users of Output Transformation for InfoArchive, the install procedure would have involved unpacking the OutputTransformation-for-InfoArchive-<version>.zip / .tar.gz file into an existing InfoArchive install directory. In this case, users should find the jar file here: <IA_HOME>/lib/iaserver/external/log4j-core-2.13.3.jar
For users of Output Transformation for Documentum, the location is: <OT_FOR_DM_HOME>/lib/ote-lib/log4j-core-2.13.3.jar. Users may also have embedded Output Transformation for Documentum libraries into their own application for API use. In this case, the jar file(s) should be located by the administrators responsible for that application.
Updating the JAR file
All Java JAR files utilize the standard ZIP file format. This means they can be easily modified by common tools like WinRAR, WinZip, 7-Zip, and others. Using a tool of choice, locate and delete this file inside log4j-core-2.13.3.jar: /org/apache/logging/log4j/core/lookup/JndiLookup.class.
Save the file and replace the old JAR file(s) with this version, keeping the filename the same.
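The locate-and-strip procedure above can also be scripted for installations with many copies of the jar. The following is an added example (not OpenText's code) that walks an install tree for log4j-core-*.jar files, renames each one that still contains JndiLookup.class to a .bak copy, and rewrites the archive without that entry under the original filename; the demo tree mirrors the <OTS_HOME>/install/<version>/lib/common layout from this article, and the jar inside it is a constructed stand-in, not the real log4j library.

```python
import os
import tempfile
import zipfile

# Entry the advisory says to delete from log4j-core-2.13.3.jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(root):
    """Walk an install tree and return every log4j-core-*.jar under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if f.startswith("log4j-core-") and f.endswith(".jar")]
    return sorted(hits)

def has_jndi_lookup(jar_path):
    """True if the jar still carries the exploitable JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; False if it was absent.
    zipfile cannot delete an entry in place, so the original is renamed to
    .bak and every other entry is copied into a fresh archive written under
    the original filename, which the advisory says must stay the same."""
    if not has_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    os.replace(jar_path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return True

def demo():
    """Constructed OTS-like tree with a stand-in jar (not the real log4j)."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "install", "21.4", "lib", "common")
    os.makedirs(lib)
    jar = os.path.join(lib, "log4j-core-2.13.3.jar")
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe")
    fixed = [p for p in find_log4j_core_jars(root) if strip_jndi_lookup(p)]
    with zipfile.ZipFile(jar) as zf:
        return len(fixed), has_jndi_lookup(jar), sorted(zf.namelist())
```

Run has_jndi_lookup on each located jar after the change to confirm the class is gone before redeploying; for WebSphere deployments the EAR still has to be repackaged as described below.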
OTS WebSphere Users
Users who deploy OTS to WebSphere will need to repackage and redeploy the WAS EAR file that contains the updated log4j-core-2.13.3.jar file. Refer to the Performing Manual Deployments on WebSphere section of the OpenText Output Transformation Server: User Guide for more information.
Option 2: Upgrading to a remediated version of Output Transformation Server
The impacted versions of Output Transformation Server products are 20.4, 21.2, and 21.4. Updated software builds of OTS for these versions that contain log4j 2.17 are now available at MySupport. Users are recommended to download and deploy the patches as soon as possible.
Here are the direct links to the three remediated builds:
version 21.4.06: https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=79487402
version 21.2.22: https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=79486970
version 20.4.29: https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=79487182
Installing the new build
The standard upgrade procedures should be followed for the customer-specific deployment of OTS. For a typical Output Transformation Server installation (including users of Output Transformation for ApplicationXtender) it is recommended to apply the patch for that version onto an existing installation.
More information can be found in the Upgrading to a Newer Version of Output Transformation Server section of the OpenText Output Transformation Server: Installation Guide.
After completing the patch installation procedure by running the CheckForPatches.bat / .sh script and editing the setenv.bat / .sh (Apache Tomcat users) to use the updated patch version, users will still have the log4j-core-2.13.3 libraries from their previous installation on the filesystem.
These jars will no longer be used; however, they can be removed manually as an extra precaution. They can be found at <OTS_HOME>/install/<previous_version>/lib/common/log4j-core-2.13.3.jar.
Note that the OTS patching architecture supports the ability to revert and run a previous patch version. If the log4j-core-2.13.3.jar jars are removed from a previous install version then that version will no longer be usable. This should be acceptable, as users will likely not want to redeploy the vulnerable version.
Other Users
Users of Embedded Output Transformation Engine, Output Transformation for InfoArchive, or Output Transformation for Documentum should download the corresponding software package in the subproducts section of the patch (see above links). Users of these products should replace their existing deployed libraries with the updated ones found in these packages.
Additional Information
No 16.x version is affected by CVE-2021-44228, because the 16.x releases use the older log4j 1.x.
However, 16.x versions are potentially impacted by a separate log4j 1.2.x vulnerability, CVE-2021-4104. Output Transformation Server 16.x does not configure or utilize the JMS Appender feature of log4j 1.2.x and therefore is not vulnerable to the CVE-2021-4104 attack in a default configuration.
It remains technically possible that users of Output Transformation 16.x products could have intentionally modified the default log4j configuration within the product to enable JMS support. In the unlikely event that this has happened, these users are recommended to disable JMS Appender by reverting their changes to the log4j configuration.
In addition, all users of Output Transformation Server 16.x are encouraged to plan an upgrade to 21.4.06+ to ensure they have the most up-to-date software.
CASO Knowledge Base