For CVE-2021-4104 log4j v1.X, TRAX does NOT use JMSAppender in accordance with our documented procedures.
To mitigate this vulnerability, avoid using Apache Chainsaw to view logs. Instead, use an alternative utility, especially if there is a log view available within the product itself. Additionally, remove the Chainsaw classes from the Log4j JAR files.
App/Interface | Name | log4j file name | CVE-2021-44832 | CVE-2021-44228 | CVE-2021-45105 | CVE-2022-23302 | CVE-2022-23305 | Compiled fix available? |
CVE/CVSS Score: | 6.6 | 10.0 | 5.9 | 6.0 | 6.8 | |||
Interface | WebModule-TraxInterface | log4j-1.3alpha-7.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
Interface | TraxGrails | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
Interface | Inventory | log4j-api-2.13.3.jar log4j-to-slf4j.2.13.3.jar | Impacted | Not Impacted | Not Impacted JDBC Appender not configured. | Pending | ||
Interface | Picklist | log4j-api-2.13.3.jar log4j-to-slf4j.2.13.3.jar | Impacted | Not Impacted | Not Impacted JDBC Appender not configured. | Pending | ||
Interface | ACARS Interface | log4j-api-2.12.1.jar log4j-to-slf4j.2.12.1.jar | Impacted | Not Impacted | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | eMRO | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | TraxPrintServer | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | emroPrintServer | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | ePlanning | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | eMobilityServices | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | IOSMCServices | log4j-1.2.12.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | IOSBusinessEAR | log4j-1.2.12.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | IOSDataSyncEAR | log4j-1.2.12.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | IConnectorEAR | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
WebApplication | eZStockWF | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Pending | ||
>>> Applications compiled and available for download with current log4j distro
Interface | ApuAcarsReading, CrewAssignment, InventoryStock | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
Interface | EmployeeSchedule | log4j-core-2.4.1.jar | Download New Compile from Trax. OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4 | Not Impacted | Not Impacted JDBC Appender not configured. | Yes | ||
Interface | TraxQRWMS-ServiceMaven | log4j-core-2.7.jar | Download New Compile from Trax. OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4 | Not Impacted | Not Impacted JDBC Appender not configured. | Yes | ||
WebApplication | TraxDocServices | log4j-core-2.11.1.jar | Download New Compile from Trax. OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4 | Not Impacted | Not Impacted JDBC Appender not configured. | Yes | ||
WebApplication | CertifyPDF | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | PlanningControl | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | eTechLogbook | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | LineControl | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | ProductionControl | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | ShopControl | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | CustomerPortal | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | eContentCtl (LeaseReturn) | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | VisualCheck | log4j-1.2.16.jar log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 | ||
WebApplication | AeroDox Export | log4j-1.2.17.jar | Not Impacted No JMSAppender or JMSSink configured by Trax. | Not Impacted JMSSink not set by default | Not Impacted JDBC Appender not configured. | Yes Available 01/27/2022 |
App/Interface | Name | log4j file name | CVE-2021-44832 | CVE-2021-44228 | CVE-2021-45105 | CVE-2022-23302 | CVE-2022-23305 | Compiled fix available? |
CVE/CVSS Score: | 6.6 | 10.0 | 5.9 | 6.0 | 6.8 | |||
Application | Trax v10 – v15 | log4j-1.2.X.jar Found in the \ocx and \ocx\TraxApacheFOP_lib folder used by TraxDoc for XML/SGML Imports and Work Pack Print of XML/SGML data (Taskcards/IPC/etc) | Not Impacted No JMSAppender configured by Trax. Latest build of Java v8 JRE with updated log4j library has been certified. Edit first line of log4j.properties file to log4j.rootLogger=OFF to disable log4j use and improve WPP Performance. | Not Deployed via WebService or AppServer | Not Impacted JDBC Appender not configured. | Not required. Update to latest Java v8 JRE and disable log4j in log4j.properties file. | ||
The log4j files in \trax\ocx and other subdirectories are part of the JRE distribution. The JRE is used strictly by TraxDoc for the import of XML/SGML OEM manuals into the Trax database. The other subdirectory, TraxApacheFOP_lib, is the predecessor of AntennaHouse, replaced by a TranCode/Switch that turns on AntennaHouse. If your organization has not imported and is not importing manuals and/or printing work packages that contain imported XML/SGML content, then you can zip up these directories to eliminate log4j entirely. Restricting these directories to only those workstations that perform such imports and printing is another mitigation strategy to limit the presence of this vulnerability on your network.
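One way to check the statements above in your own deployment, as an added example that is not Trax's or Apache's code: it reports which of the log4j 1.x components named in this advisory (JMSAppender, JMSSink, JDBCAppender, Chainsaw) are still packaged in a JAR, and whether a log4j.properties file configures one of the appenders or sets the root logger to OFF. All function names and the sample JAR and properties content are constructed for illustration; appender subclasses with other class names are not detected.

```python
import io
import re
import zipfile

# Class paths inside a log4j 1.x JAR for the components this advisory names.
RISKY_CLASSES = {
    "JMSAppender": "org/apache/log4j/net/JMSAppender.class",    # CVE-2021-4104
    "JMSSink": "org/apache/log4j/net/JMSSink.class",
    "JDBCAppender": "org/apache/log4j/jdbc/JDBCAppender.class",
}
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"
FQCN = {p[:-6].replace("/", "."): n for n, p in RISKY_CLASSES.items()}  # class name -> label
PROP_RE = r"^[ \t]*([^#!=:\s][^=:\s]*)[ \t]*[=:]?[ \t]*(.*)$"  # skips blanks and #/! comments

def audit_jar(jar):
    """Return sorted labels of the risky components packaged in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    found = {label for label, path in RISKY_CLASSES.items() if path in names}
    if any(n.startswith(CHAINSAW_PREFIX) and n.endswith(".class") for n in names):
        found.add("Chainsaw")
    return sorted(found)

def audit_properties(text):
    """Return (risky appenders configured, True if the rootLogger level is OFF)."""
    configured, root_off = set(), False
    for key, value in re.findall(PROP_RE, text, re.M):
        value = value.strip()
        if key == "log4j.rootLogger":
            root_off = value.split(",")[0].strip().upper() == "OFF"
        elif re.fullmatch(r"log4j\.appender\.[^.]+", key) and value in FQCN:
            configured.add(FQCN[value])
    return sorted(configured), root_off

def make_sample_jar(entries):
    """Build a constructed in-memory JAR of empty placeholder entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return io.BytesIO(buf.getvalue())

SAMPLE_PROPS = ("log4j.rootLogger=OFF\n"  # constructed sample, not from a Trax deployment
                "log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender\n"
                "#log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")

if __name__ == "__main__":
    jar = make_sample_jar(["org/apache/log4j/chainsaw/Main.class"])
    print(audit_jar(jar), audit_properties(SAMPLE_PROPS))
```

`audit_jar` also accepts a filesystem path, so it can be pointed at each log4j 1.x JAR listed in the tables.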
App/Interface | Name | log4j file name | CVE-2021-44832 | CVE-2021-44228 | CVE-2021-45105 |
3rd Party App Server | Wildfly 16.0.0.0 | log4j-jboss-logmanager-1.1.6.Final.jar | |||
3rd Party App Server | Wildfly 23.0.2+ None in Prod on TRAXCloud | log4j-core-2.14.0.jar | Manual Upgrade required: Java 8 log4j v2.17.1 | ||
3rd Party App Server | JasperReports Server 7.5.x, 7.8.x, 7.9.x, 8.0.0 | log4j-1.2.12.jar log4j-core-2.13.3.jar | |||
3rd Party Application | Jaspersoft Studio Pro 7.3.x, 7.5.x, 7.8.x, 7.9.x, 8.0.0 | log4j-core-2.8.2.jar log4j-core-2.14.0.jar |