Interfaces running log4j 1.x use the RollingFileAppender by default. If your organization changed the appender to one listed in the CVEs, reverting to the default mitigates the vulnerability.

For CVE-2021-4104 (log4j v1.x), TRAX does NOT use JMSAppender, in accordance with our documented procedures.

To mitigate this vulnerability, avoid using Apache Chainsaw to view logs. Instead, use an alternative utility, especially if there is a log view available within the product itself. Additionally, remove the Chainsaw classes from the Log4j JAR files.
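The check below is an added example, not Trax's or Apache's code: it audits a log4j 1.x log4j.properties file for the appender classes behind the CVEs named on this page and lists JMSSink and Chainsaw classes still present in a JAR. The function names, the sample properties and the in-memory JAR are constructed for illustration, and the parser handles only key=value lines.

```python
import io
import zipfile

# log4j 1.x appender classes named by the CVEs listed on this page.
RISKY_APPENDERS = {"org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
                   "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305"}
RISKY_JAR_PREFIXES = ("org/apache/log4j/net/JMSSink",  # CVE-2022-23302
                      "org/apache/log4j/chainsaw/")    # Chainsaw log viewer
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory",
               "log4j.logger.", "log4j.category.")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.partition("=") for ln in lines if ln and ln[0] not in "#!")
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit_config(text):
    """Return (appender, class, cve, named_on_a_logger_line) per risky appender."""
    props = parse_properties(text)
    referenced = set()
    for key, value in props.items():
        if key.startswith(LOGGER_KEYS):
            referenced.update(n.strip() for n in value.split(",")[1:])
    names = {k[len("log4j.appender."):]: v for k, v in props.items()
             if k.startswith("log4j.appender.") and v in RISKY_APPENDERS}
    return [(n, c, RISKY_APPENDERS[c], n in referenced) for n, c in names.items()]

def scan_jar(jar):
    """List JMSSink/Chainsaw entries in a JAR given as a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist() if n.startswith(RISKY_JAR_PREFIXES)]

# Constructed sample inputs (not taken from any Trax deployment).
SAMPLE_PROPS = """\
log4j.rootLogger=INFO, FILE, JMS
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Logger", "net/JMSSink", "chainsaw/Main"):
            zf.writestr(f"org/apache/log4j/{name}.class", b"")
    return buf

if __name__ == "__main__":
    print(audit_config(SAMPLE_PROPS), scan_jar(sample_jar()), sep="\n")
```

An empty result from both functions matches the "Not Impacted" conditions the tables below give for log4j 1.x: no JMSAppender or JDBC Appender configured, and no JMSSink or Chainsaw classes left in the JAR.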

>>> Applications pending to be compiled with the latest log4j distro

App/Interface | Name | log4j file name | CVE-2021-44832 (CVSS 6.6) | CVE-2021-44228 (CVSS 10.0) | CVE-2021-45105 (CVSS 5.9) | CVE-2022-23302 (CVSS 6.0) | CVE-2022-23305 (CVSS 6.8) | Compiled fix available?

Interface

WebModule-TraxInterface

log4j-1.3alpha-7.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending


Interface

TraxGrails

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending


Interface

Inventory

log4j-api-2.13.3.jar

log4j-to-slf4j.2.13.3.jar

Impacted

Impacted

Not Impacted

Not Impacted

Not Impacted JDBC Appender not configured.

Pending

Interface

Picklist

log4j-api-2.13.3.jar

log4j-to-slf4j.2.13.3.jar

Impacted

Impacted

Not Impacted

Not Impacted

Not Impacted JDBC Appender not configured.

Pending

Interface

ACARS Interface

log4j-api-2.12.1.jar

log4j-to-slf4j.2.12.1.jar

Impacted

Impacted

Impacted

Not Impacted

Not Impacted JDBC Appender not configured.

Pending

WebApplication

eMRO

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

TraxPrintServer

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

emroPrintServer

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

ePlanning

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

eMobilityServices

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

IOSMCServices

log4j-1.2.12.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

IOSBusinessEAR

log4j-1.2.12.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

IOSDataSyncEAR

log4j-1.2.12.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

IConnectorEAR

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending

WebApplication

eZStockWF

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Pending


>>> Applications compiled and available for download with current log4j distro

Interface

ApuAcarsReading | CrewAssignment | InventoryStock

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Compiled fix available?

Yes Available  01/27/2022


Interface

EmployeeSchedule

log4j-core-2.4.1.jar

Download New Compile from Trax.

OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4

Not Impacted

Not Impacted JDBC Appender not configured.

Yes


Interface

TraxQRWMS-ServiceMaven

log4j-core-2.7.jar

Download New Compile from Trax.

OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4

Not Impacted

Not Impacted JDBC Appender not configured.

Yes


WebApplication

TraxDocServices

log4j-core-2.11.1.jar

Download New Compile from Trax.

OR Manual upgrade recommended. For Java 8 apply log4j v2.17.1. For Java 7 apply log4j v2.12.4

Not Impacted

Not Impacted JDBC Appender not configured.

Yes

WebApplication

CertifyPDF

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

PlanningControl

log4j-1.2.16.jar 

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

eTechLogbook

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

LineControl

log4j-1.2.16.jar

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022


WebApplication

ProductionControl

log4j-1.2.16.jar

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

ShopControl

log4j-1.2.16.jar

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

CustomerPortal

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

eContentCtl

(LeaseReturn)

log4j-1.2.16.jar

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

VisualCheck

log4j-1.2.16.jar

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022

WebApplication

AeroDox Export

log4j-1.2.17.jar

Not Impacted

No JMSAppender or JMSSink configured by Trax.

Not Impacted

JMSSink not set by default

Not Impacted JDBC Appender not configured.

Yes Available  01/27/2022


>>> Applications NOT to be compiled, not affected by any CVEs...

App/Interface | Name | log4j file name | CVE-2021-44832 (CVSS 6.6) | CVE-2021-44228 (CVSS 10.0) | CVE-2021-45105 (CVSS 5.9) | CVE-2022-23302 (CVSS 6.0) | CVE-2022-23305 (CVSS 6.8) | Compiled fix available?

Application

Trax v10 - v15

log4j-1.2.X.jar

Found in the \ocx and \ocx\TraxApacheFOP_lib folder used by TraxDoc for XML/SGML Imports and Work Pack Print of XML/SGML data (Taskcards/IPC/etc)

Not Impacted

No JMSAppender configured by Trax.

The latest build of the Java v8 JRE with an updated log4j library has been certified. Edit the first line of the log4j.properties file to log4j.rootLogger=OFF to disable log4j use and improve WPP performance.

Not Deployed via WebService or AppServer

Not Impacted JDBC Appender not configured.

Not required. Update to latest Java v8 JRE and disable log4j in log4j.properties file.

The log4j files found in \trax\ocx and other subdirectories are part of the JRE distribution. The JRE is used strictly by TraxDoc for the import of XML/SGML OEM manuals into the Trax database. The other subdirectory, TraxApacheFOP_lib, is the predecessor of AntennaHouse and has been replaced by a TranCode/Switch that turns on AntennaHouse. If your organization has not imported and is not importing manuals, and is not printing work packages that contain imported XML/SGML content, you can zip up these directories to eliminate log4j entirely. Restricting these directories to only those workstations that perform such imports and printing is another mitigation strategy to limit the presence of this vulnerability on your network.


>>> Third Party software that may require log4j mitigation

App/Interface

Name

log4j file name

CVE-2021-44832

CVE-2021-44228

CVE-2021-45105

3rd Party App Server

Wildfly 16.0.0.0

log4j-jboss-logmanager-1.1.6.Final.jar

Affected. Follow vendor Instructions

3rd Party App Server

Wildfly 23.0.2+
None in Prod on TRAXCloud

log4j-core-2.14.0.jar

Manual Upgrade required: Java 8 log4j v2.17.1; Java 7 log4j v2.12.4

3rd Party App Server

JasperReports Server 7.5.x, 7.8.x, 7.9.x, 8.0.0

log4j-1.2.12.jar

log4j-core-2.13.3.jar

Affected. Follow vendor Instructions

3rd Party Application

Jaspersoft Studio Pro 7.3.x, 7.5.x, 7.8.x, 7.9.x, 8.0.0

log4j-core-2.8.2.jar

log4j-core-2.14.0.jar

Affected. Follow vendor Instructions
