Initial publication date: 14 Dec 2021; Revised: 07 Jan 2022
7 January 2022 update
We are happy to announce that all affected Typefi workflow plugins have been updated to Log4j 2.17.0 to address several recently disclosed security vulnerabilities (Log4j Vulnerable To Remote Code Execution: CVE-2021-44228; Log4j Vulnerable to Denial of Service Attack: CVE-2021-45046; and Log4j2 does not always protect from infinite recursion in lookup evaluation: CVE-2021-45105).
Updated plugins are now available for download for Typefi Workgroup and Typefi Desktop customers and will be deployed for Typefi Cloud servers momentarily.
- server-plugin-ant v9.0.101 (ANT processor)
- server-plugin-daisy v4.0.130 (DAISY exporter)
- server-plugin-docx v19.0.605 (Microsoft Word processor)
- server-plugin-epub v10.0.139 (EPUB exporter)
- server-plugin-html v4.0.67 (HTML exporter)
- server-plugin-id v35.0.903 (Adobe InDesign/InDesign Server)
- server-plugin-xsl v19.0.252 (Saxon XSL processor)
14 December 2021
Typefi is aware of the recently disclosed security advisories concerning the open-source Apache Log4j utility (Log4j Vulnerable To Remote Code Execution: CVE-2021-44228; Log4j Vulnerable to Denial of Service Attack: CVE-2021-45046; and Log4j2 does not always protect from infinite recursion in lookup evaluation: CVE-2021-45105). The Typefi engineering teams continue to investigate how these vulnerabilities may affect our customers. Our preliminary findings indicate that Typefi Cloud, Typefi Workgroup, and Typefi Desktop are not directly affected by these vulnerabilities. While several common Typefi workflow plug-ins include a vulnerable Log4j component, they can only be exploited by a trusted party (post-authentication). For that reason, Typefi rates the severity level as medium.
Are Typefi Cloud servers affected?
Unlikely. Typefi Cloud (including Standards Cloud) does NOT include Log4j in its managed runtime of Tomcat. While several common Typefi workflow plug-ins (see below) DO include a vulnerable Log4j component, successful exploitation of the vulnerable Log4j component requires prior authentication. For that reason, Typefi rates the severity level as medium.
Are my on-premises Workgroup or Desktop servers affected?
Unlikely. Typefi Workgroup and Typefi Desktop do NOT include Log4j in their managed runtimes of Tomcat. While several common Typefi workflow plug-ins (see below) DO include a vulnerable Log4j component, successful exploitation requires both prior authorization and that the attacker reside on, or have internal access to, the same local network as the targeted system. For that reason, Typefi rates the severity level as medium.
Are other Typefi applications or services affected?
No. Typefi Blinkenlights (load balancing and queuing for InDesign Server) is NOT affected as it is built on Node.js and does NOT use Log4j. Typefi Writer, Typefi Designer, Typefi AutoFit, and Typefitter are similarly NOT affected as they are not Java applications. Other applications, including our licensing server along with various other internal tools and services, which may be built on Java, have been reviewed and do NOT include Log4j.
Which Typefi workflow plug-ins are affected?
While exploitation of the vulnerable Log4j component requires prior authentication, Typefi is expediting patching efforts of the affected workflow plug-ins to incorporate updated versions of Log4j to eliminate any final concerns. Known Typefi workflow plug-ins that include vulnerable versions of Log4j are:
- Log4j 1.2.13
  - server-plugin-ant (ANT processor), released 19 Oct 2020
- Log4j 2.2
  - server-plugin-daisy (DAISY exporter), released 8 Jun 2021
  - server-plugin-dita (DITA processor), released 1 Apr 2016
  - server-plugin-docbook (Docbook processor), released 1 Apr 2016
  - server-plugin-docx (Microsoft Word processor), released 1 Jul 2021
  - server-plugin-epub (EPUB exporter), released 19 Feb 2019
  - server-plugin-html (HTML exporter), released 15 May 2017
  - server-plugin-id (Adobe InDesign/InDesign Server), released 16 Sep 2021
  - server-plugin-xsl (Saxon XSL processor), released 22 Feb 2021
Note: While unreleased versions of both server-plugin-dita and server-plugin-docbook included vulnerable versions of Log4j, the released versions of these two workflow plugins did not.
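Customers who want to confirm which Log4j release their installed plug-ins bundle can scan the plug-in directory for Log4j jars and flag anything older than 2.17.0, the release the updated plug-ins ship with. The following scanner is an added example, not Typefi's own tooling; it assumes the plug-ins are unpacked as ordinary jar files under a directory you point it at (the exact path on your server is an assumption), and it builds a small set of constructed sample jars so it can be run offline.

```python
import re, tempfile, zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 0)  # Log4j release the updated plugins ship with (from the advisory)
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    m = _VER_RE.search(text or "")  # '2.2' -> (2, 2, 0); '1.2.13' -> (1, 2, 13)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def log4j_version_of(jar_path):
    """Version of the Log4j 1.x/2.x classes in a jar (manifest Implementation-Version, else file name), or None."""
    if not zipfile.is_zipfile(jar_path):
        return None  # not a jar at all; skip it
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        if not any(n.startswith(("org/apache/log4j/", "org/apache/logging/log4j/")) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    return version or parse_version(Path(jar_path).name)

def find_outdated_log4j(root):
    """Return {jar_path: version} for every Log4j jar under root older than FIXED_VERSION."""
    outdated = {}
    for jar in Path(root).rglob("*.jar"):
        ver = log4j_version_of(jar)
        if ver is not None and ver < FIXED_VERSION:
            outdated[str(jar)] = ver
    return outdated

def build_sample_plugin_dir():
    """Constructed sample input (not real Typefi plugins): minimal jars mimicking the advisory's cases."""
    root = tempfile.mkdtemp()
    samples = {  # relative path -> (manifest version or None, one identifying class entry)
        "ant/log4j-1.2.13.jar": ("1.2.13", "org/apache/log4j/Logger.class"),
        "docx/log4j-core-2.2.jar": (None, "org/apache/logging/log4j/core/lookup/JndiLookup.class"),
        "xsl/log4j-core-2.17.0.jar": ("2.17.0", "org/apache/logging/log4j/core/Logger.class"),
        "xsl/saxon.jar": ("10.6", "net/sf/saxon/Transform.class"),
    }
    for rel, (ver, cls) in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root, rel), "w") as zf:
            if ver:
                zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            zf.writestr(cls, b"")
    return root
```

Running `find_outdated_log4j` on the sample directory reports the 1.2.13 and 2.2 jars and ignores the 2.17.0 jar and the non-Log4j jar; point it at the real plug-in directory to get the same report for an installed server.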
What is Typefi doing to address this?
In our investigations so far, we have not found any evidence that any of our products or solutions are directly impacted by or vulnerable to CVE-2021-44228, CVE-2021-45046, or CVE-2021-45105. However, as noted above, we are expediting patching efforts of the affected Typefi workflow plug-ins to incorporate an updated version of Log4j to eliminate any final concern.
What actions should I take?
We recommend following best practices: use strong and unique passwords, secure connections to Typefi Server via a proxy or reverse proxy when Typefi Server is public-facing, and update your Typefi software regularly.