Overview
You want to know whether Kerio Connect or other GFI products use Apache Log4j2, so that you can assess whether you are affected by the recently identified (December 2021) vulnerability CVE-2021-44228 and, if so, how to mitigate its impact.
Solution
Currently, the instant messaging/chat service of GFI Kerio Connect uses Apache Log4j2 version 2.5.
CVE-2021-44228 is fixed in Kerio Connect version 9.3.1 Patch 2, released on December 20, 2021. Please upgrade to the latest version.
After applying 9.3.1 Patch 2, you need to repair your installation by performing the following steps, which fix the services and other issues described in XMPP Service and Fulltext Errors After Upgrade to 9.3.1 patch 2 (6097):
- Download the Kerio Connect installer package from our portal:
  - Go to http://download.kerio.com/archive/
  - Select Kerio Connect and 9.3.1 Patch 2.
  - Click Show Files.
  - Download the Kerio Connect installer package for your OS (e.g., Windows 64-bit).
- Run the installer file with administrative rights.
- Choose the Repair option.
- Select the option to retain older configurations.
After completing these steps, all Kerio Connect services will run correctly.
Note: We will also release an additional hotfix that provides permanent protection against the log4j vulnerability by upgrading the Apache Log4j2 library to version 2.17. For updates, refer to the Official GFI Release page.
If upgrading to version 9.3.1 Patch 2 is not possible for some reason (though it is highly recommended), you can achieve immediate mitigation by disabling Chat: in the Kerio Connect Webadmin Console, go to Configuration > Domains, double-click your domain, and on the General tab, near the bottom, uncheck "Enable chat in Kerio Connect Client". Note that you need to repeat these steps for every domain on your Kerio Connect server. For more information, refer to the article Enabling Chat in Kerio Connect.
Additionally, you can apply the following mitigation:
- Remove JndiLookup.class from the log4j-core jar (stop Kerio Connect first):
  zip -q -d path_to_connect/javaservices/im/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
JndiLookup.class processes JNDI lookups in logged messages, which is the mechanism the vulnerability exploits; removing it does not affect Kerio Connect's functionality.
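The following script, added here as an example and not part of this article or of Kerio Connect, verifies the mitigation above: it reports whether a log4j-core jar still contains JndiLookup.class and which version it carries, and writes a copy without the class (the same result as the zip -d command). The jar it audits is a constructed stand-in for log4j-core 2.5; the path path_to_connect/javaservices/im/lib is the one named in the command above.

```python
"""Audit the log4j-core jar in Kerio Connect's chat service for JndiLookup.class.
Constructed example: make_sample_jar() fakes log4j-core 2.5 so it runs offline;
on a real host call scan_dir(Path("path_to_connect/javaservices/im/lib"))."""
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def read_version(jar):
    """Version from the jar's Maven pom.properties, or None if absent."""
    props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in jar.namelist() else ""
    return next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                 if ln.startswith("version=")), None)

def audit_jar(path):
    """Does the jar still ship JndiLookup.class, the CVE-2021-44228 vector?"""
    with zipfile.ZipFile(path) as jar:
        return {"jar": path.name, "version": read_version(jar),
                "has_jndi_lookup": JNDI_ENTRY in jar.namelist()}

def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class (what `zip -q -d` does in place)."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_ENTRY:
                removed += 1  # drop the entry instead of copying it
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed

def scan_dir(lib_dir):
    """Audit every log4j-core-*.jar in lib_dir (Kerio keeps it in javaservices/im/lib)."""
    return [audit_jar(p) for p in sorted(lib_dir.glob("log4j-core-*.jar"))]

def make_sample_jar(path):
    """Constructed stand-in for log4j-core-2.5.jar; class bodies are dummy bytes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.5\n")
        jar.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
    return path

def demo():
    work = Path(tempfile.mkdtemp(prefix="log4j-audit-"))
    src = make_sample_jar(work / "log4j-core-2.5.jar")
    dst = work / "log4j-core-2.5.patched.jar"
    return {"before": audit_jar(src), "removed": strip_jndi_lookup(src, dst),
            "after": audit_jar(dst), "scan": [r["jar"] for r in scan_dir(work)]}
```

Run scan_dir() again after the zip -d step (and after the Kerio service restart) to confirm has_jndi_lookup is False for the installed jar.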
Please also note the following information about other GFI products and whether this vulnerability affects them:
- GFI Mail Essentials - not affected (not using log4j)
- GFI Archiver - not affected (not using log4j)
- GFI FaxMaker - not affected (not using log4j)
- GFI LanGuard - not affected (not using log4j)
- GFI Helpdesk - not affected (not using log4j)
- GFI Kerio Control - not affected (not using log4j)