Log4j vulnerability
On December 9, 2021, a Remote Code Execution (RCE) vulnerability, identified as CVE-2021-44228, was discovered in the Java logging library Log4j. The vulnerability is triggered when a Java-based application logs a specially crafted exploit string, which can cause the application to load and execute a remote payload. This leaves any server hosting an unpatched Java application vulnerable to exploitation.
On December 10, 2021, Axon identified that a service dependency used by Axon Interview for streaming services (Wowza) included a vulnerable version of the Log4j library. This applies to all Axon Interview versions between 4.5.2 and 4.7.9.2. (Note: The affected version range was updated—v4.3.0 is not affected.) Axon worked with Wowza to create a batch file that updates the affected Wowza components to mitigate the vulnerability.
Axon recommends downloading the updatelog4j.bat-v1.3 batch file using the link provided below, and running the file through PowerShell (in admin mode), as shown in the image below. This update should be applied to all servers running Axon Interview versions between 4.5.2 and 4.7.9.2. The batch file will perform prerequisite checks and replace any vulnerable Log4j files as needed. At this time, Axon does not anticipate recommending additional actions.
Important: If you downloaded the batch file before January 12, 2022, you must download and apply the updated updatelog4j.bat-v1.3 version.
Note: You will not be able to use Axon Interview during the update process. All in-progress sessions will be stopped. Ensure there are no ongoing sessions before running the batch file. The batch file will stop the Axon Interview service during the update and restart it once complete.
As an alternative, you may also run the batch file with administrator permissions on all servers.
Download: updatelog4j.bat-v1.3 batch file (link to be inserted)
For additional information, see the Axon Security Advisory: Axon Interview – Wowza Components – AXON-2101.
To verify that the patch was successfully applied, navigate to:
Program Files (x86) > Wowza Media Systems > Wowza Streaming Engine > lib
Check for the presence of the following files:
- log4j-api-2.17.1.jar
- log4j-core-2.17.1.jar
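When several servers need verifying, the same check can be scripted. The following PowerShell is an added example, not part of Axon's or Wowza's tooling; the function name, the default install path and the report of other Log4j jar versions left in the directory are assumptions that go beyond the two-file check described above.

```powershell
# Added example: checks the Wowza lib directory for the patched Log4j jars.
# The default path follows the folders named on this page (assumption: a
# default install location); pass -LibPath if your installation differs.
function Test-WowzaLog4jPatch {
    [CmdletBinding()]
    param(
        [string]$LibPath = (Join-Path ${env:ProgramFiles(x86)} 'Wowza Media Systems\Wowza Streaming Engine\lib')
    )

    # File names the advisory says must be present after the update.
    $expected = @('log4j-api-2.17.1.jar', 'log4j-core-2.17.1.jar')

    if (-not (Test-Path -LiteralPath $LibPath -PathType Container)) {
        throw "Lib directory not found: $LibPath"
    }

    # Every log4j-api / log4j-core jar currently in the directory.
    $found = @(Get-ChildItem -LiteralPath $LibPath -File |
        Where-Object { $_.Name -match '^log4j-(api|core)-.+\.jar$' })

    # Expected jars that are absent.
    $missing = @($expected | Where-Object { $_ -notin $found.Name })

    # Jars of any other version still present (extra check, not in the advisory).
    $leftover = @($found | Where-Object { $_.Name -notin $expected })

    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        LibPath  = $LibPath
        Patched  = ($missing.Count -eq 0 -and $leftover.Count -eq 0)
        Missing  = $missing
        Leftover = @($leftover | ForEach-Object { $_.Name })
    }
}

# Run on the local server and show the result.
Test-WowzaLog4jPatch | Format-List
```

A `Patched` value of `False` with entries under `Missing` means the update did not complete; entries under `Leftover` are other Log4j jar versions in the directory that should be reviewed.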
If you have any questions or concerns, contact your Axon representative or Axon Technical Support.
