Is PaperCut affected by Apache Log4j vulnerability? (FAQs)

PaperCut NG and MF have a dependency on the open source logging module log4j2.

A vulnerability has recently been discovered in log4j2 that may allow arbitrary code embedded in logged strings to be executed. See here for details: https://www.lunasec.io/docs/blog/log4j-zero-day/. This vulnerability is sometimes called Log4Shell or LogJam, and is tracked as CVE-2021-44228.

Please note that only versions 21.0 and later are impacted. Versions 20 and earlier are NOT impacted by this.

We will be releasing a Maintenance Release with the patched log4j2 libraries soon, but in the meantime we recommend that customers using 21.0 or later with internet facing PaperCut servers, or customers using 21.0 or later who may be concerned about potential internal attempts to exploit the vulnerability, follow these steps to work around the potential vulnerability.

Please note that these steps should be applied on Application Server (Primary Server) installations and on any Site Server installations. They do not apply to Secondary Server installations.

Windows:

1. Stop the PaperCut application server.

2. Navigate to the /server/bin/win folder.

3. Open the service.conf file in that folder for editing (you will need to open it as Administrator).

4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X

5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true

6. Save the file.

7. Restart the app server.

macOS:

1. Stop the application server.

2. Navigate to the /server/custom folder.

3. Open the launch-app-server.conf file for editing.

4. Add the following line to the file:

PC_CUSTOM_SERVER_ARG=-Dlog4j2.formatMsgNoLookups=true

5. Save the file.

6. Restart the application server.

Linux:

1. Stop the PaperCut application server.

2. Navigate to the /server/bin/linux-x64 folder (or the linux-i686 or linux-common folder, depending on distro).

3. Open the app-monitor.conf file in that folder for editing.

4. Find the line that looks like this: wrapper.java.additional.21=-Dpc-reserved=X

5. Replace it with this: wrapper.java.additional.21=-Dlog4j2.formatMsgNoLookups=true

6. Save the file.

7. Restart the app server.
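To confirm that the edit took effect before restarting, the following added example (not PaperCut's own tooling) checks a config file for the workaround flag on an active line. It covers the wrapper-style files (service.conf, app-monitor.conf) and the macOS launch-app-server.conf. The function name is hypothetical, the file path is supplied by the caller, and treating lines that start with # as comments is an assumption.

```shell
#!/bin/sh
# Added example: verify the log4j2 workaround flag in a PaperCut config file.
# No install root is assumed; pass the full path to the file you edited.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# check_workaround FILE  (hypothetical helper name)
# Returns 0 if an active line sets the flag exactly as in the steps above,
#         1 if the flag is missing, commented out, or not set to true,
#         2 if the file cannot be read.
check_workaround() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 2; }

    # Strip CRs (files edited on Windows) and drop comment lines.
    # Assumption: a line starting with '#' is a comment in these files.
    active=$(tr -d '\r' < "$conf" | grep -v '^[[:space:]]*#' || true)

    # Windows service.conf / Linux app-monitor.conf: slot 21.
    if printf '%s\n' "$active" | grep -Eq \
        '^[[:space:]]*wrapper\.java\.additional\.21=-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$'; then
        return 0
    fi

    # macOS launch-app-server.conf.
    if printf '%s\n' "$active" | grep -Eq \
        '^[[:space:]]*PC_CUSTOM_SERVER_ARG=-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$'; then
        return 0
    fi

    # Explain the failure: untouched placeholder versus flag simply absent.
    if printf '%s\n' "$active" | grep -q 'wrapper\.java\.additional\.21=-Dpc-reserved='; then
        echo "$conf: slot 21 still holds the -Dpc-reserved placeholder" >&2
    else
        echo "$conf: $FLAG not found on an active line" >&2
    fi
    return 1
}

# Stand-alone use: sh check.sh /path/to/app-monitor.conf
if [ "$#" -gt 0 ]; then
    check_workaround "$1" && echo "$1: workaround flag is set"
fi
```

A passing check only shows that the flag is configured in the file; the server must still be restarted for the JVM to pick it up.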

 

Link to PaperCut knowledge base article describing more details about how PaperCut is affected.


EDIT - As of Wednesday 15th of December PaperCut has released 21.2.3 with an update to Apache Log4J (2.16) which addresses CVE-2021-44228 and CVE-2021-45046.