URGENT BULLETIN - IFS Advisory: IFS Products, Services and Log4j - CVE-2021-44228

  • 13 December 2021
  • 74 replies
  • 19609 views


Assuming the fix is a delivery to us, do we need to have all our other deliveries installed into our PROD environment before we can install this new delivery?  Or are you able to pull that first delivery back in order to deliver this critical fix? 

Userlevel 7
Badge +17

It took some time for me to figure out - the Impact KBA can be accessed by clicking a link in one of the updates at the top of this bulletin.

Thank you IFS for providing these timely updates. 

Thank you! Yes that is the link

Userlevel 3
Badge +8

Along with FSM, is the FSM mobile app (Android) also unaffected?

Userlevel 7
Badge +17

Along with FSM, is the FSM mobile app (Android) also unaffected?

That is correct 

Userlevel 7
Badge +17

Update (15th December 2021 13:05 UTC)

Userlevel 3
Badge +7

@Phil Lamerton

Hi Phil, will that knowledge article be updated soon, when a fix is available for IFS 10 and IFS Cloud (On Premise)?

Thank you for providing these updates.

kr

Amila

Userlevel 7
Badge +17

@Phil Lamerton

Hi Phil, will that knowledge article be updated soon, when a fix is available for IFS 10 and IFS Cloud (On Premise)?

Thank you for providing these updates.

kr

Amila

Hi Amila

The KBA will be updated the minute I have further information. I cannot give you an answer right now, but further updates are being put together.

Thanks

Phil

Userlevel 1
Badge +3

Hi, What is ESM assystIPaaS mitigation? Thanks James

Userlevel 7
Badge +17

Update (15th December 2021 15:30 UTC)

 

Userlevel 7
Badge +17

Update (15th December 2021 16:00 UTC)

Userlevel 7
Badge +17

Update (15th December 2021 19:30 UTC)

Userlevel 4
Badge +9

Something I didn’t see written anywhere yet: will the fix be delivered automatically to the client (via SFTP), or does each client need to reach out to their contact persons / create an LCS request?

Userlevel 7
Badge +17

Something I didn’t see written anywhere yet: will the fix be delivered automatically to the client (via SFTP), or does each client need to reach out to their contact persons / create an LCS request?

Hi Arend,

This is being discussed at the moment. The minute I know more, I will update the KBA.

Thanks

Phil

Userlevel 7
Badge +17

Updated (16th December 2021 9:00 UTC)

Userlevel 7
Badge +17

Update (16th December 2021 13:00 UTC)

Userlevel 5
Badge +9

So for Apps 10 does that mean we’ll get the patch soon, or do we have to wait until after 3 March to get it?

Userlevel 5
Badge +15

I see that patch for IFS10 is ready: 161936

Userlevel 7
Badge +17

So for Apps 10 does that mean we’ll get the patch soon, or do we have to wait until after 3 March to get it?

We are anticipating it will be available on the 17th December but also available in the release in March.

Userlevel 2
Badge +6

Hello, will each company on Apps10 have to request the patch individually when it’s available?  And I’m assuming the same rules apply where you have to install patches in sequence?  I have one I’m testing now.

Mary McCabe

 

Userlevel 3
Badge +7

For Apps10, is this valid for all updates?

We are using update 11, and I did a search on our app server where I found ‘log4j-1.2.17.jar’, which is a newer version than listed above as a potential issue.

Or is the patch needed for all updates in Apps10?

Userlevel 7
Badge +17

I see that patch for IFS10 is ready: 161936

IFS Apps 10 is mitigated in cloud, but as per the KBA, patching for on premise customers is due for release tomorrow

Userlevel 7
Badge +17

Hello, will each company on Apps10 have to request the patch individually when it’s available?  And I’m assuming the same rules apply where you have to install patches in sequence?  I have one I’m testing now.

Mary McCabe

 

Distribution process is being developed and tested and will be documented as part of its release

Userlevel 7
Badge +17

For Apps10, is this valid for all updates?

We are using update 11, and I did a search on our app server where I found ‘log4j-1.2.17.jar’, which is a newer version than listed above as a potential issue.

Or is the patch needed for all updates in Apps10?

The version referenced is a 1.x version.  The mitigation/solution is based upon 2.16.0 which is later.  It will be applicable for all IFS Apps10 updates

Userlevel 5
Badge +15

What about IFS9 version and customers without extended support?

Userlevel 7
Badge +17

What about IFS9 version and customers without extended support?

As is in the KBA, IFS Apps 9 customers are not impacted by this.