URGENT BULLETIN - IFS Advisory:  IFS Products, Services and Log4j - ​CVE-2021-44228

  • 13 December 2021
  • 74 replies
  • 19512 views


Userlevel 5
Badge +15

What about the IFS9 version and customers without extended support?

As is stated in the KBA, IFS Apps 9 customers are not impacted by this.

We have got the following question from a customer:

...at present, our IT is looking into the possible impact of the log4j vulnerability on IFS.

We have discovered that IFS uses log4j in its code.

How to confirm that the library is not used by the IFS9 version?

Best Regards

Userlevel 4
Badge +9

Hi Phil,

Can some extra information be shared on the correction?
Are we talking about a dedicated IFS delivery, or will it be an Oracle mitigation patch?

Secondly, if it will be an IFS delivery, will this have an impact on clustered setups? E.g. will there be a need to break and rebuild the clusters?

Userlevel 7
Badge +17

What about the IFS9 version and customers without extended support?

As is stated in the KBA, IFS Apps 9 customers are not impacted by this.

We have got the following question from a customer:

...at present, our IT is looking into the possible impact of the log4j vulnerability on IFS.

We have discovered that IFS uses log4j in its code.

How to confirm that the library is not used by the IFS9 version?

Best Regards

Hi, R&D have done the research here and Apps 9 uses the 1.x version, which is not vulnerable. Please refer to the KBA, which shows this.

Userlevel 2
Badge +3

Hi, is it planned to come out with information regarding IFS 10 today? In the KBA, I see you're going to have a release ready today.

Userlevel 7
Badge +17

Update (17th December 2021 14:00 UTC)

Userlevel 7
Badge +17

Update (17th December 2021 14:30 UTC)

Userlevel 7
Badge +17

Update (17th December 2021 17:15 UTC)

Userlevel 7
Badge +17

Update (19th December 2021 13:30 UTC)

Userlevel 1
Badge +2

Thanks for this post,

A few of the customers have raised this issue of late and we have applied the intermediate mitigation steps already. Noticed that there are several other issues being identified on log4j, namely CVE-2021-45046 and CVE-2021-45105. Are there any updates on these?

Userlevel 3
Badge +6

Hi @Phil Lamerton

Could you kindly inform us what time today we can expect IFS Cloud 21R1 SU9 (Remote Installation)? Our production system's public access has been cut down for a few days due to this vulnerability.

Kr

Amila

Userlevel 1
Badge +4

I see that in the Bug there is Log4j version 2.16.0. The newest version is 2.17.0. Version 2.16.0 is still problematic.

https://logging.apache.org/log4j/2.x/security.html

Is there a Solution in LCS for 2.17.0?

Userlevel 1
Badge +3

@Phil Lamerton

Even before applying the patch, JndiLookup.class can only be found in the directory structure under IFS_HOME\mw_home\mws\.patch_storage

Does it mean the patch is not needed?

Are only files directly in the 5 mentioned places* excluded (since two directories under IFS_HOME\mw_home\mws\ are further specified), or how should we interpret what to exclude after the search?

*IFS_HOME\mw_home\mws\
IFS_HOME\mw_home\mws\oracle_common\modules\thirdparty
IFS_HOME\mw_home\mws\.patch_storage
IFS_HOME\wls_domain\\servers\AdminServer\upload
Old cluster.zip file

Kind regards, Bjørn

Userlevel 7
Badge +17

Update (20th December 2021 12:30 UTC)

Userlevel 7
Badge +17

Hi @Phil Lamerton

Could you kindly inform us what time today we can expect IFS Cloud 21R1 SU9 (Remote Installation)? Our production system's public access has been cut down for a few days due to this vulnerability.

Kr

Amila

It is available now.

Userlevel 3
Badge +6

Hi @Phil Lamerton

Could you kindly inform us what time today we can expect IFS Cloud 21R1 SU9 (Remote Installation)? Our production system's public access has been cut down for a few days due to this vulnerability.

Kr

Amila

It is available now.

Thanks @Phil Lamerton, appreciated.

Userlevel 7
Badge +17

Thanks for this post,

A few of the customers have raised this issue of late and we have applied the intermediate mitigation steps already. Noticed that there are several other issues being identified on log4j, namely CVE-2021-45046 and CVE-2021-45105. Are there any updates on these?

IFS will handle these additional vulnerabilities through our normal processes - CVE-2021-44228 was special owing to its maximum score rating.
CVE-2021-45046 (low severity – 3.7), CVE-2021-45105 (not yet scored).

Userlevel 7
Badge +17

I see that in the Bug there is Log4j version 2.16.0. The newest version is 2.17.0. Version 2.16.0 is still problematic.

https://logging.apache.org/log4j/2.x/security.html

Is there a Solution in LCS for 2.17.0?

Additional vulnerabilities will be handled through the normal process or escalated if their severity is critical.

Userlevel 1
Badge +2

@Phil Lamerton

Even before applying the patch, JndiLookup.class can only be found in the directory structure under IFS_HOME\mw_home\mws\.patch_storage

Does it mean the patch is not needed?

Are only files directly in the 5 mentioned places* excluded (since two directories under IFS_HOME\mw_home\mws\ are further specified), or how should we interpret what to exclude after the search?

*IFS_HOME\mw_home\mws\
IFS_HOME\mw_home\mws\oracle_common\modules\thirdparty
IFS_HOME\mw_home\mws\.patch_storage
IFS_HOME\wls_domain\\servers\AdminServer\upload
Old cluster.zip file

Kind regards, Bjørn

Hi Bjørn,

In my case I found the files only under the following locations.

They were removed once the IFS Solution was applied.

Userlevel 1
Badge +3

Hi Bjørn,

In my case I found the files only under the following locations.

They were removed once the IFS Solution was applied.

Thanks for your reply, Artha. I did a search on one of our servers; not even a directory "lookup" is present.

@Phil Lamerton; is there any need for us to install the patch when JndiLookup.class isn't present? If you can't answer the question, should I rather create a case to support?

Userlevel 7
Badge +17

Update (21st December 2021 13:30 UTC)

Userlevel 7
Badge +17

Hi Bjørn,

In my case I found the files only under the following locations.

They were removed once the IFS Solution was applied.

Thanks for your reply, Artha. I did a search on one of our servers; not even a directory "lookup" is present.

@Phil Lamerton; is there any need for us to install the patch when JndiLookup.class isn't present? If you can't answer the question, should I rather create a case to support?

The folder structure has been stated as being safe (unused library). The class file needs to be loaded at runtime to be a vulnerability.
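Bjørn's search for JndiLookup.class and Phil's point that the class has to be loaded at runtime both turn on a file-system presence check. The following Python script is an added example, not IFS's tooling and not part of the KBA: it inventories a directory tree for Log4j artefacts, opens every jar/war/ear/zip, recurses into archives nested inside archives (such as a jar packed in an old cluster.zip), reads the log4j-core version from the Maven pom.properties entry, flags whether JndiLookup.class is still present, and recognises Log4j 1.x jars separately. The directory layout, jar names and version numbers in build_sample_tree() are constructed fixtures; the version thresholds (2.15.0, 2.16.0, 2.17.0) are the main-line fix versions for the three CVEs named in this thread, with the 2.12.x and 2.3.x backport branches not modelled.

```python
"""Inventory Log4j artefacts under a directory tree (constructed example, not IFS tooling).
Opens every .jar/.war/.ear/.zip, recursing into nested archives, and reports per hit the
log4j-core version, whether JndiLookup.class is present and whether the jar is Log4j 1.x.
Presence on disk is an inventory signal only: code must be on the runtime classpath to matter."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J_1X_MARKER = "org/apache/log4j/Logger.class"  # present in every Log4j 1.x jar
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str               # path relative to the scan root; nested archives joined with " -> "
    version: Optional[str]  # log4j-core 2.x version from pom.properties, if any
    has_jndi_lookup: bool   # JndiLookup.class still present (CVE-2021-44228 class removal not done)
    log4j1: bool            # a Log4j 1.x jar (CVE-2021-4104 territory, not CVE-2021-44228)
    advisories: List[str] = field(default_factory=list)


def advisories_for(version: Optional[str]) -> List[str]:
    """Version-based view for the 2.x main line (fixed in 2.15.0 / 2.16.0 / 2.17.0).
    The 2.12.x and 2.3.x backport branches are not modelled, so they over-report."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m or m.group(1) != "2":
        return []
    v = (2, int(m.group(2)), int(m.group(3) or 0))
    fixes = [("CVE-2021-44228", (2, 15, 0)), ("CVE-2021-45046", (2, 16, 0)),
             ("CVE-2021-45105", (2, 17, 0))]
    return [cve for cve, fixed_in in fixes if v < fixed_in]


def inspect_archive(zf: zipfile.ZipFile, label: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS_2X in names:
        for line in zf.read(POM_PROPS_2X).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi, is_1x = JNDI_LOOKUP in names, LOG4J_1X_MARKER in names
    if version or has_jndi or is_1x:
        findings.append(Finding(label, version, has_jndi, is_1x, advisories_for(version)))
    for name in sorted(names):  # archives packed inside this archive (war/ear/cluster.zip)
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label} -> {name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if fn == "JndiLookup.class":  # loose class file extracted on disk
                findings.append(Finding(rel, None, True, False))
            elif fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, rel, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture (not a real IFS installation): a pre-patch log4j-core jar, the same
    jar with JndiLookup.class deleted, a Log4j 1.x jar, a cluster.zip nesting the pre-patch
    jar, and a loose class file left behind in a patch-storage folder."""
    def write_jar(rel, entries):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return path
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only, no real bytecode
    vuln = write_jar("lib/log4j-core-2.14.1.jar", {JNDI_LOOKUP: magic, POM_PROPS_2X: "version=2.14.1\n"})
    write_jar("lib/log4j-core-2.14.1-mitigated.jar", {POM_PROPS_2X: "version=2.14.1\n"})
    write_jar("lib/log4j-1.2.17.jar", {LOG4J_1X_MARKER: magic})
    with open(vuln, "rb") as fh:
        write_jar("upload/cluster.zip", {"lib/log4j-core-2.14.1.jar": fh.read()})
    loose = os.path.join(root, "mws", ".patch_storage", "JndiLookup.class")
    os.makedirs(os.path.dirname(loose), exist_ok=True)
    with open(loose, "wb") as fh:
        fh.write(magic)


def demo() -> List[Finding]:
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f.path, f.version, f.has_jndi_lookup, f.log4j1, ",".join(f.advisories) or "-")
```

Against a real installation, call scan_tree() on IFS_HOME and reconcile each hit with what the running JVM actually loads: a hit in a patch-storage backup or an old cluster.zip is an inventory item to clean up, not by itself an exposure, which is the distinction Phil draws above. The version column and the has_jndi_lookup flag are reported separately on purpose, because removing the class addresses CVE-2021-44228 but leaves the version-based advisories standing. Shaded or relocated copies of log4j-core will not be matched by these exact entry names.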

Userlevel 7
Badge +17

Update (22nd December 2021 8:30 UTC)

Badge +2

Hi

We have been told that CVE-2021-44228 does not affect our APPS7 products.

However, can you please confirm that APPS7 is not affected by any of the following Log4j vulnerabilities (v1.x and v2.x):

• CVE-2021-45046
• CVE-2021-4104
• CVE-2021-45105

Thanks, Lyndesay

Userlevel 7
Badge +17

Hi

We have been told that CVE-2021-44228 does not affect our APPS7 products.

However, can you please confirm that APPS7 is not affected by any of the following Log4j vulnerabilities (v1.x and v2.x):

• CVE-2021-45046
• CVE-2021-4104
• CVE-2021-45105

Thanks, Lyndesay

IFS will handle these additional vulnerabilities through our normal processes - CVE-2021-44228 was special owing to its maximum score rating.
CVE-2021-45046 (low severity – 3.7), CVE-2021-45105 (not yet scored).