Question

FSM component impacted by Apache Log4j vulnerability CVE-2021-44228

  • 11 December 2021
  • 9 replies
  • 807 views


Are any of the IFS FSM components (mainly the IFS FSM android application) impacted by the log4j vulnerability CVE-2021-44228? 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228


9 replies


Hi @TDCSOURABH,

This is to inform you that IFS R&D Team is assessing whether the vulnerability is affecting IFS Application/FSM /PSO /EOI and based on that IFS R&D will recommend a corrective action.
We'll keep you updated on this.

Best Regards,
Shani 


Is there an update on this? I need to know if the IFS Application is affected and the recommended corrective action.


FSM does not use Apache as a web server, it is a Windows IIS app. The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP access. So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.

> FSM does not use Apache as a web server, it is a Windows IIS app. The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP access. So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.

We personally use the IFS 9 application, which is Java based. I only responded to this question instead of starting my own because Shani above mentioned that the R&D team is looking into the Application/FSM/PSO/EOI and would provide an update. I was looking for an update on it, specifically for the Application.


The reported vulnerability cites log4j being used with JNDI (Java Naming and Directory Interface) to access LDAP.

I don’t see any references to log4j or JNDI when browsing the FSMa (Mobile Android) code repository in Bitbucket.

Will still follow up with Mobile team to confirm.


Hi, we have customers who are still running the IFS 8 SP1 (Foundation1 SP2) version with an old Log4j; they are checking whether IFS will release a patch regarding this.

https://vulners.com/github/GHSA-JFH8-C2JP-5V3Q

Please update this, thank you!


This question was originally about the FSM product and the FSM Mobile client. I cannot supply any answer about IFS Applications 8 or 9 - that should be its own separate topic.


Please subscribe to this KBA, which will be updated every 24 hours.


Hi @Phil Lamerton ,

Noted that FSM & PSO were not affected by CVE-2021-44228. (Impact of CVE-2021-44228 on IFS Products, Services | IFS Community)

But I want to know whether any Log4j is used by FSM or PSO. If yes, what is the version?


Thanks

Oshan
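The two questions that keep coming up in this thread (does the product ship any Log4j at all, and which version) can be answered by inventorying the deployment rather than by searching source repositories. Below is an added example scanner, not code from IFS or from anyone in this thread, that walks a directory, opens every jar/war/ear (including jars nested inside wars), reads the log4j-core version from its Maven `pom.properties`, and reports whether the `JndiLookup` plugin class behind CVE-2021-44228 is present. The entry paths are the real layout of the Apache log4j-core and log4j 1.x artifacts; the scan root and the sample archives built by `build_sample_tree()` are constructed for the demonstration, and the version-range check treats every 2.x build below 2.15.0 as in the affected range.

```python
"""Inventory Log4j in a deployment tree: report the log4j-core version and
whether the JndiLookup plugin class (the code path behind CVE-2021-44228)
is present.  Added example; not IFS code.  The scan root and the sample
fixture are constructed for the demonstration."""
import io
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Real entry names inside the Apache log4j-core (2.x) and log4j 1.x artifacts.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228


def version_tuple(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); pre-release tags like '2.0-beta9' -> (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version: Optional[str], has_jndi: bool, is_log4j1: bool) -> str:
    """Verdict for one archive.  Simplification: every 2.x build below 2.15.0
    is treated as in range (the advisory's range is 2.0-beta9 to 2.14.1)."""
    if version is None and is_log4j1:
        return "log4j 1.x: outside the CVE-2021-44228 range"
    if version is None:
        return "log4j-core classes found but version unknown; inspect manually"
    v = version_tuple(version)
    if v[0] == 2 and v < FIXED_VERSION:
        return f"AFFECTED: log4j-core {version} is in the 2.0-beta9..2.14.1 range"
    if has_jndi:
        return f"log4j-core {version} is patched but JndiLookup class still present"
    return f"log4j-core {version}: not in the affected range"


def inspect_archive(data: bytes, label: str, findings: List[Dict]) -> None:
    """Record Log4j evidence found in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        m = re.search(rb"^version=(.+)$", zf.read(POM_PROPERTIES), re.M)
        if m:
            version = m.group(1).decode("ascii", "replace").strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    is_log4j1 = LOG4J1_MARKER in names
    if version or has_jndi or is_log4j1:
        findings.append({"archive": label, "version": version,
                         "jndi_lookup": has_jndi,
                         "verdict": classify(version, has_jndi, is_log4j1)})
    # Jars bundled inside wars/ears are where log4j-core usually hides.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Dict]:
    """Walk a deployment directory and inspect every archive found under it."""
    findings: List[Dict] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture (not real IFS files): an in-range log4j-core jar,
    the same jar nested inside a war, and a log4j 1.x jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPERTIES, "version=2.14.1\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.write(core, "WEB-INF/lib/log4j-core-2.14.1.jar")
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as z:
        z.writestr(LOG4J1_MARKER, b"")
    return root


if __name__ == "__main__":
    # Usage: python scan_log4j.py /path/to/deployment  (defaults to the fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(target):
        print(f"{f['archive']}: version={f['version']} "
              f"jndi_lookup={f['jndi_lookup']} -> {f['verdict']}")
```

The scanner keys on the jar contents rather than on file names because a renamed or shaded jar is a common reason a version inventory misses log4j-core; a `JndiLookup.class` hit without a `pom.properties` is reported as "version unknown" precisely so that such a jar gets a manual look. Note that it only answers the question asked in this thread (is Log4j present, and which version); it does not tell you whether an application actually routes attacker-controllable input into a logger, which is the condition the quoted vulnerability description depends on.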
