Skip to main content

Are any of the IFS FSM components (mainly the IFS FSM android application) impacted by the log4j vulnerability CVE-2021-44228? 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Hi @TDCSOURABH,

This is to inform you that IFS R&D Team is assessing whether the vulnerability is affecting IFS Application/FSM /PSO /EOI and based on that IFS R&D will recommend a corrective action.
We'll keep you updated on this.

Best Regards,
Shani 


Is there an update on this? I need to know if the IFS Application is affected and the recommended corrective action.


FSM does not use Apache as a web server, it is a Windows IIS app.   The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP  access.   So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.


FSM does not use Apache as a web server, it is a Windows IIS app.   The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP  access.   So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.

We personally use the IFS 9 application which is java based. I only responded to this question and not starting my own because Shani above mentioned that the R&D team is looking into the Application/FSM /PSO /EOI and would provide an update. I was looking for an update on it specifically the Application. 


The reported vulnerability cites log4j being used with JNDI (Java Naming and Directory Interface) to access LDAP.

I don’t see any references to log4j or  JNDI when browsing the FSMa (Mobile Android) code repository in Bitbucket.

Will still follow up with Mobile team to confirm.


Hi, we have customers which still running IFS 8 SP1(Foundation1 SP2) version with old Log4j, they are check whether IFS will release some patch regarding this. 

https://vulners.com/github/GHSA-JFH8-C2JP-5V3Q

Plesae update this, thank you!

 


This question was originally about the FSM product and the FSM Mobile client.  I cannot supply any answer about IFS Applications 8 or 9 - that should be its own separate topic


Please subscribe to this KBA which will be updated every 24 hours

 


Hi @Phil Lamerton ,

Noted that FSM & PSO was not affected by CVE-2021-44228. ( Impact of CVE-2021-44228 on IFS Products, Services | IFS Community)

 

But I want to know any log 4j is used by FSM or PSO? If yes what is the version

 

Thanks

Oshan


Reply