Hi all,
An impact assessment has taken place on the IFS Maintenix tech stack to determine the mitigation actions required to secure your on-prem systems. Please note only versions 8.3 and 8.3-SP1 are affected by this issue. We will be releasing software updates on all supported streams to upgrade log4j2 to version 2.15.0.
2021-12-14 Update: We anticipate software updates to be delivered by Friday 2021-12-17.
2021-12-14 Update: Updates will upgrade to Apache’s log4j 2.16.0.
2021-12-17 Update: Apache has released a new CVE, CVE-2021-45046, to indicate that the mitigation techniques recommended below are not sufficient to contain all possible vectors. The new recommendation is to install log4j 2.16.0, which completely removes the ability to perform a JndiLookup. If an upgrade to 2.16.0 is not possible, there is an alternate mitigation technique: manually remove the class file from the jar. Please refer to Apache's security article on this topic.
ALL >= 8.3 IFS MAINTENIX INSTALLATIONS: The alternate solution is to manually remove the JndiLookup.class file from the file <mx_install>/domain/bin/logging/log4j-core.jar. Please implement this measure immediately. All streams of Maintenix have been updated and the software is globally available in the software delivery location.
Mitigation Actions
For affected systems, reinstalling the Windows service (if applicable) and/or an application service restart is required after adding a new start-up parameter for WebLogic to the file <mx_install>/domain/bin/customEnv.cmd (Windows) or customerEnv.sh (Linux), with the following text:
| setCustomEnv.sh | setCustomEnv.cmd |
|---|---|
| `export JAVA_OPTIONS="${JAVA_OPTIONS} -Dlog4j2.formatMsgNoLookups=true"` | `set JAVA_OPTIONS=%JAVA_OPTIONS% -Dlog4j2.formatMsgNoLookups=true` |
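As an added verification check (not part of this IFS notice or the Maintenix product), the following Python script inspects a log4j-core.jar and the custom env script from an installation and reports whether the JndiLookup class has been removed (upgrade or manual strip), whether only the formatMsgNoLookups flag is in place, or neither. It assumes the jar's META-INF manifest carries an Implementation-Version field, and the jar it builds for its own demonstration is constructed sample data.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

def inspect_jar(jar_path):
    """Return (Implementation-Version or None, True if JndiLookup.class is present)."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return (m.group(1) if m else None), JNDI_CLASS in names

def env_file_sets_nolookups(env_path):
    """True if an uncommented line of the custom env script carries the flag."""
    for line in Path(env_path).read_text(errors="replace").splitlines():
        s = line.strip()
        if s.startswith(("#", "::")) or s.lower().startswith("rem "):
            continue  # sh or cmd comment line, does not take effect
        if NOLOOKUPS_FLAG in s:
            return True
    return False

def assess(jar_path, env_path):
    """'fixed': JndiLookup.class absent (2.16.0 or manual removal); 'mitigated': class present
    but formatMsgNoLookups set (not sufficient per CVE-2021-45046); 'vulnerable': neither."""
    version, has_jndi = inspect_jar(jar_path)
    if not has_jndi:
        status = "fixed"
    elif env_file_sets_nolookups(env_path):
        status = "mitigated"
    else:
        status = "vulnerable"
    return {"version": version, "status": status}

def make_constructed_sample(version, include_jndi, env_text):
    """Write a constructed log4j-core.jar and env script to a temp dir (sample data, not real)."""
    d = Path(tempfile.mkdtemp())
    jar, env = d / "log4j-core.jar", d / "setCustomEnv.sh"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"placeholder, not a real class file")
    env.write_text(env_text)
    return str(jar), str(env)
```

Point `assess()` at `<mx_install>/domain/bin/logging/log4j-core.jar` and the custom env script of a real installation; a result other than `fixed` means the jar still carries the lookup class.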
IFS Maintenix Impact Assessment
| IFS Maintenix Versions | Assessment |
|---|---|
| >= 8.3-SP2 | No impact - Log4j2 implementation pre-configured with mitigation strategy. |
| = 8.3, 8.3-SP1 | Requires action. Log4j2 implementation does not contain mitigation strategy. |
| <= 8.2-SP5 | No impact - No implementation of log4j2. |
Supporting Services Assessment
| Service | Versions | Assessment |
|---|---|---|
| Jaspersoft Reporting | >= 7.9.x | Requires action. Restart required. Reinstalling Windows service required (if applicable). Edit the file <jasper_install>/bin/setenv.bat (setenv.sh on Linux): |
| Jaspersoft Reporting | <= 7.2.x | No impact - No implementation of log4j2. |
| Mulesoft (ASB) | 3.9.0 | Requires action. No restart required. Please replace line 5 of /<asb-x.x.x>/server/conf/log4j2.xml with `<PatternLayout pattern="%-5p %d [%t] %c: %m{nolookups}%n"/>` |
| Mulesoft (ASB) | 3.5.0 | No impact - No implementation of log4j2. |