IFS Maintenix impacts: Log4j2 CVE-2021-44228

  • 13 December 2021
  • 0 replies
  • 1345 views

Hi all,

An impact assessment has taken place on the IFS Maintenix tech stack to determine the mitigation actions required to secure your on-prem systems. Please note that only versions 8.3 and 8.3-SP1 are affected by this issue. We will be releasing software updates on all supported streams to upgrade log4j2 to version 2.15.0.

2021-12-14 Update: We anticipate software updates to be delivered by Friday 2021-12-17.

2021-12-14 Update: Updates will upgrade to Apache’s log4j 2.16.0.

2021-12-17 Update: Apache has released a new CVE-2021-45046 to indicate that the mitigation techniques recommended below are not sufficient to contain all possible vectors. The new recommendation is to install log4j 2.16.0, which completely removes the ability to perform a JndiLookup; if an upgrade to 2.16.0 is not possible, there is an alternate mitigation technique: manually remove the class file from the jar. Please refer to Apache's security article on this topic.

ALL >= 8.3 IFS MAINTENIX INSTALLATIONS: The alternate solution is to manually remove the JndiLookup.class file from the file <mx_install>/domain/bin/logging/log4j-core.jar. Please implement this measure immediately. All streams of Maintenix have been updated and the software is globally available in the software delivery location.
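To verify the state of a log4j-core.jar such as <mx_install>/domain/bin/logging/log4j-core.jar before and after the steps above, here is an added Python example; it is not part of the original post or of IFS's tooling. It reads the log4j-core version from the Maven pom.properties packed in the jar, reports whether JndiLookup.class is still present, and can write a copy of the jar with that class removed (the manual mitigation). The sample jar it builds is a constructed stand-in, not a real log4j build.

```python
import io
import zipfile

# Path of the class whose removal is the alternate mitigation for log4j-core < 2.16.0.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar):
    """Read the log4j-core version from the Maven pom.properties packed in the jar."""
    for name in jar.namelist():
        if name.endswith(POM_PROPERTIES_SUFFIX):
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None

def assess_jar(jar_bytes):
    """Classify a log4j-core jar: vulnerable, mitigated (class removed), fixed (>= 2.16.0)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = log4j_core_version(jar)
        has_jndi = JNDI_LOOKUP in jar.namelist()
    if version is None:
        status = "unknown"
    elif tuple(int(p) for p in version.split(".")[:3]) >= (2, 16, 0):
        status = "fixed"  # 2.16.0 removed JndiLookup upstream
    elif has_jndi:
        status = "vulnerable"  # 2.15.0 included, per CVE-2021-45046
    else:
        status = "mitigated"  # JndiLookup.class was removed from the jar
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}

def remove_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class (the manual mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core.jar; not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/" + POM_PROPERTIES_SUFFIX, f"version={version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

Pass the bytes of the real jar to assess_jar to get its status; a result of "mitigated" means the class is gone but the version still predates 2.16.0, so the upgrade remains the recommended end state.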

Mitigation Actions

For affected systems, reinstalling the Windows service (if applicable) and/or an application service restart is required after adding a new start-up parameter to WebLogic in the file <mx_install>/domain/bin/customEnv.cmd (Windows) or customerEnv.sh (Linux) with the following text:

setCustomEnv.sh:
export JAVA_OPTIONS="${JAVA_OPTIONS} -Dlog4j2.formatMsgNoLookups=true"

setCustomEnv.cmd:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dlog4j2.formatMsgNoLookups=true

IFS Maintenix Impact Assessment

IFS Maintenix Versions    Assessment
>= 8.3-SP2                No impact - Log4j2 implementation pre-configured with mitigation strategy.
= 8.3, 8.3-SP1            Requires action. Log4j2 implementation does not contain mitigation strategy.
<= 8.2-SP5                No impact - No implementation of log4j2.

Supporting Services Assessment

Service                 Versions    Assessment
Jaspersoft Reporting    >= 7.9.x    Requires action. Restart required. Reinstalling Windows service required (if applicable). Edit the file <jasper_install>/bin/setenv.bat or setenv.sh as follows:

setenv.bat:
set JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true

setenv.sh:
export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Jaspersoft Reporting    <= 7.2.x    No impact - No implementation of log4j2.
Mulesoft (ASB)          3.9.0       Requires action. No restart required. Please replace line 5 of /<asb-x.x.x>/server/conf/log4j2.xml with:

            <PatternLayout pattern="%-5p %d [%t] %c: %m{nolookups}%n"/>

Mulesoft (ASB)          3.5.0       No impact - No implementation of log4j2.
