Replies posted by Phil Lamerton
Hi, we have been told that CVE-2021-44228 does not affect our APP7 products. However, can you please confirm that APPS7 is not affected by any of the following Log4j vulnerabilities (v1.x and v2.x): • CVE-2021-45046 • CVE-2021-4104 • CVE-2021-45105. Thanks, Lyndesay

IFS will handle these additional vulnerabilities through our normal processes. CVE-2021-44228 was special owing to its maximum score rating. CVE-2021-45046 (low severity – 3.7), CVE-2021-45105 (not yet scored).
Hi Bjørn, in my case I found the files only under the following locations. They were removed once the IFS Solution was applied.

Thanks for your reply, Artha. Did a search on one of our servers; not even a “lookup” directory is present. @Phil Lamerton: Is there any need for us to install the patch when JndiLookup.class isn’t present? If you can’t answer the question, should I rather create a case with support?

The folder structure has been stated as being safe (unused library). The class file needs to be loaded at runtime to be a vulnerability.
I see that in the Bug there is Log4j version 2.16.0. The newest version is 2.17.0. Version 2.16.0 is still problematic. https://logging.apache.org/log4j/2.x/security.html Is there a Solution in LCS for 2.17.0?

Additional vulnerabilities will be handled through the normal process or escalated if their severity is critical.
Thanks for this post. A few of the customers have raised this issue of late, and we have applied the intermediate mitigation steps already. Noticed that there are several other issues being identified on log4j, namely CVE-2021-45046 and CVE-2021-45105. Are there any updates on these?

IFS will handle these additional vulnerabilities through our normal processes. CVE-2021-44228 was special owing to its maximum score rating. CVE-2021-45046 (low severity – 3.7), CVE-2021-45105 (not yet scored).
Hi @Phil Lamerton, may you kindly inform what time today we can expect IFS Cloud 21R1 SU9 (Remote Installation), our production system’s public access being cut down for a few days due to this vulnerability. Kr, Amila

It is available now.
What about the IFS9 version and customers without extended support?

As is in the KBA, IFS Apps 9 customers are not impacted by this.

We have got the following question from a customer: ...at present, our IT is looking into the possible impact of the log4j vulnerability on IFS. We have discovered that IFS uses log4j in its code. How do we confirm that the library is not used by the IFS9 version? Best Regards

Hi, R&D have done the research here and Apps 9 uses the 1.x version, which is not vulnerable. Please refer to the KBA, which shows this.
For Apps10, is this valid for all updates? We are using update 11, and I did a search on our app server where I found ‘log4j-1.2.17.jar’, which is a newer version than listed above as a potential issue. Or is the patch needed for all updates in Apps10?

The version referenced is a 1.x version. The mitigation/solution is based upon 2.16.0, which is later. It will be applicable for all IFS Apps10 updates.
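Both of the threads above come down to the same inventory question: which log4j jars are on the server, which major line (1.x or 2.x) each belongs to, and whether the JndiLookup.class tied to CVE-2021-44228 is inside. The following scanner is an added example, not IFS code or part of this thread; it reads the version from the Maven pom.properties that log4j jars carry, and the two jars in demo() are constructed samples with empty member files, not real log4j builds.

```python
import os
import tempfile
import zipfile

# Class whose presence in a 2.x log4j-core jar is the usual first indicator checked
# for CVE-2021-44228. Presence alone is not proof of exposure: as noted above, the
# class has to be loaded at runtime, and the jar's version line matters.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def log4j_version(zf):
    """Return the version from the first Maven pom.properties in the jar, else None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_jar(path):
    """Classify one jar: its version, its major line, and whether JndiLookup is packaged."""
    with zipfile.ZipFile(path) as zf:
        version = log4j_version(zf)
        line = "unknown"
        if version and version.startswith("2."):
            line = "2.x"
        elif version and version.startswith("1."):
            line = "1.x"
        return {"jar": os.path.basename(path), "version": version,
                "line": line, "jndi_lookup_present": JNDI_CLASS in set(zf.namelist())}


def scan_tree(root):
    """Walk a directory tree (e.g. an app server install) and scan every .jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                findings.append(scan_jar(os.path.join(dirpath, f)))
    return sorted(findings, key=lambda x: x["jar"])


def build_sample_jar(path, group, artifact, version, members):
    """Constructed sample jar: a pom.properties plus empty placeholder members."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", f"version={version}\n")
        for m in members:
            zf.writestr(m, b"")


def demo():
    """Build a 1.x jar and a pre-2.16 2.x jar (both constructed) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "org.apache.logging.log4j",
                         "log4j-core", "2.14.1", [JNDI_CLASS])
        build_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"), "log4j", "log4j", "1.2.17",
                         ["org/apache/log4j/Logger.class"])
        return scan_tree(tmp)
```

On a real host, run scan_tree against the installation root instead of demo(); a 1.x hit answers the Apps 9 / Apps10 question in the thread, while a 2.x hit with JndiLookup present still needs the version compared against the fixed release the mitigation is based on.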
Hello, will each company on Apps10 have to request the patch individually when it’s available? And I’m assuming the same rules apply where you have to install patches in sequence? I have one I’m testing now. Mary McCabe

The distribution process is being developed and tested and will be documented as part of its release.