Solved

Apache Log4j vulnerability CVE-2021-44228

  • December 13, 2021
  • 8 replies
  • 1492 views

aravindhan
Sidekick

Hi, we are running IFS 8 SP1 (Foundation1 SP2) with old Log4j. Will IFS release some patch regarding this, or do we have to upgrade only the solution? Please update.

Best answer by hhanse

Follow the official recommendation:
apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
IFS_Solution_298974.zip is a solid workaround that can be used until the customer is ready for a proper Update.
   /H
 


Phil Lamerton
Superhero (Employee)

This is under investigation. Please subscribe to this KBA, which will be updated every 24 hours.

 


aravindhan
Sidekick

Please Update on the Apache Log4j vulnerability CVE-2021-44228


Phil Lamerton
Superhero (Employee)
aravindhan wrote:

Please Update on the Apache Log4j vulnerability CVE-2021-44228

Please subscribe to this KBA as mentioned above; it is updated regularly.

https://community.ifs.com/announcements-278/urgent-bulletin-ifs-advisory-ifs-products-services-and-log4j-cve-2021-44228-16436?postid=60808#post60808

 


aravindhan
Sidekick

Thanks for your update. As per your "Impact of CVE-2021-44228 on IFS Products, Services" document, IFS8 application SP2 - Not affected.


Forum|alt.badge.img+6

Hi, 

Could you please confirm that the web part (B2E) of the legacy versions used for time reporting is not impacted by the vulnerability?


  • Hero (Employee)
  • January 4, 2022

Hi,

The web part (B2E) is a sub part of IFS Application 8 (all legacy versions), which is stated in the KBA not to be affected. I had a quick look now and the actual b2e.war file has an unaffected Log4j 1.2.6 in it, which aligns with the statement in the KBA.
 

https://community.ifs.com/notifications-security-bulletins-planned-maintenance-254/impact-of-cve-2021-44228-on-ifs-products-services-16504

 

NOTE: Running old SW in general (App8 being one) is not advised from a security perspective...

   /henrik
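
The check described in the reply above (opening the WAR and looking at the bundled Log4j) can be scripted; this is an added example, not part of the original thread and not IFS tooling. It walks nested archives, reads the version from each Log4j jar name, and records whether the log4j-core `JndiLookup` class is present. The sample archives are constructed in memory, and every file name other than `log4j-1.2.6.jar` is an assumption.

```python
import io
import re
import zipfile

# Class whose presence marks a log4j-core 2.x jar that still ships the JNDI lookup.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")
LOG4J_JAR = re.compile(r"(log4j(?:-core|-api)?)-(\d+(?:\.\d+)*[\w.-]*?)\.jar$", re.I)


def scan_archive(data, path):
    """Return one finding per bundled Log4j jar, descending into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        named = LOG4J_JAR.search(path)
        has_jndi = JNDI_LOOKUP in names
        if named or has_jndi:  # has_jndi alone catches renamed or shaded jars
            findings.append({
                "path": path,
                "version": named.group(2) if named else None,
                "has_jndi_lookup": has_jndi,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    findings += scan_archive(zf.read(name), f"{path}!/{name}")
                except zipfile.BadZipFile:
                    pass  # extension says archive, content does not; skip
    return findings


def build_sample_war(jar_name, class_name):
    """Constructed test input: a WAR holding one jar that holds one class."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    return make_zip({f"WEB-INF/lib/{jar_name}": make_zip({class_name: b"\xca\xfe"})})


if __name__ == "__main__":
    samples = {  # constructed archives, not real IFS deliverables
        "legacy.war": build_sample_war("log4j-1.2.6.jar", "org/apache/log4j/Logger.class"),
        "modern.war": build_sample_war("log4j-core-2.14.1.jar", JNDI_LOOKUP),
    }
    for name, data in samples.items():
        print(scan_archive(data, name))
```

To run it against a real deployment, pass the file's bytes and name, for example `scan_archive(open("b2e.war", "rb").read(), "b2e.war")`, and compare any finding with `has_jndi_lookup` set against the vendor KBA.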


  • Sidekick (Partner)
  • January 17, 2022

Hi team,

If we check the URL below, IFS10 says to apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
<https://community.ifs.com/notifications-security-bulletins-planned-maintenance-254/impact-of-cve-2021-44228-on-ifs-products-services-16504>

However, upon checking the LCS, we were able to find the following patches.
 - 161922 :  Log4j and gson library vulnerabilities Apps10 (RMPANL)
 - 161924 : Zero-day vulnerability in Log4J APPS10 (DEMAND)
 - 161926 : Apache Log4j Security Vulnerability - ifs-reporting.war (FNDBAS)
 - 161936 : Apache Log4j Security Vulnerability - ifs-reporting.war 2.16 update (FNDBAS)
 - 161948 : Updating Log4J in APPS10 to latest version (PROOPG)

Which patches should be applied to reduce the risk related to CVE-2021-44228?

Best Regards,
Hiroki Iwakura


  • Hero (Employee)
  • January 17, 2022

Follow the official recommendation:
apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
IFS_Solution_298974.zip is a solid workaround that can be used until the customer is ready for a proper Update.
   /H
 

