Solved

Apache Log4j vulnerability CVE-2021-44228

  • 13 December 2021
  • 8 replies
  • 1417 views

Userlevel 2
Badge +4

Hi, we are running IFS 8 SP1 (Foundation1 SP2) with an old Log4j. Will IFS release a patch regarding this, or do we have to upgrade only the solution? Please update.


Best answer by hhanse 17 January 2022, 09:50


This topic has been closed for comments


Userlevel 7
Badge +17

This is under investigation. Please subscribe to this KBA, which will be updated every 24 hours.

Userlevel 2
Badge +4

Please Update on the Apache Log4j vulnerability CVE-2021-44228

Userlevel 7
Badge +17

Please Update on the Apache Log4j vulnerability CVE-2021-44228

Please subscribe to this KBA as mentioned above; it is updated regularly.

Userlevel 2
Badge +4

Thanks for your update. As per your "Impact of CVE-2021-44228 on IFS Products, Services" document, IFS8 application SP2 - Not affected.

Userlevel 2
Badge +4

Hi, 

Could you please confirm that the web part (B2E) of the legacy versions used for time reporting is not impacted by the vulnerability?

Userlevel 5
Badge +9

Hi,

The web part (B2E) is a sub-part of IFS Application 8 (all legacy versions), which is stated in the KBA not to be affected. I had a quick look now and the actual b2e.war file has an unaffected Log4j 1.2.6 in it, which aligns with the statement in the KBA.

NOTE: Running old SW in general (App8 being one) is not advised from a security perspective...

   /henrik
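The check described in the post above (opening the WAR and reading the bundled Log4j version), as an added example that is not part of the thread or IFS's own tooling: it lists Log4j jars inside an archive, including nested ones, and classifies each against CVE-2021-44228. Assumptions: jars are identified by file name only, every log4j-core 2.x below 2.15.0 is treated as in range (back-ported fix releases are not special-cased), and `SAMPLE_WAR` is constructed.

```python
import io
import re
import zipfile

# Matches log4j-1.2.6.jar and log4j-core-2.14.1.jar, but not log4j-api-*.jar.
JAR_RE = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+(?:\.\d+)*)(?:-(?:alpha|beta|rc)\d+)?\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(version, has_jndi_lookup):
    """CVE-2021-44228 only. Assumption: every 2.x below 2.15.0 counts as in range."""
    if version[0] < 2 or version >= (2, 15):
        return "outside CVE-2021-44228 range"
    return "in CVE-2021-44228 range" if has_jndi_lookup else "in range by version, JndiLookup.class absent"

def scan(data, path):
    """Return (location, version, verdict) per Log4j jar, descending into nested archives."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    for name in archive.namelist():
        if not name.lower().endswith((".jar", ".war", ".ear")):
            continue
        inner, where = archive.read(name), f"{path}!/{name}"
        match = JAR_RE.search(name)
        if match is None:
            findings += scan(inner, where)  # another archive: look inside it
            continue
        version = tuple(int(part) for part in match.group(1).split("."))
        try:
            has_jndi = JNDI_LOOKUP in zipfile.ZipFile(io.BytesIO(inner)).namelist()
        except zipfile.BadZipFile:
            has_jndi = True  # unreadable jar: assume the class is present
        findings.append((where, match.group(1), classify(version, has_jndi)))
    return findings

def make_zip(entries):  # helper used only to build the constructed sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

SAMPLE_WAR = make_zip({  # constructed sample, not the contents of any real IFS archive
    "WEB-INF/lib/log4j-1.2.6.jar": make_zip({"org/apache/log4j/Logger.class": b""}),
    "WEB-INF/lib/log4j-core-2.14.1.jar": make_zip({JNDI_LOOKUP: b""}),
    "WEB-INF/lib/tool.jar": make_zip({"lib/log4j-core-2.17.1.jar": make_zip({JNDI_LOOKUP: b""})}),
})
```

To check a real archive, read it in binary mode and pass the bytes and file name to `scan`. Log4j classes repackaged into another jar under a different file name are not detected by this name-based check.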

Userlevel 2
Badge +7

Hi team,

If we check the URL below, IFS10 says to apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
<https://community.ifs.com/notifications-security-bulletins-planned-maintenance-254/impact-of-cve-2021-44228-on-ifs-products-services-16504>

However, upon checking the LCS, we were able to find the following patches.
 - 161922 : Log4j and gson library vulnerabilities Apps10 (RMPANL)
 - 161924 : Zero-day vulnerability in Log4J APPS10 (DEMAND)
 - 161926 : Apache Log4j Security Vulnerability - ifs-reporting.war (FNDBAS)
 - 161936 : Apache Log4j Security Vulnerability - ifs-reporting.war 2.16 update (FNDBAS)
 - 161948 : Updating Log4J in APPS10 to latest version (PROOPG)

Which patches should be applied to reduce the risk related to CVE-2021-44228?

Best Regards,
Hiroki Iwakura

Userlevel 5
Badge +9

Follow the official recommendation:
apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
IFS_Solution_298974.zip is a solid workaround that can be used until the customer is ready for a proper Update.
   /H