Solved

Apache Log4j vulnerability CVE-2021-44228

  • December 13, 2021
  • 8 replies
  • 1533 views

aravindhan
Sidekick

Hi, we are running IFS 8 SP1 (Foundation1 SP2) with an old Log4j. Will IFS release a patch regarding this, or is upgrading the only solution? Please update.

Best answer by hhanse

Follow the official recommendation:
apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
IFS_Solution_298974.zip is a solid workaround that can be used until customer is ready for a proper Update.
   /H
 

This topic has been closed for replies.

8 replies

Phil Lamerton
Superhero (Employee)
  • Superhero (Employee)
  • 532 replies
  • December 13, 2021

This is under investigation; please subscribe to this KBA, which will be updated every 24 hours.

 


aravindhan
Sidekick
  • Author
  • Sidekick
  • 8 replies
  • December 14, 2021

Please Update on the Apache Log4j vulnerability CVE-2021-44228


Phil Lamerton
Superhero (Employee)
  • Superhero (Employee)
  • 532 replies
  • December 14, 2021

Please Update on the Apache Log4j vulnerability CVE-2021-44228

Please subscribe to this KBA as mentioned above; it is updated regularly.

 


aravindhan
Sidekick
  • Author
  • Sidekick
  • 8 replies
  • December 15, 2021

Thanks for your update. As per your "Impact of CVE-2021-44228 on IFS Products, Services" document, IFS8 application SP2 - Not affected.


  • Sidekick (Employee)
  • 10 replies
  • January 4, 2022

Hi, 

Could you please confirm that the web part (B2E) of the legacy versions used for time reporting is not impacted by the vulnerability?


  • Hero (Employee)
  • 201 replies
  • January 4, 2022

Hi,

The web part (B2E) is a sub-part of IFS Application 8 (all legacy versions), which the KBA states is not affected. I had a quick look now and the actual b2e.war file has an unaffected Log4j 1.2.6 in it, which aligns with the statement in the KBA.
 

 

NOTE: Running old SW in general (App8 being one) is not advised from a security perspective...

   /henrik
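The check described in the reply above (opening b2e.war and looking at which Log4j is bundled), automated as an added example that is not from this thread or from IFS: it reads the manifest version of every nested log4j jar, classifies it against the CVE-2021-44228 affected range, and additionally checks for `JndiLookup.class` (the class that implements the vulnerable lookup), so a relabelled jar is still flagged. The sample WAR is constructed inline and is not the real b2e.war.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def cve_2021_44228_status(version):
    # Affected range per the Apache advisory: 2.0-beta9 through 2.15.0, excluding
    # the backported security releases 2.12.2, 2.12.3 and 2.3.1. Log4j 1.x
    # predates the JNDI lookup feature and is not affected by this CVE.
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"
    v = tuple(int(x or 0) for x in m.groups())
    if v < (2, 0, 0):
        return "not affected"
    backport = (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)
    return "fixed" if v >= (2, 16, 0) or backport else "AFFECTED"

def scan_war(war_bytes):
    # For every nested log4j*.jar: (version, status, JndiLookup.class present?)
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if not re.search(r"log4j[^/]*\.jar$", entry):
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                names = jar.namelist()
                manifest = jar.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else entry.rsplit("/", 1)[-1]  # fall back to the jar name
            findings[entry] = (version, cve_2021_44228_status(version), JNDI_CLASS in names)
    return findings

def build_sample_war():
    # Constructed sample, not a real IFS artefact: a Log4j 1.2.6 jar as reported
    # inside b2e.war, plus an unpatched Log4j 2 core jar for contrast.
    jars = {"log4j-1.2.6.jar": ("1.2.6", []), "log4j-core-2.14.1.jar": ("2.14.1", [JNDI_CLASS])}
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        for name, (ver, extra) in jars.items():
            jar = io.BytesIO()
            with zipfile.ZipFile(jar, "w") as j:
                j.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
                for path in extra:
                    j.writestr(path, b"")
            w.writestr(f"WEB-INF/lib/{name}", jar.getvalue())
    return war.getvalue()
```

Point `scan_war` at the bytes of a real WAR to get the same per-jar verdicts; a jar whose manifest says a fixed version but which still contains `JndiLookup.class` deserves a second look.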


  • Sidekick (Partner)
  • 29 replies
  • January 17, 2022

Hi team,

If we check the URL below, for IFS10 it says to apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
<https://community.ifs.com/notifications-security-bulletins-planned-maintenance-254/impact-of-cve-2021-44228-on-ifs-products-services-16504>

However, upon checking the LCS, we were able to find the following patches.
 - 161922: Log4j and gson library vulnerabilities Apps10 (RMPANL)
 - 161924: Zero-day vulnerability in Log4J APPS10 (DEMAND)
 - 161926: Apache Log4j Security Vulnerability - ifs-reporting.war (FNDBAS)
 - 161936: Apache Log4j Security Vulnerability - ifs-reporting.war 2.16 update (FNDBAS)
 - 161948: Updating Log4J in APPS10 to latest version (PROOPG)

Which patches should be applied to reduce the risk related to CVE-2021-44228?

Best Regards,
Hiroki Iwakura


  • Hero (Employee)
  • 201 replies
  • Answer
  • January 17, 2022

Follow the official recommendation:
apply "IFS_Solution_298974.zip" as a workaround and Update15 as a permanent solution.
IFS_Solution_298974.zip is a solid workaround that can be used until customer is ready for a proper Update.
   /H