Log4j vulnerability (CVE-2021-44228) and Impact on SCANMAN
Ekaterina Grigorova
started a topic
over 3 years ago
Dear Valued Customer,
Recently a vulnerability has been discovered in the Apache Log4j open-source library (CVE-2021-44228). This CVE handles a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. This CVE has a security score of 10 out of 10. Due to the severity of this vulnerability and the publication of exploit code on various sites, it is strongly recommended that customers apply the updates provided by this Security Alert as soon as possible. This library is used by several common applications and servers in a JD Edwards architecture.
These include several Oracle products, IBM WebSphere or your JD Edwards add-on solutions. Our SSPR and PACKMAN solutions both make use of this library.
Our support team has looked into this vulnerability and would like to share the following insights with regard to affected applications and services.
According to the information currently available, the following solutions are using the Log4j library and may be affected:
Oracle Products affected:
JD Edwards World
Oracle Access Manager
Oracle Fusion Middleware Infrastructure
Oracle GoldenGate
Oracle SOA Suite
Oracle(R) BPEL Process Manager 10g
SQL Developer
At the time of writing, the above Oracle products have been identified as affected, but a patch is not yet available.
The list of affected Oracle products is limited to the applications you may use when working with JD Edwards EnterpriseOne. For more detailed and up-to-date information about the Oracle products that are affected, please follow the link: https://support.oracle.com/epmos/faces/SearchDocDisplay?_afrLoop=100294348459095&_afrWindowMode=0&_adf.ctrl-state=3m696rtpq_4
Also, detailed information is available to mitigate the security issue while the applications are not patched. This includes switching off specific logging capabilities in the log4j library by adding an additional parameter (-Dlog4j2.formatMsgNoLookups=true) to the startup parameters for Java.
IBM Products affected:
IBM has stated that WebSphere 8.5 and 9.0 are affected and a solution is available at the following link: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/
Oracle Products NOT affected:
JD Edwards EnterpriseOne Enterprise Server Platform Pack
JD Edwards EnterpriseOne Server Manager
Oracle WebLogic
Forza Consulting Add-On Solutions not affected:
Forza Consulting SSPR
Forza Consulting PACKMAN
Forza Consulting SCANMAN
The Forza Consulting SCANMAN solution is not using the Log4j library and is therefore not affected. Please find more information under the SCANMAN Alerts section here:
https://scanman.forza-solutions.com/en/support/solutions/articles/19000132439-vulnerability-apache-log4j-cve-2021-44228-impact-on-scanman
Although the PACKMAN and SSPR solutions are not affected, we recommend updating the log4j library with the patched version Log4j 2.15.0. Both products have been validated and certified with the patched version of this library.
Patch install instructions SSPR: SSPR_Patch
Patch install instructions PACKMAN: PACKMAN_Patch
For information about the CVE see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
For information about the vulnerability see: https://logging.apache.org/log4j/2.x/security.html
Please contact us if you need any support on the above.
Forza Consulting Support
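The two checks the post describes, as an added Python example that is not part of the original post: it walks an installation directory for log4j-core jars, compares each version with the 2.15.0 release the post names, and checks a JVM options string for the interim -Dlog4j2.formatMsgNoLookups=true parameter. The sample directory tree and the JVM options string are constructed for the demo, and all function names are assumptions.

```python
"""Inventory Log4j 2 core jars under an install root and check the interim JVM flag."""
import os
import re
import tempfile
import zipfile

PATCHED = (2, 15, 0)                       # release the advisory recommends
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(filename):
    """Parse (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_RE.match(os.path.basename(filename))
    return tuple(int(g) for g in m.groups()) if m else None


def scan_tree(root):
    """Return {jar_path: 'vulnerable' | 'patched'} for each log4j-core jar found.
    Detection is by file name only: renamed or shaded jars need a content scan."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = jar_version(name)
            if version is not None:
                state = "patched" if version >= PATCHED else "vulnerable"
                findings[os.path.join(dirpath, name)] = state
    return findings


def mitigation_flag_set(java_opts):
    """True when the JVM startup options carry the interim mitigation parameter."""
    return MITIGATION_FLAG in java_opts.split()


def build_sample_tree():
    """Constructed demo tree: one pre-2.15.0 jar and one patched jar (both empty)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for rel in ("lib/log4j-core-2.14.1.jar", "patched/log4j-core-2.15.0.jar"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:      # minimal but valid jar
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for path, state in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{state:10s} {path}")
    opts = "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"  # constructed JVM options
    print("interim mitigation flag set:", mitigation_flag_set(opts))
```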