log4j Exploit

tryan · December 13, 2021, 5:21am

Hi all,

We have just published an article about the an exploit in the log4j logging library. Pulse 6 could be used to exploit the vulnerability but the attacker would need admin permissions in Pulse.

If you have Pulse 6 you should apply one of the fixes in the article.

twong · December 14, 2021, 2:33am

Hi @tryan ,

May I assume the log4j download version is 2.1.5+?

I tried to download today, it’s already 2.1.6.

Regards

Tat

tryan · December 14, 2021, 3:51am

Yep, 2.15 or greater (not 2.1.5).

tlees · December 14, 2021, 3:53am

Tat,

The latest release is 2.16.0. Some initial changes were introduced in 2.15.0 to resolve the issue, and some more comprehensive changes were made in 2.16.0 and released yesterday.

https://logging.apache.org/log4j/2.x/changes-report.html

Tim

tryan · December 14, 2021, 4:01am

I have updated the article. They they have completely removed the functionality that was the cause of the exploit.

james.geraci · December 16, 2021, 8:35pm

I know it says that PAW is affected but it seems ambiguous whether PAL is affected? Do you guys have any guidance on that?

tryan · December 16, 2021, 8:45pm

Hi @james.geraci,

From my understanding PAL local is not impacted, TM1Web uses version 1 of log4j and the server itself is C++. If you look in the install directory no v2 log4j jar files can be found. PAW and CA both have v2 jar files.

That should of course be confirmed by IBM.

R.B · December 16, 2021, 10:22pm

Hi @james.geraci,

See IBMs statement in https://www.ibm.com/support/pages/node/6525700? “Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability.”

If you are interested in Cognos Analytics (even just for CAM) see Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228)? “IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure.”

pgrochola · December 18, 2021, 7:45pm

@tryan

This whole Log4j saga is getting even more interesting following discovery that 2.15 has a critical vulnerability 2.16 turned out to have high so 2.17 contains the fix for it:

https://logging.apache.org/log4j/2.x/security.html

Should we then just copy 2.17 to elasticsearch lib folder or whatever library is the most recent?

ecarmona · December 19, 2021, 10:16pm

Ηι @pgrochola,

If log4j is recommending to go to 2.17. do so. I suggest to test it first in a dev environment.

Regards,

Erik

ecarmona · December 19, 2021, 11:20pm

We are testing the impact of 2.17 as well.

Regards,

Erik

ecarmona · December 20, 2021, 2:26am

@pgrochola,

We performed tests with 2.17 and it is working fine. the suggestion now onwards is to deploy 2.16 or later.

Regards,

Erik