Update March 8, 2022: TIBCO AuditSafe 1.1.1 has been released, which contains the final mitigation for this issue.
TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228 and successors), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system. TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services. Below are initial mitigation steps for this issue. We will provide updates as more information becomes available and we complete our investigation.
Issue/Introduction
Documentation for Mitigating the Log4jShell Vulnerability in AuditSafe
Environment
all platforms
Resolution
These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2. The general approach is to manually modify the log4j jars by removing the exploitable Java class files contained within them, specifically JndiLookup.class for log4j 2.x. This Java class file is not used by any of the TIBCO® AuditSafe software, and removing it is expected to have no functional impact.
Applicability
These instructions apply to TIBCO® AuditSafe version 1.1.0 only.
Prerequisites
Unix
zip and unzip packages need to be installed
Make sure you add Java\jdk<version>\bin to your system or the user PATH environment variable before you can use jar as a system command.
Update log4j Jars in TIBCO® AuditSafe Services (Unix)
Note: Stop all the running TIBCO® AuditSafe services and delete their existing images.
Using the same shell (sh/bash) you used to update the server, run the following commands:
$ cd <unzip_folder>/auditsafe-1.1.0
$ zip -q -d <LOG4J_JAR> <FILE_TO_REMOVE>
Consult the table below to determine the log4j-file-location and the file-to-remove based on the service you want to fix:
TIBCO® AuditSafe Services 1.1:
Verify that the desired file was removed:
$ jar tvf <LOG4J_JAR> | grep JndiLookup; echo $?
The result should be 1 for all verification steps (grep exits with status 1 when no jar entry matches JndiLookup, i.e. the class is gone).
After all the vulnerable services are mitigated, perform the following steps:
Stop all the TIBCO® AuditSafe services.
Delete all the existing images. (Navigate to worker node and remove the old images.)
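As an added example (not TIBCO's own tooling), the removal and verification steps above done with Python's zipfile module, which avoids needing zip, unzip and jar on the PATH and works on any platform; the sample jar and its entries are constructed for the demo and are not real log4j class files.

```python
import os
import shutil
import tempfile
import zipfile

# Entry the Apache mitigation removes from log4j-core 2.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_entries(jar_path):
    """Entry names, the equivalent of `jar tvf <jar>`."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.namelist()

def contains_jndi_lookup(jar_path):
    """Same check as `jar tvf <jar> | grep JndiLookup`: True if the class is present."""
    return any(name.endswith("JndiLookup.class") for name in jar_entries(jar_path))

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does in place).
    Returns True if the class was removed, False if the jar was already clean."""
    if not contains_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"  # same directory, so the final replace is atomic
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename.endswith("JndiLookup.class"):
                    continue  # drop the exploitable class, keep every other entry
                dst.writestr(info, src.read(info.filename))  # keeps compression and timestamps
        os.replace(tmp_path, jar_path)  # original is swapped out only after a full write
    finally:
        if os.path.exists(tmp_path):  # only left behind if the rewrite failed
            os.unlink(tmp_path)
    return True

def make_sample_jar(path):
    """Constructed stand-in for log4j-core-2.x.jar; the entries are not real class files."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")

def demo():
    """Mitigate the constructed sample jar in a temp dir and report each check's result."""
    work = tempfile.mkdtemp()
    jar = os.path.join(work, "log4j-core-2.x-sample.jar")
    make_sample_jar(jar)
    result = {"before": contains_jndi_lookup(jar), "removed": remove_jndi_lookup(jar),
              "after": contains_jndi_lookup(jar), "rerun": remove_jndi_lookup(jar),
              "entries": jar_entries(jar)}
    shutil.rmtree(work)
    return result
```

Running remove_jndi_lookup a second time returns False, which gives the same "already clean" signal as a grep exit status of 1 in the manual check.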