Log4jShell Mitigation for BusinessConnect Container Edition
Article ID: KB0107983
Updated On:
| Products | Versions |
|---|---|
| TIBCO BusinessConnect Container Edition | 1.1.0, 1.1.1 |
Description
NOTE: These instructions cover the BusinessConnect Container Edition Plugins (EDI, SOAP, etc,) as they use the main BCCE server for logging purposes.
Update: March 8, 2022: BusinessConnect Container Edition 1.1.1 has been released, which contains the final mitigation of the log4j issue.
TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228 and successors), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system. TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services. Below are initial mitigation steps for this issue. We will provide updates as more information becomes available and we complete our investigation.
Environment
Resolution
These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2. The general approach is to manually modify the log4j jars by removing the exploitable Java class files contained within them. Specifically, JndiLookup.class for log4j 2.x. This Java class file is not used by any of the TIBCO BusinessConnect™ Container Edition software. Applicability These instructions apply to the TIBCO BusinessConnect™ Container Edition version 1.1.0 only.
Prerequisites:
Unix:
- zip and unzip packages need to be installed
- Make sure you add Java\jdk<version>\bin to your system or the user PATH environment variable before you can use jar as a system command.
Note: Stop all the running TIBCO BusinessConnect™ Container Edition services and delete its existing images.
Using the same shell (sh/bash) you used to update the server, run the following commands:
$ cd <unzip_folder>/bcce-1.1.0
$ zip -q -d <LOG4J_JAR> <FILE_TO_REMOVE>
Consult the table below to determine the log4j-file-location and the file-to-remove based on the service you want to fix:
TIBCO BusinessConnect™ Container Edition Services 1.1:
| Service | LOG4J_JAR | FILE_TO_REMOVE |
| ConfigStore Management Server | services/cms/bcce-cms-1.1.0/lib/log4j-core2.13.3.jar | org/apache/logging/log4j/core /lookup/JndiLookup.class |
| Auth Server | services/aus/bcce-aus-1.1.0 /lib/log4j-core2.13.3.jar | |
| Interior Server | services/is/bcce-is-1.1.0/lib/log4j-core- 2.12.1.jar | |
| Gateway Server | services/gs/bcce-gs-1.1.0/lib/log4j-core- 2.12.1.jar | |
| Poller Server | services/ps/bcce-ps-1.1.0/lib/log4j-core- 2.12.1.jar |
Verify that the desired file was removed:
$ jar tvf <LOG4J_JAR> | grep JndiLookup; echo $?
Result should be 1 for all verification steps.
After all the vulnerable services are mitigated, perform the following steps:
- Stop all the TIBCO BusinessConnect™ Container Edition services.
- Delete all the existing images. (Navigate to worker node and remove the old images.)
- Build the images again and restart the servers.
Issue/Introduction
Feedback
