Products | Versions |
---|---|
TIBCO BusinessConnect Container Edition | 1.1.0, 1.1.1 |
NOTE: These instructions also cover the BusinessConnect Container Edition plugins (EDI, SOAP, etc.), as they use the main BCCE server for logging purposes.
Update: March 8, 2022: BusinessConnect Container Edition 1.1.1 has been released, which contains the final mitigation of the log4j issue.
TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228 and successors), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system. TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services. Below are initial mitigation steps for this issue. We will provide updates as more information becomes available and we complete our investigation.
These instructions are based on the mitigation documented by Apache for the different vulnerable versions of Log4j 2. The general approach is to manually modify the log4j jars by removing the exploitable Java class file contained within them, specifically JndiLookup.class for log4j 2.x. This Java class file is not used by any of the TIBCO BusinessConnect™ Container Edition software.
Applicability
These instructions apply to the TIBCO BusinessConnect™ Container Edition version 1.1.0 only.
Unix:
Service | LOG4J_JAR | FILE_TO_REMOVE |
---|---|---|
ConfigStore Management Server | services/cms/bcce-cms-1.1.0/lib/log4j-core-2.13.3.jar | org/apache/logging/log4j/core/lookup/JndiLookup.class |
Auth Server | services/aus/bcce-aus-1.1.0/lib/log4j-core-2.13.3.jar | org/apache/logging/log4j/core/lookup/JndiLookup.class |
Interior Server | services/is/bcce-is-1.1.0/lib/log4j-core-2.12.1.jar | org/apache/logging/log4j/core/lookup/JndiLookup.class |
Gateway Server | services/gs/bcce-gs-1.1.0/lib/log4j-core-2.12.1.jar | org/apache/logging/log4j/core/lookup/JndiLookup.class |
Poller Server | services/ps/bcce-ps-1.1.0/lib/log4j-core-2.12.1.jar | org/apache/logging/log4j/core/lookup/JndiLookup.class |
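The removal step above is the Apache-documented mitigation (deleting JndiLookup.class from each log4j-core jar) applied to the five service jars in the table. The following script is an added example, not TIBCO's own tooling: it checks each jar for the class, rewrites the jar without it (keeping a `.bak` copy), and reports per-jar status so an operator can confirm nothing is left behind. It uses only the Python standard library and, for the self-test, builds constructed stand-in jars under a temporary directory; the `SERVICE_JARS` relative paths are the ones from the table, and `install_root` is assumed to be the BCCE installation directory.

```python
"""Check for and strip JndiLookup.class from log4j-core jars (added example, not TIBCO code)."""
import os
import shutil
import tempfile
import zipfile

# Class file named in the FILE_TO_REMOVE column of the table above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# LOG4J_JAR column of the table above, relative to the BCCE installation root.
SERVICE_JARS = [
    "services/cms/bcce-cms-1.1.0/lib/log4j-core-2.13.3.jar",
    "services/aus/bcce-aus-1.1.0/lib/log4j-core-2.13.3.jar",
    "services/is/bcce-is-1.1.0/lib/log4j-core-2.12.1.jar",
    "services/gs/bcce-gs-1.1.0/lib/log4j-core-2.12.1.jar",
    "services/ps/bcce-ps-1.1.0/lib/log4j-core-2.12.1.jar",
]


def contains_jndi_lookup(jar_path):
    """True if the jar (a zip archive) still carries the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping <jar>.bak.

    Returns True if the entry was removed, False if the jar was already clean.
    Equivalent to the documented `zip -q -d <jar> <class>` step, but needs no zip binary.
    """
    if not contains_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    # Copy every entry except the target class, preserving each entry's metadata.
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap on POSIX filesystems
    return True


def mitigate_services(install_root, jars=SERVICE_JARS):
    """Apply the removal to each listed jar; return {relative_jar: status}."""
    results = {}
    for rel in jars:
        path = os.path.join(install_root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        remove_jndi_lookup(path)
        results[rel] = "clean" if not contains_jndi_lookup(path) else "still-vulnerable"
    return results


def make_sample_jar(jar_path):
    """Constructed stand-in for a log4j-core jar: two dummy entries, one being JndiLookup.class."""
    os.makedirs(os.path.dirname(jar_path), exist_ok=True)
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return jar_path


def demo():
    """Build constructed jars for all five services in a temp dir and mitigate them."""
    root = tempfile.mkdtemp(prefix="bcce-demo-")
    for rel in SERVICE_JARS:
        make_sample_jar(os.path.join(root, rel))
    return mitigate_services(root)


def roundtrip_check():
    """Single-jar walkthrough: (present before, removed, present after, removed again)."""
    jar = make_sample_jar(os.path.join(tempfile.mkdtemp(prefix="bcce-rt-"), "log4j-core-x.jar"))
    before = contains_jndi_lookup(jar)
    removed = remove_jndi_lookup(jar)
    after = contains_jndi_lookup(jar)
    again = remove_jndi_lookup(jar)
    return before, removed, after, again


if __name__ == "__main__":
    for jar, status in demo().items():
        print(f"{status:16} {jar}")
```

Against a real installation, call `mitigate_services("/path/to/bcce")` with the services stopped, then restart them; the `.bak` copies can be deleted once the services come up cleanly. Running the check again afterwards should report every jar as `clean`.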