Log4jShell Mitigation for BusinessConnect Container Edition

Article ID: KB0107983

Products / Versions
TIBCO BusinessConnect Container Edition 1.1.0, 1.1.1

Description

NOTE: These instructions also cover the BusinessConnect Container Edition Plugins (EDI, SOAP, etc.), as they use the main BCCE server for logging purposes.

Update: March 8, 2022: BusinessConnect Container Edition 1.1.1 has been released, which contains the final mitigation of the log4j issue.

TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228 and successors), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system. TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services. Below are initial mitigation steps for this issue. We will provide updates as more information becomes available and we complete our investigation.

Issue/Introduction

Mitigating the Log4jShell Vulnerability in BusinessConnect Container Edition

Environment

all platforms

Resolution

These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2. The general approach is to manually modify the log4j jars by removing the exploitable Java class files contained within them, specifically JndiLookup.class for log4j 2.x. This Java class file is not used by any of the TIBCO BusinessConnect™ Container Edition software.

Applicability

These instructions apply to the TIBCO BusinessConnect™ Container Edition version 1.1.0 only.

Prerequisites:

Unix:

  • zip and unzip packages need to be installed
  • Make sure you add Java/jdk<version>/bin to your system or user PATH environment variable before you can use jar as a system command.
Update log4j Jars in TIBCO BusinessConnect™ Container Edition Services (Unix)

Note: Stop all the running TIBCO BusinessConnect™ Container Edition services and delete their existing images.

Using the same shell (sh/bash) you used to update the server, run the following commands:
 
$ cd <unzip_folder>/bcce-1.1.0
$ zip -q -d <LOG4J_JAR> <FILE_TO_REMOVE>
 
Consult the table below to determine the LOG4J_JAR (path relative to <unzip_folder>/bcce-1.1.0) and the FILE_TO_REMOVE for the service you want to fix:
 
TIBCO BusinessConnect™ Container Edition Services 1.1:

Service                         LOG4J_JAR                                               FILE_TO_REMOVE
ConfigStore Management Server   services/cms/bcce-cms-1.1.0/lib/log4j-core-2.13.3.jar   org/apache/logging/log4j/core/lookup/JndiLookup.class
Auth Server                     services/aus/bcce-aus-1.1.0/lib/log4j-core-2.13.3.jar   org/apache/logging/log4j/core/lookup/JndiLookup.class
Interior Server                 services/is/bcce-is-1.1.0/lib/log4j-core-2.12.1.jar     org/apache/logging/log4j/core/lookup/JndiLookup.class
Gateway Server                  services/gs/bcce-gs-1.1.0/lib/log4j-core-2.12.1.jar     org/apache/logging/log4j/core/lookup/JndiLookup.class
Poller Server                   services/ps/bcce-ps-1.1.0/lib/log4j-core-2.12.1.jar     org/apache/logging/log4j/core/lookup/JndiLookup.class

The FILE_TO_REMOVE is the same for every service; only the LOG4J_JAR path differs.
 
Verify that the desired file was removed:
$ jar tvf <LOG4J_JAR> | grep JndiLookup; echo $?
 
The result should be 1 for all verification steps: grep exits with status 1 when no line matched, so 1 confirms that JndiLookup is no longer listed in the jar, while 0 means the class is still present and the zip -d step must be repeated.
After all the vulnerable services are mitigated, perform the following steps:
  1. Stop all the TIBCO BusinessConnect™ Container Edition services.
  2. Delete all the existing images. (Navigate to worker node and remove the old images.)
  3. Build the images again and restart the servers.
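The following is an added example, not TIBCO's own tooling, that performs the same per-service removal and verification as the zip -d and jar tvf commands above using only Python's standard zipfile module, so it runs without zip or jar installed. The jar paths are the LOG4J_JAR values from the table, taken relative to an assumed <unzip_folder>/bcce-1.1.0 root; the jars it operates on in demo() are constructed stand-ins with a placeholder JndiLookup.class entry, not real log4j artifacts.

```python
"""Added example (not TIBCO code): strip JndiLookup.class from the BCCE log4j-core jars and verify."""
import os
import tempfile
import zipfile

# LOG4J_JAR values from the KB table, relative to <unzip_folder>/bcce-1.1.0 (assumed layout).
BCCE_LOG4J_JARS = [
    "services/cms/bcce-cms-1.1.0/lib/log4j-core-2.13.3.jar",
    "services/aus/bcce-aus-1.1.0/lib/log4j-core-2.13.3.jar",
    "services/is/bcce-is-1.1.0/lib/log4j-core-2.12.1.jar",
    "services/gs/bcce-gs-1.1.0/lib/log4j-core-2.12.1.jar",
    "services/ps/bcce-ps-1.1.0/lib/log4j-core-2.12.1.jar",
]
# FILE_TO_REMOVE from the KB table.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def contains_jndi_lookup(jar_path):
    """Equivalent of `jar tvf <jar> | grep JndiLookup`: True if the class is still in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def remove_jndi_lookup(jar_path):
    """Equivalent of `zip -q -d <jar> <class>`: rewrite the jar without the entry.
    Returns True if the entry was removed, False if the jar was already clean."""
    with zipfile.ZipFile(jar_path) as src:
        entries = src.infolist()
        if not any(e.filename == JNDI_LOOKUP for e in entries):
            return False
        # Write to a temp file next to the jar, then atomically swap it into place.
        tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
        os.close(tmp_fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in entries:
                if info.filename == JNDI_LOOKUP:
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps compression and timestamps
    os.replace(tmp_path, jar_path)
    return True


def mitigate_tree(root):
    """Apply the removal to every jar from the table under `root`.
    Returns {relative_jar_path: 'removed' | 'already-clean' | 'missing'}."""
    results = {}
    for rel in BCCE_LOG4J_JARS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif remove_jndi_lookup(path):
            results[rel] = "removed"
        else:
            results[rel] = "already-clean"
    return results


def verify_tree(root):
    """Verification step: no jar from the table that exists under `root` may still contain the class."""
    return all(not contains_jndi_lookup(os.path.join(root, rel))
               for rel in BCCE_LOG4J_JARS if os.path.isfile(os.path.join(root, rel)))


def build_sample_jar(path):
    """Constructed stand-in for a log4j-core jar (not a real artifact): two placeholder
    entries plus a JndiLookup.class entry, so the example runs offline."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Build a throwaway bcce-1.1.0 tree of sample jars, mitigate it twice and verify it."""
    root = tempfile.mkdtemp(prefix="bcce-1.1.0-")
    for rel in BCCE_LOG4J_JARS:
        build_sample_jar(os.path.join(root, rel))
    first = mitigate_tree(root)     # every jar should report 'removed'
    second = mitigate_tree(root)    # re-running is safe: every jar reports 'already-clean'
    with zipfile.ZipFile(os.path.join(root, BCCE_LOG4J_JARS[0])) as jar:
        remaining = jar.namelist()  # the other entries survive the rewrite
    return {"first": first, "second": second, "clean": verify_tree(root), "remaining": remaining}


if __name__ == "__main__":
    out = demo()
    for jar, status in out["first"].items():
        print(f"{status:14s} {jar}")
    print("verification passed" if out["clean"] else "JndiLookup.class still present")
```

Run mitigate_tree() against the real <unzip_folder>/bcce-1.1.0 directory only with the services stopped, as the note above requires, and treat any 'missing' entry as a sign that the unpacked layout differs from the table rather than as a clean result.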