TIBCO Foresight Translator - Mitigation for CVE-2021-44228 (Log4Shell)

Article ID: KB0107987

Products / Versions
TIBCO Foresight Translator: 4.1.0, 4.0.0, 3.8.0

Description

TIBCO is aware of the recently announced Apache Log4j vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Exploiting it requires an attacker to control the content of a log message, or at least a parameter that ends up in one; vulnerable Log4j 2 releases then evaluate lookups embedded in that string, including the JNDI lookup, which allows arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

Environment

All supported environments

Resolution

Update – 2/3/22
TIBCO has released the following hotfixes for TIBCO Foresight Translator. These hotfixes include version 2.17.1 of Apache Log4j, which mitigates the latest security vulnerabilities reported by Apache (CVE-2021-45046 and CVE-2021-44832). 

TIBCO Foresight Translator (Healthcare and Standard Editions) – 3.8.0 HF3
TIBCO Foresight Translator (Healthcare and Standard Editions) for z/Linux – 3.8.0 HF3

A separate notification was sent for each hotfix with instructions for applying the fix.


Update – 1/20/22
TIBCO has released the following hotfixes for TIBCO Foresight Translator. These hotfixes include version 2.17.1 of Apache Log4j, which mitigates the latest security vulnerabilities reported by Apache (CVE-2021-45046 and CVE-2021-44832). 

TIBCO Foresight Translator (Healthcare and Standard Editions) – 4.0.0 HF7
TIBCO Foresight Translator (Healthcare and Standard Editions) for z/Linux – 4.0.0 HF7

TIBCO Foresight Translator (Healthcare and Standard Editions) – 4.1.0 HF2
TIBCO Foresight Translator (Healthcare and Standard Editions) for z/Linux – 4.1.0 HF2

A separate notification was sent for each hotfix with instructions for applying the fix.

TIBCO is currently working on the hotfix for TIBCO Foresight Translator (Healthcare and Standard Editions) – 3.8.0.


Update – 1/14/22
TIBCO is planning to provide an additional hotfix for Translator that will include Log4j version 2.17.1. The new targeted release date is 1/18/22.

Update – 1/6/22
TIBCO is planning to provide an additional hotfix for Translator that will include Log4j version 2.17.1. We plan to release this hotfix early next week.

Update – 1/4/22
TIBCO has released the following hotfixes for TIBCO Foresight Translator. These hotfixes include version 2.16.0 of Apache Log4j, which mitigates the Log4j vulnerability in Translator.

TIBCO Foresight Translator (Healthcare and Standard Editions) – 4.0.0 HF6
TIBCO Foresight Translator (Healthcare and Standard Editions) for z/Linux – 4.0.0 HF6

TIBCO Foresight Translator (Healthcare and Standard Editions) – 4.1.0 HF1
TIBCO Foresight Translator (Healthcare and Standard Editions) for z/Linux – 4.1.0 HF1

A separate notification was sent for each hotfix with instructions for applying the fix.

TIBCO is currently working on the hotfix for TIBCO Foresight Translator (Healthcare and Standard Editions) – 3.8.0.


Update – 1/3/22
The hotfix that addresses the Log4j security vulnerability will be available soon. Our target release date is 1/4/22. As mentioned previously, the hotfix will include version 2.16.0 of Apache Log4j.

Also, we have received several inquiries regarding Log4j version 2.16.0 and the latest security vulnerability reported by Apache (CVE-2021-45105). In this notification, Apache states “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”

The logging configuration shipped with TIBCO Foresight Translator (Healthcare and Standard Editions) versions 4.0.0 and 4.1.0 does not use a non-default Pattern Layout with a Context Lookup, so the product as delivered is not exposed to this denial-of-service attack. This assessment covers the configuration TIBCO ships; if the Log4j configuration has been customized at your site, check it for Context Lookup patterns before relying on this statement.
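The statement above turns on whether a PatternLayout in the active configuration contains a Context Lookup. The following is an added check, not TIBCO's code and not part of this article, for anyone who has customized a Log4j 2 XML configuration: it parses the file, pulls every PatternLayout pattern (attribute form and nested `<Pattern>` form), and reports which patterns expose CVE-2021-45105 (`$${ctx:...}` lookups below 2.17.0) or CVE-2021-45046 (Context Lookups or `%X`/`%mdc`/`%MDC` Thread Context Map patterns below 2.16.0) at a given Log4j version. The sample configuration, its appender names and patterns are constructed for this example; JSON, YAML and properties-format configurations are not handled.

```python
"""Audit a Log4j 2 XML configuration for the PatternLayout features behind
CVE-2021-45105 (Context Lookups) and CVE-2021-45046 (Context Lookups or
Thread Context Map patterns). XML configurations only. Added example."""
import re
import xml.etree.ElementTree as ET

CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")        # $${ctx:loginId} or ${ctx:loginId}
MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b")  # %X{requestId}, %mdc{...}, %MDC{...}

# Constructed sample: appender names, file names and patterns are made up for this example.
SAMPLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Console>
    <RollingFile name="Audit" fileName="logs/audit.log" filePattern="logs/audit-%i.log">
      <PatternLayout>
        <Pattern>%d %-5p user=$${ctx:loginId} %c - %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
    <File name="Trace" fileName="logs/trace.log">
      <PatternLayout pattern="%d %-5p %X{requestId} %c - %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""


def pattern_layouts(config_xml):
    """Yield (appender name, pattern) for every PatternLayout in document order."""
    root = ET.fromstring(config_xml)
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:  # nested <Pattern>...</Pattern> form
                node = layout.find("Pattern")
                pattern = (node.text or "") if node is not None else ""
            yield element.get("name", element.tag), pattern


def audit(config_xml, log4j_version):
    """Findings as (appender, CVE id, pattern) for a deployment on log4j_version."""
    findings = []
    for name, pattern in pattern_layouts(config_xml):
        uses_ctx = bool(CTX_LOOKUP.search(pattern))
        uses_mdc = bool(MDC_PATTERN.search(pattern))
        # Self-referential lookup in MDC data -> StackOverflowError; fixed in 2.17.0
        if uses_ctx and log4j_version < (2, 17, 0):
            findings.append((name, "CVE-2021-45105", pattern))
        # Attacker-controlled Thread Context data reaching lookups; fixed in 2.16.0
        if (uses_ctx or uses_mdc) and log4j_version < (2, 16, 0):
            findings.append((name, "CVE-2021-45046", pattern))
    return findings
```

Against the sample, `audit(SAMPLE_CONFIG, (2, 16, 0))` flags only the Audit appender for CVE-2021-45105, and `audit(SAMPLE_CONFIG, (2, 17, 1))` returns nothing, which is the state the 2.17.1 hotfixes leave Translator in; a version check alone would not tell you that a `$${ctx:...}` pattern added locally needed 2.17.0 rather than 2.16.0.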


However, we are reviewing the requests to upgrade Log4j to version 2.17. We will provide more information about our plans to include Log4j version 2.17 in a subsequent notification.

Update – 12/20/21
TIBCO is working on the hotfix for TIBCO Foresight Translator (Healthcare and Standard Editions), versions 4.1.0, 4.0.0, 3.8.0. As mentioned previously, the hotfix will include version 2.16.0 of Apache Log4j. We will distribute another notification once it becomes available.

Update – 12/17/21
If you are using one of the plug-ins listed below, you will need to apply the upcoming hotfix for TIBCO Foresight Translator (Healthcare and Standard Editions), versions 4.1.0, 4.0.0, 3.8.0.


  TIBCO ActiveMatrix BusinessWorks Plug-in for HL7 with FHIR
  TIBCO ActiveMatrix BusinessWorks Plug-in for EDI Healthcare Edition
  TIBCO ActiveMatrix BusinessWorks Plug-in for EDI Standard Edition

Instructions for applying the hotfix will be sent when the hotfix is released.
**Note** Version 3.8.0 of TIBCO Foresight Translator (Healthcare and Standard Editions) uses release 1.x of Log4j, which is not affected by this vulnerability (Log4j 1.x does not implement the message lookups that CVE-2021-44228 abuses). However, Apache recommends that organizations upgrade to the latest version (2.16.0) of Apache Log4j 2.

Apache Log4J Vulnerability Update – 12/16/21
Apache has announced that one of the previously recommended mitigation measures does not sufficiently address this vulnerability: “Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10.” Their new recommendation is “to upgrade Log4j to a safe version (2.16.0), or remove the JndiLookup class from the log4j-core jar.”
Source: Apache Log4j Security Vulnerabilities, https://logging.apache.org/log4j/2.x/security.html

In light of this new announcement, TIBCO will provide hotfixes for the product(s) listed below. The hotfixes will include version 2.16.0 of Apache log4j.

TIBCO Foresight Translator (Healthcare and Standard Editions), versions 4.1.0, 4.0.0, 3.8.0

**Note** Version 3.8.0 of TIBCO Foresight Translator (Healthcare and Standard Editions) uses release 1.x of Log4j, which is not affected by this vulnerability (Log4j 1.x does not implement the message lookups that CVE-2021-44228 abuses). However, Apache recommends that organizations upgrade to the latest version (2.16.0) of Apache Log4j 2.

**Note** If you are using either of the products listed below, you will not need to apply the hotfix to TIBCO Foresight Translator. These products utilize the Log4j utility that is included with TIBCO BusinessConnect. Please follow the guidance provided for TIBCO BusinessConnect to address the log4j issue.

  TIBCO BusinessConnect EDI Protocol HIPAA Edition powered by Instream
  TIBCO BusinessConnect EDI Protocol powered by Instream

We will provide updates as more information becomes available. Please contact TIBCO Support with any questions.
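The hotfix levels in the updates above (Log4j 2.16.0 in the 1/4/22 hotfixes, 2.17.1 in the 1/20/22 and 2/3/22 hotfixes) and Apache's fallback of removing JndiLookup from log4j-core both come down to what is actually on disk after the hotfix is applied. The following is an added post-hotfix check, not TIBCO's code and not part of the hotfix instructions: it walks an install tree, reads the version of every log4j-core (and Log4j 1.x) jar from its manifest, lists which of the four CVEs named in this article remain open at that version, and implements Apache's JndiLookup removal as the stop-gap for jars that cannot be upgraded. The jar names, directory layout and manifest contents in the dry run are constructed for the example; the version thresholds are Apache's published fix releases for the 2.x main line, so jars from the 2.3.x and 2.12.x backport branches (which have their own fix releases) would be flagged conservatively.

```python
"""Post-hotfix inventory: find Log4j jars under an install tree, read their
version, list the CVEs still open at that version, and, as a fallback, strip
JndiLookup.class the way Apache described. Added example, not TIBCO code."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Apache's fix releases on the Log4j 2.x main line. The 2.3.x and 2.12.x backport
# branches carry their own fix releases and are flagged conservatively by this table.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Matches log4j-core-2.17.1.jar (Log4j 2) and log4j-1.2.17.jar (Log4j 1.x); log4j-api
# and the log4j-1.2-api bridge do not match, the lookup code lives in log4j-core.
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")
MANIFEST_VERSION = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)

def inspect_jar(jar):
    """(version tuple, JndiLookup present) from the manifest, else from the file name."""
    with zipfile.ZipFile(jar) as z:
        has_jndi = JNDI_LOOKUP in z.namelist()
        try:
            m = MANIFEST_VERSION.search(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        except KeyError:  # jar without a manifest
            m = None
    if m is None:
        m = JAR_NAME.match(jar.name)
    return tuple(int(g) for g in m.groups()), has_jndi

def assess(version, has_jndi_lookup):
    """CVE ids still open for a jar at this version."""
    if version[0] < 2:
        return []  # Log4j 1.x has no message lookups; these four CVEs do not apply to it
    open_cves = [cve for cve, fixed in FIXED_IN.items() if version < fixed]
    if not has_jndi_lookup:
        # Apache's fallback: without JndiLookup the JNDI vector of 44228/45046 is gone.
        # It does nothing for the later CVEs, which stay listed.
        open_cves = [c for c in open_cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return open_cves

def scan(root):
    """One finding per Log4j jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        if not JAR_NAME.match(jar.name):
            continue
        version, has_jndi = inspect_jar(jar)
        findings.append({"path": jar, "version": ".".join(map(str, version)),
                         "jndi_lookup": has_jndi, "open_cves": assess(version, has_jndi)})
    return findings

def strip_jndi_lookup(jar):
    """Rebuild the jar without JndiLookup.class; same effect as
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"""
    jar = Path(jar)
    tmp = jar.with_name(jar.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar)
    return removed

def build_samples(root):
    """Constructed sample jars for a dry run; not real TIBCO or Apache files."""
    samples = [("lib/log4j-core-2.13.3.jar", "2.13.3"),      # never patched
               ("lib/log4j-core-2.16.0.jar", "2.16.0"),      # 1/4/22 hotfix level
               ("plugins/log4j-core-2.14.1.jar", "2.14.1"),  # gets the JndiLookup fallback in demo()
               ("lib/log4j-core-2.17.1.jar", "2.17.1"),      # 1/20/22 and 2/3/22 hotfix level
               ("legacy/log4j-1.2.17.jar", "1.2.17")]        # Log4j 1.x, as Translator 3.8.0 shipped
    for rel, version in samples:
        jar = Path(root, rel)
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if version.startswith("2."):
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder for the class bytes

def demo():
    """Scan the constructed tree, apply the fallback to one jar, scan again."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        rel = lambda f: f["path"].relative_to(root).as_posix()
        before = {rel(f): f["open_cves"] for f in scan(root)}
        strip_jndi_lookup(Path(root, "plugins/log4j-core-2.14.1.jar"))
        after = {rel(f): f["open_cves"] for f in scan(root)}
    return before, after
```

`demo()` runs the dry run; against a real install call `scan("/path/to/Translator")` and look for any finding whose `open_cves` is not empty. In the dry run the 2.17.1 jar and the Log4j 1.x jar come back clean, the 2.16.0 jar still lists CVE-2021-45105 and CVE-2021-44832, and the 2.14.1 jar drops CVE-2021-44228 and CVE-2021-45046 after `strip_jndi_lookup` but keeps the two later CVEs, which is why the removal is a stop-gap and the 2.17.1 hotfix is the actual fix.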

Issue/Introduction

TIBCO Foresight Translator - Mitigation for CVE-2021-44228 (Log4Shell) - Updated on 2/3 - Includes mitigations for CVE-2021-45046 and CVE-2021-44832

Additional Information

Apache Log4J Vulnerability Update

KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services
