| Products | Versions |
|---|---|
| TIBCO Foresight Instream | 9.1.0, 9.0.0, 8.8.0 |
TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.
Update – 1/24/22
TIBCO has released the following hotfixes for TIBCO Foresight Instream. These hotfixes include version 2.17.1 of Apache Log4j, which mitigates the latest security vulnerabilities reported by Apache (CVE-2021-45046 and CVE-2021-44832).
TIBCO Foresight Instream (Healthcare and Standard Editions) – 9.0.0 HF4
TIBCO Foresight Instream (Healthcare and Standard Editions) – 9.1.0 HF9
TIBCO Foresight Instream (Healthcare and Standard Editions) for z/Linux – 9.1.0 HF9
A separate notification was sent for each hotfix with instructions for applying the fix.
TIBCO is currently working on the hotfix for TIBCO Foresight Instream (Healthcare and Standard Editions) – 8.8.0.
Update – 1/14/22
TIBCO is planning to provide an additional hotfix for Instream that will include Log4j version 2.17.1. The new targeted release date is 1/18/21.
Update – 1/6/22
TIBCO is planning to provide an additional hotfix for Instream that will include Log4j version 2.17.1. We plan to release this hotfix early next week.
Update – 12/31/21
We have received several inquiries regarding Log4j version 2.16.0 and the latest security vulnerability reported by Apache (CVE-2021-45105). In this notification, Apache states “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”
The logging configuration included in TIBCO Foresight Instream (Healthcare and Standard Editions) versions 9.0.0 and 9.1.0 does not utilize a non-default Pattern Layout with a Context Lookup. Therefore, the hotfixes that we recently provided, which include Log4j version 2.16, are not vulnerable to this type of attack.
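The statement above rests on one configuration property: whether any PatternLayout in the Log4j 2 configuration contains a Context Lookup such as `$${ctx:loginId}`. The script below is an added example, not TIBCO's or Apache's code, that a practitioner can run against their own `log4j2.xml` to confirm that condition for their deployment, and against the product's `lib` directory listing to confirm which `log4j-core` version is actually shipped after a hotfix. It assumes the standard Log4j 2 XML configuration format and the usual `log4j-core-<version>.jar` naming; the sample configurations and jar names embedded in it are constructed for illustration. Reporting other `${...}` lookups in patterns (beyond `ctx`) is this example's own addition for review purposes, not a condition the advisory names.

```python
"""Check a Log4j 2 XML configuration for the CVE-2021-45105 precondition
(a PatternLayout whose pattern contains a ${ctx:...} Context Lookup) and
confirm the bundled log4j-core version meets a minimum.

Added example; not TIBCO or Apache code. Sample configs and jar names
below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# ${ctx:...} and the escaped form $${ctx:...} used inside Log4j 2 patterns.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")
# Any other ${name:...} lookup; reported for review (assumption: worth a look,
# the advisory itself only names the Context Lookup).
ANY_LOOKUP = re.compile(r"\$\$?\{(\w+):")
# Assumed jar naming convention: log4j-core-2.17.1.jar
JAR_VERSION = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def _local(tag):
    """Strip an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def iter_patterns(root):
    """Yield (appender name, pattern string) for every PatternLayout,
    whether the pattern is given as an attribute or a <Pattern> child."""
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in root.iter():
        if _local(elem.tag) != "PatternLayout":
            continue
        pattern = elem.get("pattern")
        if pattern is None:
            child = next((c for c in elem if _local(c.tag) == "Pattern"), None)
            pattern = (child.text or "") if child is not None else ""
        parent = parents.get(elem)
        appender = parent.get("name", _local(parent.tag)) if parent is not None else "?"
        yield appender, pattern


def find_context_lookups(config_xml):
    """Return [(appender, pattern)] for layouts that use a ${ctx:...} lookup."""
    root = ET.fromstring(config_xml)
    return [(app, pat) for app, pat in iter_patterns(root) if CTX_LOOKUP.search(pat)]


def find_other_lookups(config_xml):
    """Return [(appender, [lookup names])] for any non-ctx lookups in patterns."""
    root = ET.fromstring(config_xml)
    found = []
    for app, pat in iter_patterns(root):
        names = {m.group(1) for m in ANY_LOOKUP.finditer(pat)} - {"ctx"}
        if names:
            found.append((app, sorted(names)))
    return found


def log4j_core_version(jar_names):
    """Return the (major, minor, patch) of log4j-core from a file listing, or None."""
    for name in jar_names:
        m = JAR_VERSION.match(name)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def meets_minimum(version, minimum=(2, 17, 1)):
    """True when a log4j-core version was found and is at or above the minimum."""
    return version is not None and version >= minimum


# Constructed sample: a default-style pattern with no lookups.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the non-default pattern with a Context Lookup that the advisory describes.
RISKY_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d user=$${ctx:loginId} %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Audit"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, "ctx lookups:", find_context_lookups(cfg),
              "other lookups:", find_other_lookups(cfg))
    # Constructed lib listing standing in for a pre-hotfix install.
    listing = ["log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar"]
    ver = log4j_core_version(listing)
    print("log4j-core", ver, "meets 2.17.1:", meets_minimum(ver))
```

To use it on a real install, read the product's `log4j2.xml` into `find_context_lookups` and pass `os.listdir()` of its library directory to `log4j_core_version`; an empty list from the first and `True` from `meets_minimum` together confirm both the configuration claim and the hotfix level.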
However, we are reviewing the requests to upgrade Log4j to version 2.17. We will provide more information about our plans to include Log4j version 2.17 in a subsequent notification.
Update – 12/22/21
TIBCO has released the following hotfixes for TIBCO Foresight Instream. These hotfixes include version 2.16.0 of Apache Log4j, which mitigates the Log4j vulnerability in Instream.
TIBCO Foresight Instream (Healthcare and Standard Editions) – 9.0.0 HF3
TIBCO Foresight Instream (Healthcare and Standard Editions) – 9.1.0 HF8
TIBCO Foresight Instream (Healthcare and Standard Editions) for z/Linux – 9.1.0 HF8
A separate notification was sent for each hotfix with instructions for applying the fix.
TIBCO is currently working on the hotfix for TIBCO Foresight Instream (Healthcare and Standard Editions) – 8.8.0.
Update – 12/20/21
TIBCO is working on the hotfix for TIBCO Foresight Instream (Healthcare and Standard Editions), versions 9.1.0, 9.0.0 and 8.8.0. As mentioned previously, the hotfix will include version 2.16.0 of Apache Log4j. We will distribute another notification once it becomes available.
Apache Log4J Vulnerability Update
KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services