TIBCO Data Virtualization Resolution and Mitigation for Apache Log4Shell Vulnerabilities


Article ID: KB0072466


Products: TIBCO Data Virtualization
Versions: 8.5.0, 8.4.0, 8.3.0, 8.2.0

Description

TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832). TIBCO is also aware of CVE-2021-4104; this issue was investigated as part of our response to CVE-2021-44228 and is addressed by Note 1 below.

  • TIBCO Data Virtualization versions < 8.5 are not affected (see Note 1 below)
  • TIBCO Data Virtualization 8.5.0 is affected, resolution (service pack) available

Note 1:
If a customer has implemented the JMSAppender class for plugins they have written, they should check to make sure they don’t expose this vulnerability. For more details, see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

 

Issue/Introduction

This article contains the mitigation steps for the Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105) for TIBCO Data Virtualization.

Environment

All Supported Platforms

Resolution

TIBCO Data Virtualization 8.5.2 service pack (updating the log4j2 version to 2.17.1) is now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com).  See the attached file "TDV Resolution for Log4Shell.pdf" for the details of the resolution.
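One way to confirm the result after applying the service pack, and to carry out the Note 1 check on custom plugins. This is an added example, not TIBCO's tooling: it assumes jars follow the usual log4j-core-<version>.jar naming, and the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (2, 17, 1)  # log4j2 version delivered by the 8.5.2 service pack (per this article)
# Assumption: jars keep the conventional log4j-core-<version>.jar file name.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")
CONFIG_EXT = (".properties", ".xml")


def audit(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            m = JAR_RE.match(name)
            if m:
                version = tuple(int(g or 0) for g in m.groups())
                if version < FIXED:
                    findings.append((rel, "log4j-core %d.%d.%d < 2.17.1" % version))
            elif name.lower().endswith(CONFIG_EXT):
                # Note 1: custom plugin logging configs that wire in JMSAppender
                with open(path, errors="replace") as fh:
                    if "JMSAppender" in fh.read():
                        findings.append((rel, "references JMSAppender (see Note 1)"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree (not a real TDV layout) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "apps/lib/log4j-core-2.13.3.jar": "",
            "patched/lib/log4j-core-2.17.1.jar": "",
            "plugins/custom/log4j.properties":
                "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n",
            "conf/log4j2.xml": "<Configuration/>\n",
        }
        for rel, body in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Call audit() with the installation directory to check a real deployment. The check is file-name based, so log4j classes repackaged inside other archives are not detected.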

Additional Information

Apache Log4J Vulnerability Update

KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services

TIBCO Data Virtualization 8.5.2 Release notes

Attachments

TIBCO Data Virtualization Resolution and Mitigation for Apache Log4Shell Vulnerabilities