TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and CVE-2021-44832). TIBCO is also aware of CVE-2021-4104 and this issue was investigated as part of our response to CVE-2021-44228. It is addressed by Note 1 below.

• TIBCO Data Virtualization versions < 8.5 are not affected (see Note 1 below)
• TIBCO Data Virtualization 8.5.0 is affected, resolution (service pack) available

Note 1:
If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

 

TIBCO Data Virtualization 8.5.2 service pack (updating the log4j2 version to 2.17.1) is now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com).  See the attached file "TDV Resolution for Log4Shell.pdf" for the details of the resolution.

Apache Log4J Vulnerability Update

• https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update

KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services

• https://support.tibco.com/s/article/Apache-Log4J-Vulnerability-and-Impact-to-TIBCO-Products-and-Services

TIBCO Data Virtualization 8.5.2 Release notes

• https://docs.tibco.com/products/tibco-data-virtualization-8-5-2