StreamBase 7.7 Log4j CVE-2019-17571 Vulnerability Mitigation

Article ID: KB0072551

Products Versions
TIBCO Streaming 7.7

Description

TIBCO StreamBase 7.7 includes log4j-1.2.17.jar which contains known vulnerability CVE-2019-17571 (https://nvd.nist.gov/vuln/detail/CVE-2019-17571).
How can we be certain we are not exposed by this vulnerability?

Issue/Introduction

StreamBase 7.7 does not expose this vulnerability by default. Non-default configurations and actions may require additional mitigation.

Resolution

As stated in our Public Notice:
  Apache Log4J Vulnerability Update (https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
"TIBCO products or services are not impacted by CVE-2019-17571, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307."

This is correct for use of all TIBCO StreamBase 7.x releases and service packs when using the default logging and deployment configurations.

To evaluate your risk with non-default configurations, see the following.

In order to be exposed to the vulnerability identified as CVE-2019-17571, a user with sufficient local rights on the vulnerable system would have to explicitly start the SocketServer process from the command line as follows:
  $ java org.apache.log4j.net.SocketServer {port} {configFile} {configDir}
as documented by Apache here:
  https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/SocketServer.html

The risk from CVE-2019-17571 for Log4j 1.2 is NOT EXPOSED in StreamBase 7.x since the product under default configuration or as a service does not start a Log4j SocketServer process and no Log4j Logger or Appender references it as a source. For example, StreamBase defaults to using Logback (not Log4j) for all logging except when started as a Windows Service. Since logging is configurable, customers must evaluate their own deployment and configuration customizations to ensure the above local command-line steps or their equivalent have not been introduced into the deployment process.

If required by your IT or Security department, the SocketServer implementation may be completely removed without affecting the operation and functionality of StreamBase by deleting its class from the jar as follows (example):
  $ zip -q -d log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class
The default install locations for library "log4j-1.2.17.jar" are (Microsoft Windows):
  C:\tibco\sb-cep\7.7\liveview\server\lib\log4j-1.2.17.jar
  C:\tibco\sb-cep\7.7\lib\ext\log4j-1.2.17.jar

and (Linux):
  /opt/tibco/sb-cep/7.7/liveview/server/lib/log4j-1.2.17.jar
  /opt/tibco/sb-cep/7.7/lib/ext/log4j-1.2.17.jar
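The following Python script is an added example and is not part of this TIBCO article or the StreamBase product. It performs the same check and removal as the `zip -q -d` command above (confirm whether `org/apache/log4j/net/SocketServer.class` is present in a log4j-1.2.17.jar, strip it while keeping a `.bak` copy, and re-check), and additionally greps a log4j properties file for `org.apache.log4j.net.` appender references so a deployment review can see whether any Log4j socket component has been configured. The jar it operates on and the properties file are constructed stand-ins built in a temporary directory (placeholder entries, not real bytecode); point `strip_socket_server` at the install paths listed above to use it on a real deployment.

```python
"""Check a Log4j 1.2 jar for SocketServer.class and optionally strip it.

Added example for KB0072551; not TIBCO code. The jar and config used by
demo() are constructed samples, not files from a StreamBase install.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# Entry named in the article's `zip -q -d` command.
SOCKET_SERVER_ENTRY = "org/apache/log4j/net/SocketServer.class"

# Constructed log4j.properties fragment (assumption: shape of a hand-edited
# customer config, not a StreamBase default).
SAMPLE_CONFIG = """# constructed sample, not from a StreamBase install
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.net=org.apache.log4j.net.SocketAppender
log4j.appender.net.RemoteHost=localhost
"""


def socket_server_present(jar_path: str) -> bool:
    """True if the jar still ships the Log4j 1.2 SocketServer class."""
    with zipfile.ZipFile(jar_path) as jar:
        return SOCKET_SERVER_ENTRY in jar.namelist()


def strip_socket_server(jar_path: str) -> bool:
    """Rewrite the jar without SocketServer.class (same effect as `zip -d`).

    Returns True if the entry was removed, False if it was already absent.
    The original jar is kept beside the rewritten one as <name>.bak.
    """
    path = Path(jar_path)
    buf = io.BytesIO()
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == SOCKET_SERVER_ENTRY:
                removed = True
                continue
            # Copy every other entry unchanged (ZipInfo keeps its own
            # compression method and timestamps).
            dst.writestr(info, src.read(info.filename))
    if removed:
        path.with_suffix(path.suffix + ".bak").write_bytes(path.read_bytes())
        path.write_bytes(buf.getvalue())
    return removed


def socket_references(config_text: str) -> list:
    """Non-comment config lines that reference Log4j's org.apache.log4j.net
    package (SocketAppender, SocketHubAppender and friends)."""
    return [
        line.strip()
        for line in config_text.splitlines()
        if "org.apache.log4j.net." in line and not line.lstrip().startswith("#")
    ]


def build_sample_jar(jar_path: str) -> None:
    """Constructed stand-in for log4j-1.2.17.jar: placeholder entries only."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"placeholder")
        jar.writestr(SOCKET_SERVER_ENTRY, b"placeholder")


def demo() -> dict:
    """Run check -> strip -> re-check against the constructed jar."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = str(Path(tmp) / "log4j-1.2.17.jar")
        build_sample_jar(jar)
        before = socket_server_present(jar)
        removed = strip_socket_server(jar)
        after = socket_server_present(jar)
        with zipfile.ZipFile(jar) as z:
            remaining = z.namelist()
        second = strip_socket_server(jar)  # idempotent: nothing left to remove
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "remaining": remaining,
        "second": second,
        "config_refs": socket_references(SAMPLE_CONFIG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Removing the class only closes the SocketServer entry point; the `config_refs` output is the reminder that a customised log4j configuration can still wire up socket appenders, which is the part the article asks customers to review in their own deployments.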