TIBCO BusinessWorks Ecosystem Resolution and Mitigation for Apache Log4J Vulnerabilities
Article ID: KB0072718
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks | 5.x, 6.x |
| TIBCO Cloud Integration | - |
| TIBCO Runtime Agent (TRA) | - |
Description
TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).
TIBCO is also aware of CVE-2021-4104 and this issue was investigated as part of our response to CVE-2021-44228.
It is addressed by Note 1 below.
Environment
All
Resolution
This article provides the required information for the BW ecosystem - BW5, BW6, BWCE, TCI and the plugins.
Products whose current standard support versions either do not use Apache Log4J or are not on an affected version of Log4J:
- TRA 5.11.x / Administrator 5.11.x / BW 5.14.x, all BW5 adapters and plugin ecosystem and its earlier versions. See Notes 1 and 2 below.
- TCI, and all versions of BW6, BWCE, and plugin ecosystems. See Notes 1 and 2 below.
Notes:
- If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723.
- If a customer has developed their own java code or installed 3rd party libraries they should check to make sure they don't expose this vulnerability. This applies to BW5, BW6, TCI, BWCE, and the plugin ecosystems.
Affected Products with Fixes
The TRA 5.12.0 Hotfix-01 addresses CVE-2021-44228, CVE-2021-45046 for the following products:- TIBCO BusinessWorks™ 5.15
- TIBCO Administrator™ 5.12
- TIBCO ActiveMatrix® Adapter for Database 7.3
- TIBCO ActiveMatrix® Adapter for Files for Unix/Win 7.1
- TIBCO ActiveMatrix® Adapter for SAP 7.3
Issue/Introduction
This article contains the resolution and mitigation steps for Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) for the TIBCO BusinessWorks Ecosystem - 5.x, 6.x, BWCE, TCI and all adapters and plugins.
Additional Information
Apache Log4J Vulnerability Update
• https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update
KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services
• https://support.tibco.com/s/article/Apache-Log4J-Vulnerability-and-Impact-to-TIBCO-Products-and-Services
KB 000045659 TIBCO Runtime Agent 5.12.0 Hotfix-01
• https://support.tibco.com/s/article/TIBCO-Runtime-Agent-TRA-5-12-0-Hotfix-01-is-now-available
• https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update
KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services
• https://support.tibco.com/s/article/Apache-Log4J-Vulnerability-and-Impact-to-TIBCO-Products-and-Services
KB 000045659 TIBCO Runtime Agent 5.12.0 Hotfix-01
• https://support.tibco.com/s/article/TIBCO-Runtime-Agent-TRA-5-12-0-Hotfix-01-is-now-available
Feedback
Yes
No
Powered by
