Legacy ibi Releases and Apache Log4J Vulnerabilities

Article ID: KB0072752

Products Versions
ibi WebFOCUS -
ibi Omni -
ibi FOCUS -

Description

TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228 and/or CVE-2021-45046). Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. These vulnerabilities theoretically enable arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J vulnerabilities and our Product Security Incident Response Team (PSIRT) is actively evaluating how these may affect TIBCO products and cloud services.

The following releases of legacy ibi products are not impacted by CVE-2021-44228 or CVE-2021-45046, remote code execution vulnerabilities in Apache Log4J.
  • TIBCO WebFOCUS Releases 8204 and earlier
  • TIBCO Data Migrator Releases 8204 and earlier
  • TIBCO WebFOCUS App Studio (all releases) 
  • TIBCO iWay Service Manager (all releases)
  • Mainframe FOCUS (all releases)

Environment

All

Resolution

To obtain hotfixes for TIBCO WebFOCUS 8207.28 and TIBCO Omni-Gen, see the available hotfixes here.

Hotfixes for legacy WebFOCUS releases (8206.33 and 8207.0 - 8207.26) are available on demand by opening a case with TIBCO Support. Note that the recommendation for anyone on the WebFOCUS 8205 release is to apply 8206.33. 

Issue/Introduction

This article describes legacy ibi product releases not impacted by Apache Log4J vulnerabilities, and how to obtain hotfixes for impacted releases.

Additional Information

Apache Log4J Vulnerability Update