| Products | Versions |
|---|---|
| ibi Omni | 3.16 and higher |
| ibi Omni-HealthData | 3.16 and higher |
| ibi Omni-Insurance | 3.16 and higher |

TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228 and CVE-2021-45046). Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system.
TIBCO’s Security Team is actively monitoring new information about the Apache Log4J vulnerability, and our Product Security Incident Response Team (PSIRT) is evaluating how these vulnerabilities may affect TIBCO products and cloud services.
See the attached documents for the initial mitigation steps for the issue. These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2.
We will provide updates as more information becomes available and we complete our investigation. Please contact TIBCO Support with any questions.
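To confirm which `log4j-core` copies under an installation still need attention, the following added example (not TIBCO's code and not taken from the attached documents) scans a directory tree, including JARs nested inside WAR/EAR files, and reports whether `JndiLookup.class` is still present. It assumes the Apache-documented mitigation of removing that class from `log4j-core`, and it treats 2.16.0 and the 2.12.2 Java 7 line as the releases that address both CVEs named above; the status names are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

# Class that the Apache-documented mitigation removes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def classify(name, entries):
    """Status of one archive from its file name and its set of entry names."""
    m = CORE_JAR.search(name)
    has_jndi = JNDI_CLASS in entries
    if m is None:
        # Renamed or shaded JAR that bundles the class directly.
        return "embedded-copy" if has_jndi else None
    if not has_jndi:
        return "mitigated"            # JndiLookup.class has been removed
    version = tuple(int(g or 0) for g in m.groups())
    # Assumption: only CVE-2021-44228 and CVE-2021-45046 are considered,
    # which Apache addressed in 2.16.0 and in 2.12.2 for Java 7.
    if version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0):
        return "patched"
    return "needs-mitigation"

def scan_archive(label, data, findings):
    """Inspect one archive (as bytes) and recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((label, "unreadable"))
        return
    with zf:
        names = zf.namelist()
        status = classify(label, set(names))
        if status:
            findings.append((label, status))
        for inner in names:
            if inner.lower().endswith(ARCHIVES):
                scan_archive(f"{label}!/{inner}", zf.read(inner), findings)

def scan_tree(root):
    """Return [(location, status)] for every log4j-core copy found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(str(path), path.read_bytes(), findings)
    return findings
```

Call `scan_tree()` on the product installation directory (the path is site-specific) before and after applying the mitigation; any entry reported as `needs-mitigation` or `embedded-copy` still ships `JndiLookup.class`.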
Document history
Version 1.1 (December 15, 2021): Updated mitigation steps based on new information provided by CVE-2021-45046.
Version 1.0 (December 14, 2021): Initial version.
Apache Log4J Vulnerability Update
KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services