TIBCO Offer and Price Engine: Mitigation for CVE-2021-44228 (Log4Shell)

Article ID: KB0072783

Product: TIBCO Offer and Price Engine
Version: 5.0.0

Description

TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Exploiting it requires an attacker to control the content of a log message, or at least the parameters that are interpolated into one. The vulnerability can allow arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

Issue/Introduction

This article contains the mitigation steps for the Apache Log4J vulnerability (CVE-2021-44228) for TIBCO Offer and Price Engine v5.0.0.

Resolution

The following steps apply to TIBCO Offer and Price Engine v5.0.0 with hotfix#002 installed and are to be performed on top of that hotfix.

Step 1: Download the updated JARs.

 1. log4j-api-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar

 2. log4j-core-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar

 3. log4j-jul-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.16.0/log4j-jul-2.16.0.jar

 4. log4j-slf4j-impl-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.16.0/log4j-slf4j-impl-2.16.0.jar

 5. log4j-to-slf4j-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j/2.16.0/log4j-to-slf4j-2.16.0.jar

 6. disruptor-3.4.4.jar - Download Link: https://repo1.maven.org/maven2/com/lmax/disruptor/3.4.4/disruptor-3.4.4.jar

Step 2: For each of the services below, replace or add the listed jars in <OPE_HOME>/docker/<Service-name>/5.0/standalone/lib:

1. Auth-Center Service:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-to-slf4j-2.11.2 with log4j-to-slf4j-2.16.0
        3. Add disruptor-3.4.4.jar
        4. Add log4j-core-2.16.0.jar

2. MLE:
        1. Replace log4j-api-2.13.3 with log4j-api-2.16.0
        2. Replace log4j-core-2.13.3 with log4j-core-2.16.0
        3. Replace log4j-jul-2.11.2 with log4j-jul-2.16.0
        4. Replace log4j-slf4j-impl-2.11.2 with log4j-slf4j-impl-2.16.0

3. MSG Adapter:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-core-2.11.2 with log4j-core-2.16.0
        3. Replace log4j-jul-2.11.2 with log4j-jul-2.16.0
        4. Replace log4j-slf4j-impl-2.11.2 with log4j-slf4j-impl-2.16.0

4. OPE:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-core-2.11.2 with log4j-core-2.16.0
        3. Replace log4j-jul-2.11.2 with log4j-jul-2.16.0
        4. Replace log4j-slf4j-impl-2.11.2 with log4j-slf4j-impl-2.16.0

5. OPE Gateway:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-to-slf4j-2.11.2 with log4j-to-slf4j-2.16.0
        3. Add disruptor-3.4.4.jar
        4. Add log4j-core-2.16.0.jar
        
Step 3: Start the Offer and Price Engine services in either of the following ways:

    a. With Docker
       To start with a Docker container, follow the instructions in the README.txt
       file present for each service at the "/docker/<service_name>/5.0" location.
    b. With Scripts
       i. Set the following environment variables: JAVA_HOME, EMS_HOME, CONSUL_HOST,
          CONSUL_PORT and AF_CONFIG_HOME (pointing to the exact location where
          ope_config.xml is present, "/docker/ope/5.0/ope-config").
       ii. Start the following services:
           - start the msgadapter service by running the "/start.sh -DemsUrl=emsURL
             -DemsUsername=emsUserName -DemsPassword=emsPassword" command
           - start the mle, ope, and authcenter services by running the "start.sh" command
           - start the opegateway service by running the
             "./start.sh -DAUTH_SERVICE_ENDPOINT=authServiceUrl
              -DOPE_SERVICE_ENDPOINT=opeServiceUrl
              -DMLE_SERVICE_ENDPOINT=mleServiceUrl" command
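Before running Step 3 it is worth confirming that Step 2 left each service's lib directory in the intended state: every log4j jar at 2.16.0, no stale 2.11.2 or 2.13.3 copy still sitting beside the new one (two log4j-core versions on the same classpath is a common way for the mitigation to silently fail), and the jars that Step 2 says to add actually present. The following POSIX shell script is an added verification example written for this article; it is not TIBCO tooling. It assumes the layout named above, <OPE_HOME>/docker/<service>/5.0/standalone/lib, and that the service directory names match the service names used in Step 3 (authcenter, mle, msgadapter, ope, opegateway); adjust the list in check_ope_home if your installation names them differently.

```shell
#!/bin/sh
# Added verification example, not TIBCO's own script.
# Assumes <OPE_HOME>/docker/<service>/5.0/standalone/lib as described in this article.
# Usage: sh check_ope_log4j.sh /path/to/OPE_HOME

EXPECTED_LOG4J="2.16.0"     # version Step 2 upgrades to
EXPECTED_DISRUPTOR="3.4.4"  # added alongside log4j-core for the two gateway-style services

# Artifacts each service must carry after Step 2 (taken from the replace/add lists).
required_jars() {
    case "$1" in
        authcenter|opegateway) echo "log4j-api log4j-to-slf4j log4j-core disruptor" ;;
        mle|msgadapter|ope)    echo "log4j-api log4j-core log4j-jul log4j-slf4j-impl" ;;
        *)                     echo "" ;;
    esac
}

# check_lib_dir <service> <libdir>
# Prints one finding per line (OK / STALE / MISSING). Returns 0 only when every
# log4j-*.jar in the directory is at $EXPECTED_LOG4J and every required artifact
# is present at the expected version.
check_lib_dir() {
    svc="$1"; libdir="$2"; rc=0

    # 1. Any log4j jar still at an old version (e.g. log4j-core-2.11.2.jar left behind)
    for jar in "$libdir"/log4j-*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        ver=${name##*-}            # text after the last '-' is the version
        if [ "$ver" != "$EXPECTED_LOG4J" ]; then
            echo "STALE   $svc: $name.jar (expected $EXPECTED_LOG4J)"; rc=1
        fi
    done

    # 2. Required artifacts present at the expected version
    for art in $(required_jars "$svc"); do
        case "$art" in
            disruptor) want="$libdir/disruptor-$EXPECTED_DISRUPTOR.jar" ;;
            *)         want="$libdir/$art-$EXPECTED_LOG4J.jar" ;;
        esac
        if [ -e "$want" ]; then
            echo "OK      $svc: $(basename "$want")"
        else
            echo "MISSING $svc: $(basename "$want")"; rc=1
        fi
    done
    return $rc
}

# check_ope_home <OPE_HOME>
# Runs the check for all five services; returns 0 only if every service passes.
check_ope_home() {
    home="$1"; overall=0
    for svc in authcenter mle msgadapter ope opegateway; do
        check_lib_dir "$svc" "$home/docker/$svc/5.0/standalone/lib" || overall=1
    done
    return $overall
}

# Stand-alone use: pass OPE_HOME as the first argument.
if [ "$#" -ge 1 ]; then
    check_ope_home "$1"
    exit $?
fi
```

A non-zero exit from check_ope_home means at least one STALE or MISSING line was printed; fix that service's lib directory and re-run before starting the services. The version check is deliberately strict (exactly 2.16.0, the version this article specifies) rather than "at least 2.16.0", so that an unexpected jar from another source is reported rather than accepted.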

If you have questions about these steps please contact TIBCO Support.

Additional Information

Apache Log4J Vulnerability Update
https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update

KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services
https://support.tibco.com/s/article/Apache-Log4J-Vulnerability-and-Impact-to-TIBCO-Products-and-Services