TIBCO iProcess Resolution and Mitigation for Apache Log4J Vulnerabilities (Log4Shell)

Article ID: KB0070501

Products

  • TIBCO iProcess Engine (Oracle)
  • TIBCO iProcess Engine (DB2)
  • TIBCO iProcess Technology Plug-ins

Description

TIBCO is aware of the recently announced Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832). TIBCO is also aware of CVE-2021-4104, which was investigated as part of our response to CVE-2021-44228; it is addressed in Note 1 below.

TIBCO continues to make the investigation and remediation of this vulnerability its top priority. We will provide updates for the TIBCO iProcess product suite via this article if more information becomes available. Please contact TIBCO Support with any questions.

TIBCO iProcess products that are affected by CVE-2021-44228 and CVE-2021-45046

  • TIBCO iProcess Engine (Oracle) 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Engine (SQL) 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Engine (DB2) 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Technology Plug-ins 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Workspace Plug-ins 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Workspace (Browser) 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Web Services Server Plug-in 11.8.x - resolution (service pack) and mitigation is available
  • TIBCO iProcess Web Services Client Plug-in 11.8.x - resolution (service pack) and mitigation is available


TIBCO iProcess products that are not affected

  • TIBCO iProcess Engine (Oracle) 11.7.x and below
  • TIBCO iProcess Engine (SQL) 11.7.x and below
  • TIBCO iProcess Engine (DB2) 11.7.x and below
  • TIBCO iProcess Technology Plug-ins 11.7.x and below
  • TIBCO iProcess Workspace (Windows) 11.8.x and below - If the Workspace Plug-ins 11.8.0 and/or the Web Services Client Plug-in 11.8.0 are installed inside Workspace (Windows) 11.8.0, see resolution or mitigation steps.
  • TIBCO iProcess Workspace Plug-ins 11.7.x and below
  • TIBCO iProcess Workspace (Browser) 11.7.x and below
  • TIBCO iProcess Web Services Server Plug-in 11.7.x and below
  • TIBCO iProcess Web Services Client Plug-in 11.7.x and below


Note 1:

If you have any custom implementations that use the JMSAppender class, check them to make sure they do not expose vulnerability CVE-2021-4104. For more details, see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Note 2:

The denial of service vulnerability CVE-2021-45105 is related to certain logging patterns with context lookups. No TIBCO iProcess products use patterns with context lookups out of the box. However, if you have added such a pattern, this must be reverted. Please refer to Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html) for more information.
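To check for the patterns Note 2 describes, here is an added shell script (not TIBCO's tooling) that scans log4j2 XML configuration files for `${ctx:...}` and `$${ctx:...}` lookups inside pattern attributes and rewrites them to the thread-context `%X{...}` converter that the Apache advisory recommends as the replacement. The two sample configuration files it writes are constructed for the demonstration; the file names and function names are assumptions, and `sed -E` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example, not TIBCO tooling: audit log4j2 XML configuration files for
# the context-lookup patterns Note 2 says must be reverted (CVE-2021-45105),
# and rewrite ${ctx:NAME} in pattern attributes to the %X{NAME} form.
# Assumes: POSIX sh plus `sed -E` (GNU or BSD). File names are assumptions.

# find_context_lookups FILE...: print "file:line:text" for every line that
# contains a ${ctx:...} or $${ctx:...} lookup. Exit 0 if any found, 1 otherwise.
find_context_lookups() {
    grep -nE '\$\$?\{ctx:' "$@"
}

# count_context_lookups FILE...: total number of offending lines across the files.
count_context_lookups() {
    grep -cE '\$\$?\{ctx:' "$@" 2>/dev/null | awk -F: '{ n += $NF } END { print n + 0 }'
}

# fix_context_lookups FILE: on lines carrying a pattern="..." attribute, replace
# ${ctx:NAME} / $${ctx:NAME} with %X{NAME}. %X is a PatternLayout converter and
# is not expanded by the recursive lookup engine that the DoS abuses.
# Writing through `cat >` keeps the file's inode, owner and permissions.
fix_context_lookups() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed -E '/pattern=/ s/\$\$?\{ctx:([A-Za-z0-9_.-]+)\}/%X{\1}/g' "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# write_sample_configs DIR: constructed sample files for the demonstration.
write_sample_configs() {
    d=$1
    mkdir -p "$d" || return 1
    # Constructed: a custom pattern that embeds a context lookup (the case Note 2 warns about).
    cat > "$d/log4j2-custom.xml" <<'EOF'
<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
EOF
    # Constructed: the same layout using the thread-context converter instead.
    cat > "$d/log4j2-safe.xml" <<'EOF'
<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
EOF
}
```

Running `find_context_lookups` over every log4j2 configuration file an installation loads gives a quick inventory; `fix_context_lookups` only touches lines with a `pattern=` attribute, because a `$${ctx:...}` used elsewhere in a configuration (for example in an appender file name) has no `%X` equivalent and needs to be removed by hand.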

Note 3:

TIBCO iProcess products are unaffected by vulnerability CVE-2021-44832.

Issue/Introduction

This article contains resolution and mitigation steps for Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) for the TIBCO iProcess product suite.

Environment

All

Resolution

January 5th: The following Service Packs (updating Log4j2 to version 2.16.0) for iProcess Products are now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com). These service packs contain a fix for CVE-2021-44228 as well as CVE-2021-45046. 
  • TIBCO iProcess Engine (Oracle) 11.8.1
  • TIBCO iProcess Engine (SQL) 11.8.1
  • TIBCO iProcess Engine (DB2) 11.8.1
  • TIBCO iProcess Technology Plug-ins 11.8.1
  • TIBCO iProcess Workspace Plug-ins 11.8.1
  • TIBCO iProcess Workspace (Browser) 11.8.1
  • TIBCO iProcess Web Services Server Plug-in 11.8.1
  • TIBCO iProcess Web Services Client Plug-in 11.8.1

Mitigation

Note: Make sure file permissions are not modified after replacing the jars.

Step 1: Download apache-log4j-2.16.0-bin.tar.gz and extract it.

https://archive.apache.org/dist/logging/log4j/2.16.0/

We need these two jars after extraction:

apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar

Step 2: Delete the 2.11.1 log4j jars from the following locations:

For iProcess Engine / iProcess Technology Plug-ins:

$SWDIR/jar/tp/log4j-core-2.11.1.jar
$SWDIR/jar/tp/log4j-api-2.11.1.jar
$SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-core-2.11.1.jar
$SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-api-2.11.1.jar
$SWDIR/sdks/deploysdk/libraries/log4j-core-2.11.1.jar
$SWDIR/sdks/deploysdk/libraries/log4j-api-2.11.1.jar
$SWDIR/eaijava/libs/bootstrap/log4j-core-2.11.1.jar
$SWDIR/eaijava/libs/bootstrap/log4j-api-2.11.1.jar

For BusinessWorks / iProcess Technology Plug-ins:

TIBCO_HOME\bw\plugins\lib\palettes\log4j-core-2.11.1.jar
TIBCO_HOME\bw\plugins\lib\palettes\log4j-api-2.11.1.jar

For iProcess Workspace (Windows) / iProcess Workspace Plug-Ins:

IPWW_HOME\eai_bw\libs\bootstrap\log4j-core-2.11.1.jar
IPWW_HOME\eai_bw\libs\bootstrap\log4j-api-2.11.1.jar
IPWW_HOME\eaijava\libs\bootstrap\log4j-core-2.11.1.jar
IPWW_HOME\eaijava\libs\bootstrap\log4j-api-2.11.1.jar

For iProcess Workspace (Windows) / iProcess Web Services Client-Plug-in:

IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-core-2.11.1.jar
IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-api-2.11.1.jar
IPWW_HOME\java_common\libs\log4j-core-2.11.1.jar
IPWW_HOME\java_common\libs\log4j-api-2.11.1.jar

For iProcess Web Services Server-Plug-in:

JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-core-2.11.1.jar
JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-api-2.11.1.jar
JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-core-2.11.1.jar
JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-api-2.11.1.jar

For iProcess Workspace (Browser):

TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-api-2.11.1.jar
TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-core-2.11.1.jar

Step 3: Copy 2.16.0 log4j jars into the following locations:

For iProcess Engine / iProcess Technology Plug-ins:

Copy log4j-core-2.16.0.jar to $SWDIR/jar/tp/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/jar/tp/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/sdks/deploysdk/libraries/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/sdks/deploysdk/libraries/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/eaijava/libs/bootstrap/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/eaijava/libs/bootstrap/log4j-api-2.16.0.jar

For BusinessWorks / iProcess Technology Plug-ins:

Copy log4j-core-2.16.0.jar to TIBCO_HOME\bw\plugins\lib\palettes\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to TIBCO_HOME\bw\plugins\lib\palettes\log4j-api-2.16.0.jar

For iProcess Workspace (Windows) / iProcess Workspace Plug-ins:

Copy log4j-core-2.16.0.jar to IPWW_HOME\eai_bw\libs\bootstrap\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eai_bw\libs\bootstrap\log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to IPWW_HOME\eaijava\libs\bootstrap\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eaijava\libs\bootstrap\log4j-api-2.16.0.jar

For iProcess Workspace (Windows) / iProcess Web Services Client-Plug-in:

Copy log4j-core-2.16.0.jar to IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to IPWW_HOME\java_common\libs\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\java_common\libs\log4j-api-2.16.0.jar

For iProcess Web Services Server-Plug-in:

Copy log4j-core-2.16.0.jar to JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-api-2.16.0.jar

For iProcess Workspace (Browser):

Copy log4j-core-2.16.0.jar to TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-api-2.16.0.jar

Step 4: Modify the files and environment variables below so that every reference to a 2.11.1 log4j jar file points to the corresponding 2.16.0 jar.

For iProcess Workspace (Windows) / iProcess Workspace Plug-ins / iProcess Web Service Client Plug-in:

Update the environment variable: SW_CLIENTCLASSPATH

For iProcess Workspace (Windows) / iProcess Web Services Client Plug-in update the following file:

IPWW_HOME\eai_websvcs\passwordmanager.cmd

For iProcess Engine / iProcess Technology Plug-ins / iProcess Web Services Server Plug-in on a Windows system:

Update the environment variable: SW_SYSCLASSPATH

For iProcess Engine / iProcess Technology Plug-ins on a Unix/Linux system:

Update any user environment variables that currently set SW_SYSCLASSPATH
Update the following files:
$SWDIR/eaijava/scripts/env.sh
$SWDIR/jmsadmin/upgrade.sh

For iProcess Engine (Windows/Unix/Linux):

Update the following files:
$SWDIR/etc/swjmx_classpath.properties
$SWDIR/etc/iapjms_classpath.properties

For iProcess Web Services Server Plug-in:

Update the following files:

JETTY_HOME/passwordmanager.cmd
JETTY_HOME/securitymanager.cmd
JETTY_HOME/urladmin.cmd
JETTY_HOME/passwordmanager.sh
JETTY_HOME/securitymanager.sh
JETTY_HOME/urladmin.sh
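Steps 2 to 4 above can be automated and then verified for an iProcess Engine installation on Unix/Linux. The script below is an added example, not TIBCO's own tooling: it swaps each pair of jars in the directories the article lists, carries the old jar's permission bits over to the new one (the permissions note above), rewrites the jar names in the classpath files the article lists, and finally audits $SWDIR for anything still referring to 2.11.1. It assumes GNU coreutils (`chmod --reference`), that $SWDIR is set, and a $LOG4J_BIN variable (an assumption, not from the article) pointing at the extracted apache-log4j-2.16.0-bin directory; the function names are mine.

```shell
#!/bin/sh
# Added example, not TIBCO tooling: automate Steps 2 to 4 of the mitigation for
# an iProcess Engine install on Unix/Linux and verify the result.
# Assumptions: GNU coreutils (chmod --reference); $SWDIR set to the engine
# install; $LOG4J_BIN (assumed name) set to the extracted apache-log4j-2.16.0-bin
# directory. The relative directories and files are the ones the article lists.
OLD_VER=2.11.1
NEW_VER=2.16.0

# Directories under $SWDIR that hold the log4j jars (Step 2 / Step 3).
ENGINE_JAR_DIRS="jar/tp tomcat/webapps/API/WEB-INF/lib sdks/deploysdk/libraries eaijava/libs/bootstrap"
# Files under $SWDIR that embed the jar names in a classpath (Step 4).
ENGINE_CLASSPATH_FILES="eaijava/scripts/env.sh jmsadmin/upgrade.sh etc/swjmx_classpath.properties etc/iapjms_classpath.properties"

# swap_jar DIR ARTIFACT: place ARTIFACT-$NEW_VER.jar beside ARTIFACT-$OLD_VER.jar,
# copy the old jar's permission bits onto it, then delete the old jar.
# Returns non-zero (and changes nothing) if either jar is missing.
swap_jar() {
    dir=$1; artifact=$2
    old="$dir/$artifact-$OLD_VER.jar"
    new="$dir/$artifact-$NEW_VER.jar"
    src="$LOG4J_BIN/$artifact-$NEW_VER.jar"
    [ -f "$old" ] || { echo "missing: $old" >&2; return 1; }
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    cp "$src" "$new" || return 1
    chmod --reference="$old" "$new" || return 1   # GNU coreutils
    rm -f "$old"
}

# rewrite_refs FILE: point every old jar reference in a classpath file at the
# new jar. Writing through `cat >` keeps the file's inode, owner and mode.
rewrite_refs() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s/log4j-core-$OLD_VER\.jar/log4j-core-$NEW_VER.jar/g; s/log4j-api-$OLD_VER\.jar/log4j-api-$NEW_VER.jar/g" "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# mitigate_engine: swap both jars in every listed directory, then rewrite every
# listed classpath file. Stops at the first failure.
mitigate_engine() {
    for d in $ENGINE_JAR_DIRS; do
        swap_jar "$SWDIR/$d" log4j-core || return 1
        swap_jar "$SWDIR/$d" log4j-api  || return 1
    done
    for f in $ENGINE_CLASSPATH_FILES; do
        rewrite_refs "$SWDIR/$f" || return 1
    done
}

# audit_old_log4j: print the number of old jar files plus files that still
# reference an old jar anywhere under $SWDIR. Expected after mitigation: 0.
audit_old_log4j() {
    jars=$(find "$SWDIR" -type f -name "log4j-*-$OLD_VER.jar" | wc -l | tr -d ' ')
    refs=$(grep -rlE "log4j-(core|api)-$OLD_VER\.jar" "$SWDIR" 2>/dev/null | wc -l | tr -d ' ')
    echo $((jars + refs))
}
```

Run `mitigate_engine && audit_old_log4j` with the engine stopped; a non-zero audit count means some location outside the article's list still references 2.11.1 and needs a manual look. The user-level SW_SYSCLASSPATH setting mentioned in Step 4 lives in each user's shell profile and is deliberately not touched by the script.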

If you have questions about these steps please contact TIBCO Support.

Additional Information

TIBCO's Apache Log4J Vulnerability Daily Update