Resolution
January 5th: The following Service Packs (updating Log4j2 to version 2.16.0) for iProcess products are now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com). These service packs contain a fix for CVE-2021-44228 as well as CVE-2021-45046.
- TIBCO iProcess Engine (Oracle) 11.8.1
- TIBCO iProcess Engine (SQL) 11.8.1
- TIBCO iProcess Engine (DB2) 11.8.1
- TIBCO iProcess Technology Plug-ins 11.8.1
- TIBCO iProcess Workspace Plug-ins 11.8.1
- TIBCO iProcess Workspace (Browser) 11.8.1
- TIBCO iProcess Web Services Server Plug-in 11.8.1
- TIBCO iProcess Web Services Client Plug-in 11.8.1
Mitigation
Note: After replacing the jars, check that their file permissions match those of the jars they replaced.
Step 1: Download apache-log4j-2.16.0-bin.tar.gz from https://archive.apache.org/dist/logging/log4j/2.16.0/ and extract it. We need these two jars after extraction:
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
Step 2: Delete the 2.11.1 log4j jars from the following locations:
For iProcess Engine / iProcess Technology Plug-ins:
$SWDIR/jar/tp/log4j-core-2.11.1.jar
$SWDIR/jar/tp/log4j-api-2.11.1.jar
$SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-core-2.11.1.jar
$SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-api-2.11.1.jar
$SWDIR/sdks/deploysdk/libraries/log4j-core-2.11.1.jar
$SWDIR/sdks/deploysdk/libraries/log4j-api-2.11.1.jar
$SWDIR/eaijava/libs/bootstrap/log4j-core-2.11.1.jar
$SWDIR/eaijava/libs/bootstrap/log4j-api-2.11.1.jar
For BusinessWorks / iProcess Technology Plug-ins:
TIBCO_HOME\bw\plugins\lib\palettes\log4j-core-2.11.1.jar
TIBCO_HOME\bw\plugins\lib\palettes\log4j-api-2.11.1.jar
For iProcess Workspace (Windows) / iProcess Workspace Plug-ins:
IPWW_HOME\eai_bw\libs\bootstrap\log4j-core-2.11.1.jar
IPWW_HOME\eai_bw\libs\bootstrap\log4j-api-2.11.1.jar
IPWW_HOME\eaijava\libs\bootstrap\log4j-core-2.11.1.jar
IPWW_HOME\eaijava\libs\bootstrap\log4j-api-2.11.1.jar
For iProcess Workspace (Windows) / iProcess Web Services Client Plug-in:
IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-core-2.11.1.jar
IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-api-2.11.1.jar
IPWW_HOME\java_common\libs\log4j-core-2.11.1.jar
IPWW_HOME\java_common\libs\log4j-api-2.11.1.jar
For iProcess Web Services Server Plug-in:
JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-core-2.11.1.jar
JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-api-2.11.1.jar
JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-core-2.11.1.jar
JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-api-2.11.1.jar
For iProcess Workspace (Browser):
TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-api-2.11.1.jar
TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-core-2.11.1.jar
Step 3: Copy 2.16.0 log4j jars into the following locations:
For iProcess Engine / iProcess Technology Plug-ins:
Copy log4j-core-2.16.0.jar to $SWDIR/jar/tp/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/jar/tp/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/tomcat/webapps/API/WEB-INF/lib/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/sdks/deploysdk/libraries/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/sdks/deploysdk/libraries/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to $SWDIR/eaijava/libs/bootstrap/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to $SWDIR/eaijava/libs/bootstrap/log4j-api-2.16.0.jar
For BusinessWorks / iProcess Technology Plug-ins:
Copy log4j-core-2.16.0.jar to TIBCO_HOME\bw\plugins\lib\palettes\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to TIBCO_HOME\bw\plugins\lib\palettes\log4j-api-2.16.0.jar
For iProcess Workspace (Windows) / iProcess Workspace Plug-ins:
Copy log4j-core-2.16.0.jar to IPWW_HOME\eai_bw\libs\bootstrap\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eai_bw\libs\bootstrap\log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to IPWW_HOME\eaijava\libs\bootstrap\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eaijava\libs\bootstrap\log4j-api-2.16.0.jar
For iProcess Workspace (Windows) / iProcess Web Services Client Plug-in:
Copy log4j-core-2.16.0.jar to IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\eai_websvcs\libs\repository\system\log4j\log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to IPWW_HOME\java_common\libs\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to IPWW_HOME\java_common\libs\log4j-api-2.16.0.jar
For iProcess Web Services Server Plug-in:
Copy log4j-core-2.16.0.jar to JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to JETTY_HOME/webapps/axis2/WEB-INF/lib/log4j-api-2.16.0.jar
Copy log4j-core-2.16.0.jar to JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to JETTY_HOME/lib/ext/tibco/thirdparty/axis/log4j-api-2.16.0.jar
For iProcess Workspace (Browser):
Copy log4j-core-2.16.0.jar to TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-core-2.16.0.jar
Copy log4j-api-2.16.0.jar to TOMCAT_HOME\webapps\TIBCOActProc\WEB-INF\lib\log4j-api-2.16.0.jar
Step 4: Update the following files and environment variables so that every reference to a 2.11.1 log4j jar points to the 2.16.0 jar instead.
For iProcess Workspace (Windows) / iProcess Workspace Plug-ins / iProcess Web Services Client Plug-in:
Update the environment variable: SW_CLIENTCLASSPATH
For iProcess Workspace (Windows) / iProcess Web Services Client Plug-in update the following file:
IPWW_HOME\eai_websvcs\passwordmanager.cmd
For iProcess Engine / iProcess Technology Plug-ins / iProcess Web Services Server Plug-in on a Windows system:
Update the environment variable: SW_SYSCLASSPATH
For iProcess Engine / iProcess Technology Plug-ins on a Unix/Linux system:
Update any user environment variables that currently set SW_SYSCLASSPATH
Update the following files:
$SWDIR/eaijava/scripts/env.sh
$SWDIR/jmsadmin/upgrade.sh
For iProcess Engine (Windows/Unix/Linux):
Update the following files:
$SWDIR/etc/swjmx_classpath.properties
$SWDIR/etc/iapjms_classpath.properties
For iProcess Web Services Server Plug-in:
Update the following files:
JETTY_HOME/passwordmanager.cmd
JETTY_HOME/securitymanager.cmd
JETTY_HOME/urladmin.cmd
JETTY_HOME/passwordmanager.sh
JETTY_HOME/securitymanager.sh
JETTY_HOME/urladmin.sh
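A post-upgrade audit covering Steps 2 to 4 and the permissions note, as an added example and not TIBCO's own tooling: it lists any log4j-core/log4j-api jar under an install root that is not the 2.16.0 copy, any script or classpath file that still names a 2.11.1 jar, and any new jar whose mode differs from what you expect. The fixture directory it builds is a constructed stand-in for $SWDIR; run the checks against your real roots ($SWDIR, JETTY_HOME, TOMCAT_HOME) instead.

```shell
#!/bin/sh
# Post-upgrade audit for the Log4j 2.11.1 -> 2.16.0 jar swap of Steps 2-4.
# Added example, not TIBCO tooling. Pass the install roots as arguments.
OLD_VER=2.11.1
NEW_VER=2.16.0

# Steps 2/3: every log4j-core/log4j-api jar under the roots that is not the
# 2.16.0 copy (a 2.11.1 jar left behind, or any other stray version).
find_stale_jars() {
    find "$@" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) \
        | grep -v -- "-${NEW_VER}\.jar\$" || true
}

# Step 4: scripts, .cmd files and classpath properties that still name a
# 2.11.1 jar; a service started from one of these loads the old log4j-core.
find_stale_refs() {
    grep -rlE --include='*.sh' --include='*.cmd' --include='*.properties' \
        -- "log4j-(core|api)-${OLD_VER}\.jar" "$@" || true
}

# The article's note: modes must survive the swap. Report every 2.16.0 jar
# whose mode string (ls -l, columns 1-10) differs from EXPECTED, e.g. -rw-r--r--.
find_bad_perms() {
    expected=$1; shift
    find "$@" -type f -name "log4j-*-${NEW_VER}.jar" | while read -r jar; do
        [ "$(ls -ld "$jar" | cut -c1-10)" = "$expected" ] || echo "$jar"
    done
}

# Constructed fixture standing in for $SWDIR: one forgotten 2.11.1 jar and an
# env.sh still pointing at it; everything else already migrated.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/jar/tp" "$root/tomcat/webapps/API/WEB-INF/lib" \
             "$root/eaijava/scripts" "$root/etc"
    : > "$root/jar/tp/log4j-core-${OLD_VER}.jar"   # Step 2 deletion missed
    : > "$root/jar/tp/log4j-api-${NEW_VER}.jar"
    : > "$root/tomcat/webapps/API/WEB-INF/lib/log4j-core-${NEW_VER}.jar"
    : > "$root/tomcat/webapps/API/WEB-INF/lib/log4j-api-${NEW_VER}.jar"
    echo "SW_SYSCLASSPATH=\$SWDIR/jar/tp/log4j-core-${OLD_VER}.jar" \
        > "$root/eaijava/scripts/env.sh"           # Step 4 edit missed
    echo "classpath=\$SWDIR/jar/tp/log4j-core-${NEW_VER}.jar" \
        > "$root/etc/swjmx_classpath.properties"   # already updated
    echo "$root"
}

ROOT=$(make_fixture)
echo "Stale jars:"; find_stale_jars "$ROOT"
echo "Stale references:"; find_stale_refs "$ROOT"
```

An empty result from all three checks on every root is the condition to look for before restarting the services.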
If you have questions about these steps please contact TIBCO Support.