How to mitigate Log4J Vulnerabilities in TIBCO Fulfillment Provisioning sample ex30

Article ID: KB0072168

Products / Versions
TIBCO Fulfillment Provisioning 3.9.0

Description

TIBCO Fulfillment Provisioning (FP) sample ex30, located under SW_HOME/distrib/kabira/kpsasample/samples/ex30, shows how to integrate TIBCO FP with TIBCO Fulfillment Order Management (FOM).
This sample also includes an OSS/J web service that depends on log4j 1.2.17.

The aim of this article is to provide the steps needed to upgrade that dependency to log4j 2.17.1.

ex30 is an FP example that includes:
  * FOM Client Adapter
  * OSS/J JMS-Profile Client Adapter (EMS)
  * OSS/J WS-Profile Client Adapter
  * FPOMS
  
***********
Environment
***********
In order to deploy the OSS/J OrderManagement WS-Profile, the user must export the following variables:
    SAMPLE_JAVA_HOME: a directory containing Java >= 1.6 (uses $JAVA_HOME/bin/java)
    MAVEN_HOME: a directory containing Maven (uses $MAVEN_HOME/bin/mvn)
    EMS_HOME: a directory containing TIBCO EMS (uses $EMS_HOME/lib/tibjms*.jar)
    GNU_TAR: the path to the GNU tar command (used to extract Jetty and Symphony)
    USER_WGET: the path to the wget command

Issue/Introduction

This article contains the resolution and mitigation steps for upgrading Apache Log4j 1.2.x to Log4j 2.17.x in TIBCO Fulfillment Provisioning sample ex30.

Environment

Linux x86_64

Resolution

The instructions below explain how to upgrade the log4j dependency.

Step 1)
Maven Central only serves artifacts over HTTPS, so the MAVEN_HOME variable must point to Maven 3.6.3 or later; an older Maven that still tries plain HTTP will fail to download the dependencies.

Step 2)
The log4j 1.2.17 dependency is declared in pom_dl_deps.xml. This file is delivered with the ossjomws client adapter; you will find it under SW_HOME/distrib/kabira/kpsa/samples/ca/ossjomws.
pom_dl_deps.xml is a Maven POM file used to download the WAR dependencies from the public Maven repository.

Here are the changes to make.
The three dependencies slf4j-api, slf4j-log4j12 and log4j must be replaced by log4j-slf4j-impl and log4j-core. log4j-slf4j-impl is the SLF4J binding for Log4j 2 and brings slf4j-api in transitively, so the explicit slf4j-api entry is no longer needed. We also recommend adding javax.jms-api.

remove from pom_dl_deps.xml:
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j-version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>${slf4j-version}</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>


add in pom_dl_deps.xml:
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>javax.jms</groupId>
      <artifactId>javax.jms-api</artifactId>
      <version>2.0</version>
    </dependency>

Once modified, pom_dl_deps.xml should look like the one in the attachment. Two points to check after rebuilding the web service: first, Log4j 2 does not read a Log4j 1.x log4j.properties file, so if the sample ships one, an equivalent log4j2.xml is needed, otherwise Log4j 2 falls back to its default configuration and logs only ERROR and above to the console; second, confirm that WEB-INF/lib of the deployed WAR no longer contains log4j-1.2.17.jar or an slf4j-log4j12 jar, since pom_dl_deps.xml only controls what is downloaded, not what an earlier build may have left behind.
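The following script, added here as an example and not part of the TIBCO ex30 sample, automates the two checks a practitioner would want after this change: it audits a Maven POM such as pom_dl_deps.xml for the Log4j 1.x and slf4j-log4j12 coordinates removed above and for the Log4j 2.17.1 replacements, and it scans a built WAR for leftover Log4j jars, looking inside each jar for JndiLookup.class rather than trusting file names. The POM fragments and the WAR it runs against are constructed fixtures modelled on the article, not TIBCO files; the function names are this example's own.

```python
"""Audit the Log4j upgrade this article describes (added example, not TIBCO code).
Checks a Maven POM for the removed Log4j 1.x / slf4j-log4j12 coordinates and the
Log4j 2.17.1 replacements, then scans a WAR for leftover Log4j jars. The POM text
and the WAR below are constructed fixtures modelled on the article."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

MIN_LOG4J2 = (2, 17, 1)  # version floor the article upgrades to
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _local(tag):
    """Strip an XML namespace so the code works with or without the POM xmlns."""
    return tag.rsplit("}", 1)[-1]

def _version_tuple(text):
    """'2.17.1' -> (2, 17, 1), so versions compare correctly against MIN_LOG4J2."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3]) or (0,)

def pom_dependencies(pom_text):
    """Return [(groupId, artifactId, version)] with ${property} references resolved."""
    root = ET.fromstring(pom_text)
    props = {_local(p.tag): (p.text or "").strip()
             for node in root if _local(node.tag) == "properties" for p in node}
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        deps.append((fields.get("groupId", ""), fields.get("artifactId", ""), version))
    return deps

def audit_pom(pom_text):
    """Return findings as strings; an empty list means the POM matches the article's end state."""
    coords = {(g, a): v for g, a, v in pom_dependencies(pom_text)}
    findings = []
    if ("log4j", "log4j") in coords:
        findings.append("log4j:log4j (Log4j 1.x, end-of-life) still declared")
    if ("org.slf4j", "slf4j-log4j12") in coords:
        findings.append("org.slf4j:slf4j-log4j12 binds SLF4J to Log4j 1.x; use log4j-slf4j-impl")
    core = coords.get(("org.apache.logging.log4j", "log4j-core"))
    if core is None or _version_tuple(core) < MIN_LOG4J2:
        findings.append(f"log4j-core {core or 'missing'}: need >= 2.17.1")
    if ("org.apache.logging.log4j", "log4j-slf4j-impl") not in coords:
        findings.append("log4j-slf4j-impl missing (SLF4J calls would have no binding)")
    return findings

def scan_war(war_bytes):
    """Inspect WEB-INF/lib of a WAR (bytes) and report Log4j jars that should not be there."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (name.startswith("WEB-INF/lib/") and base.endswith(".jar")):
                continue
            if re.fullmatch(r"log4j-1\.[\d.]+\.jar", base):
                findings.append(f"{base}: Log4j 1.x jar present")
            core = re.fullmatch(r"log4j-core-([\d.]+)\.jar", base)
            core_ok = bool(core) and _version_tuple(core.group(1)) >= MIN_LOG4J2
            if core and not core_ok:
                findings.append(f"{base}: log4j-core below 2.17.1")
            # Jar names can lie (shaded or renamed copies); the class list does not.
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                if JNDI_LOOKUP in jar.namelist() and not core_ok:
                    findings.append(f"{base}: contains JndiLookup.class outside log4j-core >= 2.17.1")
    return findings

def _jar(entries):
    """Build an in-memory jar/war from {path: bytes}; fixture builder for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()

# Constructed "before" POM, modelled on the article's removed block (namespaced form).
BEFORE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><slf4j-version>1.7.25</slf4j-version></properties>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>${slf4j-version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>${slf4j-version}</version></dependency>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
  </dependencies>
</project>"""

# Constructed "after" POM with the article's replacements (no namespace; both forms parse).
AFTER_POM = """<project><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-slf4j-impl</artifactId><version>2.17.1</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.1</version></dependency>
    <dependency><groupId>javax.jms</groupId><artifactId>javax.jms-api</artifactId><version>2.0</version></dependency>
</dependencies></project>"""

# Constructed WAR: the Log4j 1.x jar the upgrade should have removed, an old log4j-core
# shaded under another name, and the correct 2.17.1 core.
SAMPLE_WAR = _jar({
    "WEB-INF/lib/log4j-1.2.17.jar": _jar({}),
    "WEB-INF/lib/logging-utils.jar": _jar({JNDI_LOOKUP: b""}),
    "WEB-INF/lib/log4j-core-2.17.1.jar": _jar({JNDI_LOOKUP: b""}),
})
```

Running audit_pom on the "before" fixture yields four findings and on the "after" fixture none; scan_war on the sample WAR flags log4j-1.2.17.jar and the renamed jar carrying JndiLookup.class while accepting log4j-core-2.17.1.jar. To use it on the real sample, read pom_dl_deps.xml and the built WAR from disk and pass their contents to the two functions.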

Attachments

How to mitigate Log4J Vulnerabilities in TIBCO Fulfillment Provisioning sample ex30