Resolution
The following hotfixes (updating Log4j2 to version 2.16.0) for MFT Command Center and Internet Server versions are now available for download from TIBCO Support Portal (https://support.tibco.com). These hotfixes contain a fix for CVE-2021-44228 and CVE-2021-45046:
- TIB_mftccis_8.2.1_HF-008.zip
- TIB_mftccis_8.3.0_HF-009.zip
- TIB_mftccis_8.4.0_HF-001.zip
These hotfixes include CMAInstall.jar and CMSInstall.jar files that can be installed to upgrade log4j. Follow the instructions in the hotfix to upgrade CMA and CMS.
Note: these hotfixes upgrade MFT to Log4j2 version 2.16.0 instead of version 2.17.1 because MFT is not vulnerable to CVE-2021-45105 (Denial of Service Issue).
MFT is not vulnerable to CVE-2021-45105 because MFT does not use a non-default Pattern Layout with a Context Lookup. If the hotfix is applied after applying the mitigation below, then both the log4j version 2.16.0 and log4j version 2.17.1 jar files will exist. The log4j 2.16.0 jar files should be deleted.
Mitigation
These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2.
TIBCO recommends replacing the log4j jar files manually as follows:
Download Apache log4j version 2.17.1 from this URL:
https://logging.apache.org/log4j/2.x/download.html
Select the binary zip file: apache-log4j-2.17.1-bin.zip
After downloading the binary zip file, unzip it and save the contents in a temporary directory.
Here are the instructions to upgrade log4j 2.x to log4j 2.17.1:
In all cases, the log4j files are located in this folder:
<MFT-Install>/server/webapps/cfcc/WEB-INF/lib
This change should be made to all Internet Server, Command Center and CMA/CMS instances. The instructions below show the log4j files for the most current hotfix. For older hotfix levels replace all log4j 2.x jar files with the corresponding log4j 2.17.1 jar file. Once the change has been made, you must restart the MFT Server for the change to take effect.
MFT 8.2.1:
Depending on the hotfix level, you should delete this file:
log4j-api-2.11.*.jar or log4j-api-2.12.*.jar
From the zip file, copy file log4j-api-2.17.1.jar to this directory
Restart the MFT Server
MFT 8.3.0:
Depending on the hotfix level, you should delete this file:
log4j-api-2.11.*.jar or log4j-api-2.12.*.jar
From the zip file, copy file log4j-api-2.17.1.jar to this directory
Restart the MFT Server
MFT 8.4.0:
Delete these files:
log4j-1.2-api-2.14.1.jar
log4j-api-2.14.1.jar
log4j-core-2.14.1.jar
log4j-slf4j-impl-2.14.1.jar
From the zip file, copy these files to this directory:
log4j-1.2-api-2.17.1.jar
log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-slf4j-impl-2.17.1.jar
Restart the MFT Server
Connection Manager Agent
This is only required if CMA is installed AFTER applying MFT hotfix 8.3.0_HF-008 or if using the CMA for MFT 8.4.0.
In all cases, the log4j files are located in this folder:
<CMA-Install>/cmaserver/webapps/connmgr/WEB-INF/lib
Depending on the hotfix level, you should delete this file:
log4j-api-2.11.*.jar or log4j-api-2.12.*.jar
From the zip file, copy file log4j-api-2.17.1.jar to this directory
Restart the CMA Server
Connection Manager Server
This is only required if CMS is installed AFTER applying MFT hotfix 8.3.0_HF-008 or if using the CMA for MFT 8.4.0.
In all cases, the log4j files are located in this folder:
<CMS-Install>/cmaserver/webapps/connmgr/WEB-INF/lib
Depending on the hotfix level, you should delete this file:
log4j-api-2.11.*.jar or log4j-api-2.12.*.jar
From the zip file, copy file log4j-api-2.17.1.jar to this directory
Restart the CMS Server
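The jar replacement steps above as an added POSIX shell script; it is not a TIBCO-supplied script. It assumes the WEB-INF/lib directory is passed as the first argument and the unzipped apache-log4j-2.17.1-bin directory as the second, treats any log4j jar below 2.17.1 (including a 2.16.0 jar left behind when the hotfix was applied after this mitigation) as outdated, and leaves the server restart as a manual step.

```shell
# Added example (not a TIBCO script): does the manual jar swap from the steps above on one
# WEB-INF/lib dir: each log4j-*-<ver>.jar older than 2.17.1 is removed and the same artifact
# is copied in from the unzipped apache-log4j-2.17.1-bin directory.
TARGET_VER=2.17.1
# Numeric key for a dotted version, so 2.9.1 compares below 2.17.1.
version_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}
version_lt() { [ "$(version_key "$1")" -lt "$(version_key "$2")" ]; }
# Version part of a jar name: log4j-1.2-api-2.14.1.jar -> 2.14.1 (empty if none).
jar_version() { printf '%s\n' "$1" | sed -n 's/^.*-\([0-9][0-9.]*\)\.jar$/\1/p'; }

# Print every log4j jar in dir $1 older than TARGET_VER; succeeds only if none remain.
list_outdated() {
    found=0
    for jar in "$1"/log4j-*.jar; do
        [ -e "$jar" ] || continue
        ver=$(jar_version "$(basename "$jar")")
        if [ -n "$ver" ] && version_lt "$ver" "$TARGET_VER"; then echo "$jar"; found=1; fi
    done
    [ "$found" -eq 0 ]
}

# Replace outdated log4j jars in lib dir $1 with the 2.17.1 build from dir $2.
# Returns 1 if an outdated jar has no counterpart in $2 (paths without spaces assumed).
replace_log4j_jars() {
    rc=0
    for jar in $(list_outdated "$1"); do
        name=$(basename "$jar"); ver=$(jar_version "$name")
        artifact=${name%-"$ver".jar}               # e.g. log4j-slf4j-impl
        new="$2/$artifact-$TARGET_VER.jar"
        if [ -f "$new" ]; then
            cp "$new" "$1/" && rm -f "$jar" && echo "replaced $name with $artifact-$TARGET_VER.jar"
        else
            echo "no $TARGET_VER replacement for $name in $2" >&2; rc=1
        fi
    done
    return $rc
}
# Constructed demo data: the MFT 8.4.0 lib dir listed above plus a stand-in for the unzipped
# 2.17.1 distribution (empty files in temp dirs). Prints "<libdir> <srcdir>".
make_demo() {
    demo_lib=$(mktemp -d); demo_src=$(mktemp -d); : > "$demo_lib/other-lib-1.0.jar"
    for a in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl; do
        : > "$demo_lib/$a-2.14.1.jar"; : > "$demo_src/$a-2.17.1.jar"
    done
    echo "$demo_lib $demo_src"
}
```

Run `list_outdated <MFT-Install>/server/webapps/cfcc/WEB-INF/lib` on each Internet Server, Command Center and CMA/CMS instance after the swap to confirm nothing below 2.17.1 remains.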
Note: The Command Line Clients and the Promotion Utility include the vulnerable log4j jar files. However, since these utilities run as an individual process and are not exposed to a web server, these utilities are not vulnerable. These will be addressed in the next hotfix.