TIBCO Foresight Transaction Insight, Operational Monitor, Archive and Retrieval System, BI Bridge - BAM Extract - Mitigation for CVE-2021-44228 (Log4Shell)
Article ID: KB0107990
| Products | Versions |
| --- | --- |
| TIBCO Foresight Transaction Insight | 5.3.0, 5.2.0, 5.1.0, 5.0.0 and Service Packs 5.2.1, 5.1.1 |
| TIBCO Foresight Archive and Retrieval System | 5.3.0, 5.2.0, 5.1.0, 5.0.0 and Service Packs 5.2.1, 5.1.1 |
| TIBCO Foresight BI Bridge - BAM Extract | 4.0.0 |
Description
TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system.
TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.
Issue/Introduction
TIBCO Foresight Transaction Insight, Operational Monitor, Archive and Retrieval System, BI Bridge - BAM Extract - Mitigation for CVE-2021-44228 (Log4Shell) - Updated on 1/14
Environment
All supported environments
Resolution
Update – 1/14/22: TIBCO is planning to provide a hotfix for TIBCO Foresight Transaction Insight, Operational Monitor, Archive and Retrieval System, BI Bridge - BAM Extract that will include log4j 2.17. We are working to determine the release dates. Once they become available, we will distribute another notification.
Apache Log4J Vulnerability Update – 12/16/21: Apache has announced that one of the previously recommended mitigation measures does not sufficiently address this vulnerability. “Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10.” Their new recommendation is “to upgrade Log4j to a safe version (2.16.0), or remove the JndiLookup class from the log4j-core jar.” (See Log4j – Apache Log4j Security Vulnerabilities.)
In light of this new announcement, TIBCO has updated its remediation guidance. Hotfixes will be provided for the products listed below. The hotfixes will include version 2.16.0 of Apache Log4j. While these products currently use version 1.x of Log4j, which is not affected by this vulnerability, Apache recommends that organizations upgrade to the latest version (2.16.0) of Apache Log4j 2.
- TIBCO Foresight Transaction Insight, versions 5.3.0, 5.2.0, 5.1.0, 5.0.0 and Service Packs 5.2.1, 5.1.1
- TIBCO Foresight Operational Monitor, versions 5.3.0, 5.2.0, 5.1.0, 5.0.0 and Service Packs 5.2.1, 5.1.1
- TIBCO Foresight Archive and Retrieval System, versions 5.3.0, 5.2.0, 5.1.0, 5.0.0 and Service Packs 5.2.1, 5.1.1
- TIBCO Foresight BI Bridge - BAM Extract, version 4.0.0
**Note** This affects the Healthcare and Standard editions of Transaction Insight, Operational Monitor and Archive and Retrieval System.
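As an added example (not TIBCO's code and not part of this article), the script below inventories the log4j-core jars under an installation directory, reads each jar's version from the bundled `pom.properties`, flags any jar below 2.16.0 that still carries `JndiLookup.class`, and can strip that class, which is the interim mitigation Apache's guidance quoted above describes for when an upgrade cannot be applied immediately. The two sample jars it builds in `run_demo()` are constructed placeholders with a few bytes standing in for bytecode; the directory layout and the `log4j-core-<version>.jar` file names are assumptions about a typical install, so run it against the real product directory with the application stopped.

```python
"""Inventory log4j-core jars, flag the CVE-2021-44228 exposure, optionally
strip JndiLookup.class. Added example; assumes Maven-style pom.properties
inside the jar (the layout Apache ships) for version detection."""
import os
import shutil
import tempfile
import zipfile

# Class that performs the JNDI lookup; absent from log4j 1.x, present in 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version file Apache bundles under META-INF/maven/org.apache.logging.log4j/.
POM_PROPS_SUFFIX = "/log4j-core/pom.properties"
SAFE_VERSION = (2, 16, 0)  # per the Apache guidance quoted in the article


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers such as '-rc1' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def jar_version(zf):
    """Return the version string from log4j-core's pom.properties, or None."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS_SUFFIX):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_jar(path):
    """Report version, presence of JndiLookup.class and the resulting exposure."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    # Unknown version plus the lookup class is treated as exposed, not as safe.
    safe = version is not None and parse_version(version) >= SAFE_VERSION
    return {"path": path, "version": version,
            "jndi_lookup_present": has_jndi, "vulnerable": has_jndi and not safe}


def scan_tree(root):
    """Scan every *.jar below root; backups (*.jar.bak) are not matched."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                results.append(scan_jar(os.path.join(dirpath, name)))
    return results


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, keeping a .bak copy.
    Do this with the JVM stopped; a running process may hold the jar open."""
    shutil.copy2(path, path + ".bak")
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
    os.close(fd)
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keeps per-entry compression
    os.replace(tmp_path, path)
    return removed


def make_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not bytecode)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build two constructed jars, scan, mitigate the old one, re-scan."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    old = os.path.join(root, "log4j-core-2.14.1.jar")
    make_sample_jar(old, "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    before = {os.path.basename(r["path"]): r for r in scan_tree(root)}
    removed = remove_jndi_lookup(old)
    after = {os.path.basename(r["path"]): r for r in scan_tree(root)}
    shutil.rmtree(root)
    return before, removed, after


if __name__ == "__main__":
    import sys
    for r in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{r['path']}: version={r['version']} "
              f"jndi_lookup={r['jndi_lookup_present']} vulnerable={r['vulnerable']}")
```

Note that a 2.16.0 jar still contains `JndiLookup.class` (Apache disabled the lookup rather than deleting the class), so the exposure flag combines both signals rather than relying on class presence alone; a jar without a readable version but with the class is reported as exposed so that it gets looked at rather than silently passed.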