TIBCO Order Management: Mitigation for CVE-2021-44228 (Log4Shell)

Article ID: KB0072771

Products / Versions: TIBCO Order Management 5.1.0

Description

TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

Issue/Introduction

This article contains the mitigation steps for the Apache Log4J vulnerability (CVE-2021-44228) for TIBCO Order Management v5.1.0.

Resolution

The following steps must be applied on top of TIBCO Order Management v5.1.0 hotfix #004.

Step 1: Download the following updated jars from the locations given:

 1. log4j-api-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar

 2. log4j-core-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar

 3. log4j-jul-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.16.0/log4j-jul-2.16.0.jar

 4. log4j-slf4j-impl-2.16.0.jar - Download Link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.16.0/log4j-slf4j-impl-2.16.0.jar

Step 2: Shut down all other TIBCO applications that are running.

Step 3: Replace the jars for the services below under <OM_HOME>/<Service-name>/5.1/standalone/lib:

    1. Archival Service:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-core-2.11.2 with log4j-core-2.16.0

    2. OMSUI:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-core-2.11.2 with log4j-core-2.16.0
        3. Replace log4j-jul-2.11.2 with log4j-jul-2.16.0
        4. Replace log4j-slf4j-impl-2.11.2 with log4j-slf4j-impl-2.16.0

    3. Orchestrator:
        1. Replace log4j-api-2.11.2 with log4j-api-2.16.0
        2. Replace log4j-core-2.11.2 with log4j-core-2.16.0

    4. OM migration:
        1. Replace log4j-api-2.7 with log4j-api-2.16.0
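
"Replace" in Step 3 means the 2.11.2 and 2.7 jars must be removed, not merely joined by the 2.16.0 copies, since a stale log4j-core left on the classpath can still be loaded. The following check is an added example, not part of the TIBCO article; it assumes the <OM_HOME>/<Service-name>/5.1/standalone/lib layout from Step 3 and lists every Log4j jar under OM_HOME whose version is not 2.16.0.

```shell
#!/bin/sh
# Constructed verification helper (not TIBCO's script). Scans the per-service
# lib directories from Step 3 of the KB and reports any log4j-*.jar whose
# version differs from the expected one.
#
# Exit status: 0 = all Log4j jars are at the expected version,
#              1 = at least one stale jar was found,
#              2 = no Log4j jars found at all (wrong OM_HOME or layout).
check_log4j_jars() {
    om_home="$1"
    expected="${2:-2.16.0}"          # version the KB instructs to install
    stale=0
    found=0
    for jar in "$om_home"/*/5.1/standalone/lib/log4j-*.jar; do
        [ -e "$jar" ] || continue    # glob matched nothing in this dir
        found=$((found + 1))
        name=$(basename "$jar" .jar)
        ver=${name##*-}              # text after the last '-' is the version
        if [ "$ver" != "$expected" ]; then
            printf 'STALE: %s (version %s, expected %s)\n' \
                "$jar" "$ver" "$expected"
            stale=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'No log4j jars found under %s; check OM_HOME\n' "$om_home"
        return 2
    fi
    return "$stale"
}

# Usage: sh check_log4j.sh "$OM_HOME"   (optionally a second arg for version)
if [ "$#" -gt 0 ]; then
    check_log4j_jars "$@"
fi
```

Run it after Step 3 and before restarting services in Step 4; any STALE line names a jar that still has to be deleted.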

Step 4: Restart all the services:

   - To start the Configurator service, navigate to the $OM_HOME/roles/configurator/standalone/bin directory, run the ./seedConfigData.sh script, and then run the ./start.sh script.

   - To start the Jeopardy service, navigate to the $OM_HOME/roles/jeopardy/standalone/config directory and update the application.properties file. Then start the service from $OM_HOME/roles/jeopardy/standalone/bin by running the ./start.sh script.

   - To start the process component service, navigate to the $OM_HOME/samples/processcomponent/standalone/config directory and update the application.properties file for the orchURL, emsServerURL, and auth.service.url parameters. Run the copyLib.sh script under $OM_HOME/samples/processcomponent/standalone/bin. Then start the service from $OM_HOME/samples/processcomponent/standalone/bin by running the ./start.sh script.

   - To start all the other services, navigate to the $OM_HOME/roles/<service-name>/standalone/config directory and update the application.properties file for configuratorServiceUrl. Also, navigate to the $OM_HOME/roles/configurator/standalone/config directory and update application.properties for authorizationServiceTokenEndPoint. Then start the service from $OM_HOME/roles/<service-name>/standalone/bin by running the ./start.sh script.

If you have questions about these steps please contact TIBCO Support.

Additional Information

Apache Log4J Vulnerability Update
https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update

KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services
https://support.tibco.com/s/article/Apache-Log4J-Vulnerability-and-Impact-to-TIBCO-Products-and-Services