Remove traces of Log4j jars with Security Vulnerabilities

The IBM Sterling B2B Integrator installation folder may have traces of Log4j 1.x or 2.x security vulnerable JAR files. These traces can be permanently removed by running the cleanup script.

About this task

Log4j JAR files, or nested Log4j JAR files inside other JAR/WAR files, may be found in all JAR/WAR files present in the installed_data, packages, and uninstall folders of the IBM Sterling B2B Integrator base installation directory. You should permanently remove all Log4j 1.x and affected Log4j 2.x JAR files (below version 2.17.2) from these folders.

Note: If vulnerable JAR files are found in other JAR/WAR files, the JAR/WAR files that contain them will be permanently removed from the system.

You can use the cleanup script to remove the JAR files with security vulnerabilities. Scripts are included in the bin folder of the IBM Sterling B2B Integrator installation directory for all supported operating systems (Windows, AIX, and Linux).

Before you run the script, ensure the following minimum requirements are met:
  • A minimum 5GB of free space on the box where IBM Sterling B2B Integrator is installed.
  • In case of Windows, provide the full path of the temporary processing directory which has the short path. For example, C:\SI\Temp.
    Note: This directory is not required to run the script on other operating systems.
  • PowerShell is installed on Windows.

To remove all the Log4j traces:

Procedure

  1. Navigate to the bin folder in the IBM Sterling B2B Integrator installation directory and locate the script file.
    • For Windows: <InstallationDir>/bin/CleanupLog4j.ps1 (Run using PowerShell only)
    • For other operating systems: <InstallationDir>/bin/CleanupLog4j.sh
  2. Grant execute permission to the user who will run the script.
    Note: The user should have read and write permissions on the IBM Sterling B2B Integrator install directory. In case of Windows, the user should also have read and write permissions on the temporary processing directory.
  3. Run the script. In case of Windows, also provide the temporary processing directory which has the shorter path.
    Note: The script will display the files that are being processed while it is running.
  4. Once the run is complete, the files will be permanently removed from your file system. The script will show the summary of deleted operation along with the locations of the logs.
    Note: The script may take up to 25 minutes to complete its run.