The log4j version 1 vulnerabilities (CVE-2021-4104 and the related CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, etc.) in IBM Engineering Lifecycle Management (ELM) are being mitigated in ELM 7.0.2 Service Release 1 (SR1) and ELM 7.0.1 Service Release 1 (SR1).
Log4j version 1 is being replaced with log4j version 2.17 or later in ELM. Log4j version 1 libraries are not shipped with SR1.
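To confirm after an upgrade that no log4j version 1 classes remain, an installation tree can be scanned for them, including jars nested inside WAR files. The following is an added example, not IBM's tooling: the class-to-CVE mapping is taken from the public CVE descriptions rather than from this bulletin, and the file names in the sample tree are constructed.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumption: log4j 1.x class paths per the public CVE descriptions, not this bulletin.
RISKY_PREFIXES = {
    "org/apache/log4j/net/JMSAppender": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, findings, depth=0):
    """Add (archive, CVE) pairs for one archive, descending into nested ones."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # misnamed or corrupt file: nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            for prefix, cve in RISKY_PREFIXES.items():
                if name.startswith(prefix):
                    findings.add((label, cve))
            if name.lower().endswith(ARCHIVE_SUFFIXES) and depth < 4:
                scan_archive(archive.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Return sorted (archive, CVE) pairs for every archive under root."""
    findings = set()
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path.relative_to(root)), findings)
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample: a WAR bundling a log4j 1.x jar, plus a log4j 2 jar."""
    old = io.BytesIO()
    with zipfile.ZipFile(old, "w") as jar:
        jar.writestr("org/apache/log4j/net/JMSAppender.class", b"")
        jar.writestr("org/apache/log4j/jdbc/JDBCAppender.class", b"")
    with zipfile.ZipFile(Path(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.17.jar", old.getvalue())
    with zipfile.ZipFile(Path(root, "log4j-core-2.17.1.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for archive, cve in scan_tree(tmp):
            print(f"{archive}: log4j 1.x class tied to {cve}")
```

An empty result from `scan_tree` on the real installation directory means none of the listed classes were found; any hit names the archive, with `!` separating an outer archive from the jar nested inside it.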
- Customers on ELM versions before 7.0.2 are encouraged to upgrade to ELM 7.0.2 SR1 iFix 15 or later.
- Upgrade instructions are in the interactive upgrade guide.
- Customers currently on ELM version 7.0.2 must perform a side-by-side installation of ELM 7.0.2 SR1 iFix15.
- Customers currently on ELM version 7.0.1 can choose a way to remediate their systems
- Note: The side-by-side installation does not require any database updates or reindexing.
- How to perform a side-by-side installation to deploy the IBM Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018)
- Client for Eclipse 4.6.x IDE
- Build System Toolkit
- Plain Java Libraries
- p2 Install Repository
- SCM Tools
- EWM Git Integration Toolkit
- Publishing 7.0.2 SR1 iFix015
- Method Composer 7.6.2 SR1
- All installations of Method Composer 7.6.1 and earlier are highly recommended to upgrade to 7.6.2 SR1.
- IBM Common Licensing Server 9.0
- IBM Engineering Systems Design Rhapsody 9.0.1 SR1 iFix003
- Rational DOORS 184.108.40.206
- IBM Engineering Requirements Management DOORS 220.127.116.11
- IBM Offline Documentation (Formerly KCCI)
- Jazz.net 7.0.2 SR1 download pages' "All downloads" tab
- Jazz.net 7.0.1 SR1 download pages' "All downloads" tab
- IBM Fix Central repository
- IBM Passport Advantage
- Downloads for the entitled versions of the latest release of each ELM product
11 October 2022