IBM Support

Are IBM® InfoSphere® Optim™ Application Retirement, Archive, Data Growth, Data Privacy and Test Data Management Solutions Impacted by the recent log4j Security Vulnerability CVEs?

Question & Answer


Question

Are IBM® InfoSphere® Optim™ Application Retirement, Archive, Data Growth, Data Privacy and Test Data Management Solutions Impacted by the recent log4j Security Vulnerability CVEs?

Answer

Are IBM® InfoSphere® Optim™ Application Retirement, Archive, Data Growth, Data Privacy and Test Data Management Solutions Impacted by the recent log4j Security Vulnerability CVEs?

Currently, this includes the following CVEs:

  1. CVE-2021-45046

  2. CVE-2021-44228

  3. CVE-2021-4104

  4. CVE-2019-17571

CVE-2021-45046 and CVE-2021-44228

CVE-2021-45046 and CVE-2021-44228 are confirmed on log4j 2.x. Optim does not use this version of log4j and is therefore not vulnerable to these CVEs.

Some IBM InfoSphere Optim solutions include Open Data Manager (ODM). ODM is based on Qlik's Attunity Integration Suite (AIS). Qlik has determined that AIS is not affected by CVE-2021-44228 and other CVEs. For further information, see here: https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/bc-p/1870009

CVE-2021-4104

CVE-2021-4104 is confirmed on log4j 1.2 and is a vulnerability in the JMSAppender class. None of the instances of log4j installed by Optim are configured to use JMSAppender. However, to ensure that JMSAppender cannot be used, the org\apache\log4j\net\JMSAppender.class file can be removed from the log4j jar files.

CVE-2019-17571

CVE-2019-17571 is confirmed on log4j 1.2 and is a vulnerability in the SocketServer class. None of the instances of log4j installed by Optim use the SocketServer class. To ensure that the SocketServer class cannot be used, the org\apache\log4j\net\SocketServer.class file can be removed from the log4j jar files.

Overview

The paths below use the following placeholders. On Windows, the default locations for an all-user install are:

<Shared>                           C:\Program Files (x86)\IBM\SDPShared or C:\Program Files\IBM\SDPShared

<IBM-Optim-Install>        C:\IBM\InfoSphere\Optim

<IBM-Connect-Install>     C:\IBM Optim\Connect or C:\IBM\InfoSphere\Optim\Connect

For AIX and Linux, the default locations for a user install are:

<IBM-Optim-Install>       <User Home Directory>/IBM/InfoSphere/Optim

<Shared>                          <User Home Directory>/IBM/Shared

Remediation

To remediate CVE-2021-4104 and CVE-2019-17571, remove org\apache\log4j\net\JMSAppender.class and org\apache\log4j\net\SocketServer.class from the following log4j jar files. Note that you may not have all of these instances, as they depend on which Optim components you have installed.

  1. <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
    Note that there may be multiple directories with different date/time stamps in the name. Take the same action in all of the directories.

  2. <IBM-Optim-Install>\shared\tools\optimcmd\log4j_1.2.13.jar

  3. <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.unified.app.war\11.3.0\com.ibm.nex.unified.app.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741\lib\log4j_1.2.13.jar
    Note that the timestamp in the above may be different depending on the level of Optim that is installed.

  4. <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.bridge.war\11.3.0\com.ibm.nex.bridge.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
    Note that the timestamp in the above may be different depending on the level of Optim that is installed.

  5. <IBM-Optim-Install>/rt/navroot/lib/log4j_1.2.15.jar (AIX and Linux only directory)

  6. <IBM-Connect-Install>\Connect\Studio\Plugins\org.apache.log4j_1.2.13.v200806030600.jar

  7. <IBM-Connect-Install>\Connect\Server\Lib\log4j-1.2.15.jar

Detailed Instructions

Perform the following steps to remove org\apache\log4j\net\JMSAppender.class and org\apache\log4j\net\SocketServer.class from the log4j 1.2.x instances. Again, note that all instances may not appear on your system as they depend on which Optim components are installed.

Procedure for Windows

For Runtime, Web, and Designer:

  1. Stop Runtime, WASCE and/or Designer if they are running

  2. Copy <Shared>\plugins\org.apache.log4j_1.2.13.v200806030600.jar to a temporary location

    1. In the copied file, use a zip tool (7-Zip is one example) to remove the following two classes from the org.apache.log4j_1.2.13.v200806030600.jar file

      • org\apache\log4j\net\JMSAppender.class

      • org\apache\log4j\net\SocketServer.class

  3. Once updated, replace the changed jar file in its original location

  4. Copy <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar to a temporary location

    1. In the copied file, use a zip tool to remove the following two classes from the log4j_1.2.13.jar:

      • org\apache\log4j\net\JMSAppender.class

      • org\apache\log4j\net\SocketServer.class

  5. Once updated, replace the changed jar file in the following locations:

    1. <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar

    2. <IBM-Optim-Install>\shared\tools\optimcmd\log4j_1.2.13.jar

    3. Optim Manager WAR file from deployed location <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.unified.app.war\11.3.0\com.ibm.nex.unified.app.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741\lib\log4j_1.2.13.jar

    4. Optim Service Interface WAR file (Optional: Only if you are using OSI) from deployed location <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.bridge.war\11.3.0\com.ibm.nex.bridge.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar

  6. After updating the above, restart Runtime, WASCE and Designer

For ODM Optim Connect Server, Studio:

  1. Stop IRPCD and/or Studio if they are running

  2. Update <IBM-Connect-Install>\Connect\Server\Lib\log4j-1.2.15.jar

    1. Use a zip tool to remove the following two classes from the log4j-1.2.15.jar

      • org\apache\log4j\net\JMSAppender.class

      • org\apache\log4j\net\SocketServer.class

  3. Update <IBM-Connect-Install>\Connect\Studio\Plugins\org.apache.log4j_1.2.13.v200806030600.jar

    1. Use a zip tool to remove the following two classes from the org.apache.log4j_1.2.13.v200806030600.jar

      • org\apache\log4j\net\JMSAppender.class

      • org\apache\log4j\net\SocketServer.class

  4. After updating the above, restart IRPCD and Studio

Procedure for AIX and Linux

For Runtime and Web:

  1. Stop Runtime and/or WASCE if they are running

  2. Update <Shared>/plugins/org.apache.log4j_1.2.13.v200806030600.jar.

    1. Use zip to remove the following two classes from the org.apache.log4j_1.2.13.v200806030600.jar

      • zip -d -q org.apache.log4j_1.2.13.v200806030600.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q org.apache.log4j_1.2.13.v200806030600.jar org/apache/log4j/net/SocketServer.class

  3. Update <Shared>/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205/lib/log4j_1.2.13.jar

    1. Use zip to remove the following two classes from the log4j_1.2.13.jar

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class

  4. Update <IBM-Optim-Install>/shared/tools/optimcmd/log4j_1.2.13.jar

    1. Use zip to remove the following two classes from log4j_1.2.13.jar

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class

  5. Update Optim Manager WAR file in its deployed location <IBM-Optim-Install>/shared/WebSphere/AppServerCommunityEdition/repository/com/ibm/nex/com.ibm.nex.unified.app.war/11.3.0/com.ibm.nex.unified.app.war-11.3.0.war/WEB-INF/eclipse/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741/lib/log4j_1.2.13.jar

    1. Use zip to remove the following two classes from the log4j_1.2.13.jar

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class

  6. Update Optim Service Interface WAR file in its deployed location (Optional – only if you are using OSI). <IBM-Optim-Install>/shared/WebSphere/AppServerCommunityEdition/repository/com/ibm/nex/com.ibm.nex.bridge.war/11.3.0/com.ibm.nex.bridge.war-11.3.0.war/WEB-INF/eclipse/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205/lib/log4j_1.2.13.jar

    1. Use zip to remove the following two classes from the log4j_1.2.13.jar

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class

  7. After updating the above, restart Runtime and WASCE

For ODM Optim Connect Server:

  1. Stop IRPCD if it is running

  2. Update <IBM-Optim-Install>/rt/navroot/lib/log4j_1.2.15.jar

    1. Use zip to remove the following two classes from the log4j_1.2.15.jar

      • zip -d -q log4j_1.2.15.jar org/apache/log4j/net/JMSAppender.class

      • zip -d -q log4j_1.2.15.jar org/apache/log4j/net/SocketServer.class

  3. After updating the above, restart IRPCD
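The procedures above touch several jars per host, so it helps to confirm afterwards that neither class survives in any of them. The following is an added example, not IBM tooling: it uses Python's zipfile module in place of zip or 7-Zip, finds jars by a file name containing "log4j" (an assumption; renamed jars are missed), and all function names are hypothetical.

```python
import os
import shutil
import tempfile
import zipfile

# The two classes the page says to remove (jar entry names always use "/").
TARGETS = {
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
}

def find_log4j_jars(root):
    """Yield files under root whose name looks like a log4j jar (assumption)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)

def remaining_targets(jar_path):
    """Return the sorted target classes still present in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(TARGETS.intersection(jar.namelist()))

def strip_targets(jar_path):
    """Rewrite the jar without the target classes; return what was removed."""
    present = remaining_targets(jar_path)
    if not present:
        return []  # already clean: nothing to rewrite
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in TARGETS:
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp)  # keep the jar readable by the service user
    os.replace(tmp, jar_path)
    return present

def audit(root, fix=False):
    """Map each log4j jar under root to the target classes it still contains."""
    report = {}
    for jar in find_log4j_jars(root):
        if fix:
            strip_targets(jar)
        report[jar] = remaining_targets(jar)
    return report
```

Calling `audit(root)` without `fix=True` is read-only and suits a post-change check of `<Shared>`, `<IBM-Optim-Install>` and `<IBM-Connect-Install>`; any jar mapped to a non-empty list still needs the removal step.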


Document Information

Modified date:
02 June 2022

UID

ibm16525890