Question & Answer
Question
Are IBM® InfoSphere® Optim™ Application Retirement, Archive, Data Growth, Data Privacy and Test Data Management Solutions impacted by the recent log4j security vulnerability CVEs?
Answer
The recent log4j vulnerabilities currently include the following CVEs:
- CVE-2021-45046
- CVE-2021-44228
- CVE-2021-4104
- CVE-2019-17571
CVE-2021-45046 and CVE-2021-44228
CVE-2021-45046 and CVE-2021-44228 are confirmed on log4j 2.x only. Optim ships log4j 1.2.x, not 2.x, and is therefore not vulnerable to these CVEs.
Some IBM InfoSphere Optim solutions include Open Data Manager (ODM). ODM is based on Qlik's Attunity Integration Suite (AIS). Qlik has determined that AIS is not affected by CVE-2021-44228 and the related CVEs. For further information, see: https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/bc-p/1870009
CVE-2021-4104
CVE-2021-4104 is confirmed on log4j 1.2 and is a deserialization vulnerability in the JMSAppender class. It is only exploitable when JMSAppender is actually configured and an attacker controls the JNDI settings it uses, which in practice means write access to the log4j configuration. None of the instances of log4j installed by Optim are configured to use JMSAppender. However, to ensure that JMSAppender cannot be used at all, the org/apache/log4j/net/JMSAppender.class entry can be removed from the log4j jar files. (Entry names inside a jar always use forward slashes, on Windows as well as on AIX and Linux.)
CVE-2019-17571
CVE-2019-17571 is confirmed on log4j 1.2 and is a vulnerability in the SocketServer class: SocketServer deserializes log events received over the network without validation, so a host that runs it as a listener for untrusted traffic can be made to execute arbitrary code. None of the instances of log4j installed by Optim use the SocketServer class. To ensure that it cannot be used, the org/apache/log4j/net/SocketServer.class entry can be removed from the log4j jar files.
Overview
In the procedures below, the placeholders have the following default values. On Windows, for an all-users install:
<Shared> C:\Program Files (x86)\IBM\SDPShared or C:\Program Files\IBM\SDPShared
<IBM-Optim-Install> C:\IBM\InfoSphere\Optim
<IBM-Connect-Install> C:\IBM Optim\Connect or C:\IBM\InfoSphere\Optim\Connect
On AIX and Linux, for a user install:
<IBM-Optim-Install> <User Home Directory>/IBM/InfoSphere/Optim
<Shared> <User Home Directory>/IBM/Shared
Remediation
To remediate CVE-2021-4104 and CVE-2019-17571, remove org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class from the following log4j jar files. Note that you may not have all of these instances, as they depend on which Optim components you have installed.
- <Shared>\plugins\org.apache.log4j_1.2.13.v200806030600.jar
- <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
  Note that there may be multiple directories with different date/time stamps in the name. Take the same action in all of them.
- <IBM-Optim-Install>\shared\tools\optimcmd\log4j_1.2.13.jar
- <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.unified.app.war\11.3.0\com.ibm.nex.unified.app.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741\lib\log4j_1.2.13.jar
  Note that the timestamp in the plugin directory name may differ depending on the level of Optim that is installed.
- <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.bridge.war\11.3.0\com.ibm.nex.bridge.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
  Note that the timestamp in the plugin directory name may differ depending on the level of Optim that is installed.
- <IBM-Optim-Install>/rt/navroot/lib/log4j_1.2.15.jar (AIX and Linux only)
- <IBM-Connect-Install>\Connect\Studio\Plugins\org.apache.log4j_1.2.13.v200806030600.jar
- <IBM-Connect-Install>\Connect\Server\Lib\log4j-1.2.15.jar
Detailed Instructions
Perform the following steps to remove org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class from the log4j 1.2.x instances. Again, note that not all instances will be present on your system, as they depend on which Optim components are installed. Stop the component that loads a jar before you edit it: a running JVM keeps the file open, and on Windows an open jar typically cannot be overwritten. After editing, list the contents of each jar with your zip tool and confirm that neither entry is still present.
Procedure for Windows
For Runtime, Web, and Designer:
- Stop Runtime, WASCE and/or Designer if they are running.
- Copy <Shared>\plugins\org.apache.log4j_1.2.13.v200806030600.jar to a temporary location.
- In the copied file, use a zip tool (7-Zip is one example) to remove the following two entries from org.apache.log4j_1.2.13.v200806030600.jar:
  - org/apache/log4j/net/JMSAppender.class
  - org/apache/log4j/net/SocketServer.class
- Once updated, replace the changed jar file in its original location.
- Copy <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar to a temporary location.
- In the copied file, use a zip tool to remove the following two entries from log4j_1.2.13.jar:
  - org/apache/log4j/net/JMSAppender.class
  - org/apache/log4j/net/SocketServer.class
- Once updated, replace the changed jar file in the following locations:
  - <Shared>\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
  - <IBM-Optim-Install>\shared\tools\optimcmd\log4j_1.2.13.jar
  - Optim Manager WAR file in its deployed location: <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.unified.app.war\11.3.0\com.ibm.nex.unified.app.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741\lib\log4j_1.2.13.jar
  - Optim Service Interface WAR file (optional: only if you are using OSI) in its deployed location: <IBM-Optim-Install>\shared\WebSphere\AppServerCommunityEdition\repository\com\ibm\nex\com.ibm.nex.bridge.war\11.3.0\com.ibm.nex.bridge.war-11.3.0.war\WEB-INF\eclipse\plugins\com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205\lib\log4j_1.2.13.jar
- After updating the above, restart Runtime, WASCE and Designer.
For ODM Optim Connect Server and Studio:
- Stop IRPCD and/or Studio if they are running.
- Update <IBM-Connect-Install>\Connect\Server\Lib\log4j-1.2.15.jar: use a zip tool to remove the following two entries from log4j-1.2.15.jar:
  - org/apache/log4j/net/JMSAppender.class
  - org/apache/log4j/net/SocketServer.class
- Update <IBM-Connect-Install>\Connect\Studio\Plugins\org.apache.log4j_1.2.13.v200806030600.jar: use a zip tool to remove the following two entries from org.apache.log4j_1.2.13.v200806030600.jar:
  - org/apache/log4j/net/JMSAppender.class
  - org/apache/log4j/net/SocketServer.class
- After updating the above, restart IRPCD and Studio.
Procedure for AIX and Linux
The zip commands below take the jar name relative to the current directory, so change to the directory containing each jar before running them. If zip reports "name not matched", that entry was already absent from the jar. Afterwards, list the jar with unzip -l and confirm that neither entry is still present.
For Runtime and Web:
- Stop Runtime and/or WASCE if they are running.
- Update <Shared>/plugins/org.apache.log4j_1.2.13.v200806030600.jar. Use zip to remove the following two entries from org.apache.log4j_1.2.13.v200806030600.jar:
  - zip -d -q org.apache.log4j_1.2.13.v200806030600.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q org.apache.log4j_1.2.13.v200806030600.jar org/apache/log4j/net/SocketServer.class
- Update <Shared>/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205/lib/log4j_1.2.13.jar. Use zip to remove the following two entries from log4j_1.2.13.jar:
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class
- Update <IBM-Optim-Install>/shared/tools/optimcmd/log4j_1.2.13.jar. Use zip to remove the following two entries from log4j_1.2.13.jar:
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class
- Update the Optim Manager WAR file in its deployed location, <IBM-Optim-Install>/shared/WebSphere/AppServerCommunityEdition/repository/com/ibm/nex/com.ibm.nex.unified.app.war/11.3.0/com.ibm.nex.unified.app.war-11.3.0.war/WEB-INF/eclipse/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20200721_1741/lib/log4j_1.2.13.jar. Use zip to remove the following two entries from log4j_1.2.13.jar:
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class
- Update the Optim Service Interface WAR file in its deployed location (optional: only if you are using OSI), <IBM-Optim-Install>/shared/WebSphere/AppServerCommunityEdition/repository/com/ibm/nex/com.ibm.nex.bridge.war/11.3.0/com.ibm.nex.bridge.war-11.3.0.war/WEB-INF/eclipse/plugins/com.ibm.nex.3rdparty.logging_11.3.0.v20181203_2205/lib/log4j_1.2.13.jar. Use zip to remove the following two entries from log4j_1.2.13.jar:
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q log4j_1.2.13.jar org/apache/log4j/net/SocketServer.class
- After updating the above, restart Runtime and WASCE.
For ODM Optim Connect Server:
- Stop IRPCD if it is running.
- Update <IBM-Optim-Install>/rt/navroot/lib/log4j_1.2.15.jar. Use zip to remove the following two entries from log4j_1.2.15.jar:
  - zip -d -q log4j_1.2.15.jar org/apache/log4j/net/JMSAppender.class
  - zip -d -q log4j_1.2.15.jar org/apache/log4j/net/SocketServer.class
- After updating the above, restart IRPCD.
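Every step in the Windows and AIX/Linux procedures above, and in the Remediation list before them, comes down to the same operation: strip the two entries from a log4j 1.2 jar and confirm they are gone. The script below is an added example, not IBM code and not part of the Optim product. It performs that operation with Python's standard zipfile module so the identical steps run on Windows, AIX and Linux in place of 7-Zip or zip -d, and it first audits an install tree by jar content rather than by file name, which also catches copies with unexpected names. The directory layout and the dummy jar that demo() builds are constructed sample data mimicking the Remediation list; the .bak backup convention and the function names are this example's own choices, not anything Optim provides.

```python
"""Audit, strip and verify log4j 1.2 jars (CVE-2021-4104 / CVE-2019-17571).
Added example, not IBM code; standard library only, so it runs unchanged on
Windows, AIX and Linux. The tree built in demo() is constructed sample data."""
import os
import shutil
import tempfile
import zipfile

# Entry names inside a jar always use forward slashes, on every OS.
VULN_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
)

def present_entries(jar_path):
    """Return the vulnerable entries found inside jar_path (empty == clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [e for e in VULN_ENTRIES if e in names]

def find_affected_jars(root):
    """Map each .jar under root that still holds a vulnerable entry to the
    entries found. Content, not file name, decides: shaded copies count too."""
    affected = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = present_entries(path)
            except zipfile.BadZipFile:
                continue  # not a zip archive at all; nothing to strip
            if found:
                affected[path] = found
    return affected

def strip_entries(jar_path, entries=VULN_ENTRIES):
    """Rewrite jar_path without `entries`; return the names actually removed.
    zipfile cannot delete in place, so every other member is copied with its
    ZipInfo metadata into a new archive that replaces the file. A .bak copy is
    kept beside it (this example's convention). Stop the JVM using the jar
    first: Windows will not let an open file be replaced."""
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    removed = []
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed

def verify_clean(jar_paths):
    """Return the jars that are corrupt or still contain a vulnerable entry."""
    bad = []
    for path in jar_paths:
        with zipfile.ZipFile(path) as zf:
            corrupt = zf.testzip() is not None  # name of first bad member, else None
        if corrupt or present_entries(path):
            bad.append(path)
    return bad

def make_sample_jar(path):
    """Constructed stand-in for log4j_1.2.13.jar: dummy bodies, real entry names."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for cls in ("org/apache/log4j/Logger.class",
                    "org/apache/log4j/net/SocketAppender.class", *VULN_ENTRIES):
            zf.writestr(cls, b"\xca\xfe\xba\xbe " + cls.encode())
    return path

def demo():
    """Audit -> strip -> verify over a constructed tree; returns a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        optimcmd = os.path.join(root, "shared", "tools", "optimcmd")  # sample layout
        os.makedirs(optimcmd)
        jar = make_sample_jar(os.path.join(optimcmd, "log4j_1.2.13.jar"))
        with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
            zf.writestr("com/example/App.class", b"unrelated")  # must stay untouched
        before = find_affected_jars(root)
        removed = [e for p in before for e in strip_entries(p)]
        with zipfile.ZipFile(jar) as zf:
            remaining = zf.namelist()
        return {"affected_before": len(before), "removed": sorted(removed),
                "still_bad": verify_clean(before),
                "affected_after": len(find_affected_jars(root)),
                "remaining": remaining}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real install, call find_affected_jars() on the <Shared>, <IBM-Optim-Install> and <IBM-Connect-Install> roots with the components stopped, strip_entries() on each hit, and verify_clean() on the same list before restarting. The .bak copies still contain the two classes, so vulnerability scanners will keep flagging them; move them off the host once the verification passes.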
Document Information
Modified date:
02 June 2022
UID
ibm16525890